Re: Lots of Polish spam
On 25 Feb 2015, at 17:15, Yves Goergen wrote:

> On 25.02.2015 at 20:42, Bill Cole wrote:
>> On 24 Feb 2015, at 17:06, Yves Goergen wrote:
>>> I can't block all archives with executable files in them.
>> Then in all seriousness: why bother filtering email specifically for malware? Email is an inherently untrustworthy transport medium. Any sort of executable received via email that is not cryptographically signed by a trusted sender should be considered unsafe to run. If an executable is signed by a trusted sender, it can just as easily be encrypted to protect it from detection as an executable. If your users believe that you are providing them a valuable service by allowing transport of executables via email, they are mistaken. You are putting them at unnecessary risk.
> I fully understand you, but tell that to end users.

I do. Based on my employer's logs and support requests, the frequency of actual user problems with an absolute omnidirectional ban on readily identified executables attached to email is at least 3 orders of magnitude smaller than the frequency of that ban excluding malware in the past 14 months. It is quite likely that some of our users have adopted mechanisms of evading the blockage and informed their correspondents of those mechanisms, which is a relatively low-risk issue -- a problem not worth trying to solve.

> They're already happy if they manage to get an e-mail with an attached file sent out. I've more than once thought about shutting down the FTP service due to repeated issues with it, requiring that users manage their files through SFTP. But FTP is still the most-used access protocol and the average webmaster(!) doesn't care or know about it all.

Yes, I understand that a solid 50% of the human race consists of people with below-median intelligence. That's always been necessary to take into account and it is a persuasive reason to avoid targeting a mass market of users.

Put another way: a customer who demands FTP instead of SFTP for anything other than anonymous downloading is too dumb to be worth serving.

> Your objection also applies to unencrypted HTTP downloads, BTW.

Yes and no. No one is sent dozens of unsolicited malicious executables daily via unencrypted HTTP, mixed in with a handful of legitimate and possibly important messages that they are expected to see and respond to. A user seeking out a piece of software and transporting it in an insecure fashion is potentially problematic, but it is ultimately a consensual problem that is mitigated by things like file encryption and/or simple hash fingerprints to assure that receivers get the files senders believe they are sending. Whether receivers are good judges of sender integrity is a tougher problem, not readily solved by technical measures.
Re: Lots of Polish spam
From: Axb axb.li...@gmail.com
Sent: Wednesday, February 25, 2015 4:32 AM
To: users@spamassassin.apache.org
Subject: Re: Lots of Polish spam

> On 02/25/2015 01:42 AM, Alex Regan wrote:
>> Hi,
>> On 02/24/2015 07:06 PM, Reindl Harald wrote:
>>> On 25.02.2015 at 00:56, Alex Regan wrote:
>>>> Sophos reports it as Troj/Tinba-O, like most others on virustotal.com. ClamAV does not detect anything suspicious. I really thought clamav was much better. Can you recommend an antivirus other than Sophos that works well with Linux/Fedora? Sophos is a no-go with Fedora, apparently.
>>> As explained repeatedly in this thread: ClamAV is a *framework* and works well if you load the right signatures. Even SpamAssassin *is just a framework*; without Bayes, URIBL, DNSBL and shared hash deployments it is far from usable as a ready solution. If you build up a spam filter you can't just use anything out of the box and think you are done without investing in configuration and additional signatures as well as *learning* from real mail flow.
>> Yes, I *am* already using the additional signatures from sanesecurity and others. I've started to notice the efficacy suffering over the past months as users have been complaining and comments on this list (I assumed those that were commenting were also using the third-party signatures). I'm also just looking for a secondary scanner in addition to clamav to run in parallel to see how it compares...
> You may want to look into Cyren (was Commtouch) though it's NOT cheap. http://www.cyren.com/tl_files/downloads/CYREN-AntiVirus-for-Email.pdf
> Also Dr. Web is surprisingly good for the price: https://www.drweb.com/?lng=en
> I've also been using F-Prot for years and it catches quite a few corner cases and for the price it's well worth it.
> If anybody expects to get *cheap* multi-layer AV, forget it.

E-set Nod32 is working very well for us. We licensed 8 mail filter boxes for not a lot of money. It's very fast too, so we dropped our processing time in half from our McAfee AV down to 4-5 seconds per MailScanner batch. They quoted us pricing as a 5 user license per box: http://www.eset.co.uk/Business/Mail-Security/Linux-BSD-Solaris
Blocking .exe in zips (was Re: Lots of Polish spam)
On Tue, 24 Feb 2015 23:06:02 +0100, Yves Goergen nospam.l...@unclassified.de wrote:

> If the mail server now blocks all .exe in .zip without actually scanning the contents, they're going to complain.

At some point, you need to be firm and take care of your users' security. We run a commercial filtering service and we unconditionally block exe (and scr, etc.) files whether directly attached or in an archive. We don't give our customers any say in the matter, though we do of course inform them of the policy up front.

So far, no major complaints. The few who really need to send such files rename them to .ex_ before zipping them up. We have a fairly large userbase (more than 140,000) so I think we would have heard lots of complaints by now if people really couldn't live with the policy.

Regards,

David.
Re: Lots of Polish spam
On Feb 24, 2015, at 3:49 PM, Axb axb.li...@gmail.com wrote:

> On 02/24/2015 11:39 PM, LuKreme wrote:
>> On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote:
>>> *.pdf.zip is a dangerous one to block on sight - FP risk is huge
>> Really? I've never seen a .pdf.zip that was legitimate.
> KDE: right click on a blah.pdf, compress as Zip Archive and bang: blah.pdf.zip. I can imagine other Linux Desktops doing the same. Dunno about Windows or Apple.

That would be blah.zip on Windows and OS X, at least by default. I am not saying it is not possible to have a valid pdf.zip file, I am simply saying I have never seen one. I saw a virus load: name="Secure E-mail Quick Reference Guide - External Users-pdf.zip". But that only matched because I searched for .pdf.zip instead of \.pdf\.zip

YMMV.

--
Why can't you be in a good mood? How hard is it to decide to be in a good mood and be in a good mood once in a while?
Re: Lots of Polish spam
On 24 Feb 2015, at 17:06, Yves Goergen wrote:

> I can't block all archives with executable files in them.

Then in all seriousness: why bother filtering email specifically for malware? Email is an inherently untrustworthy transport medium. Any sort of executable received via email that is not cryptographically signed by a trusted sender should be considered unsafe to run. If an executable is signed by a trusted sender, it can just as easily be encrypted to protect it from detection as an executable. If your users believe that you are providing them a valuable service by allowing transport of executables via email, they are mistaken. You are putting them at unnecessary risk.
Re: Blocking .exe in zips (was Re: Lots of Polish spam)
On 2015-02-25 12:18, David F. Skoll wrote:

> On Tue, 24 Feb 2015 23:06:02 +0100, Yves Goergen nospam.l...@unclassified.de wrote:
>> If the mail server now blocks all .exe in .zip without actually scanning the contents, they're going to complain.
> ...
> So far, no major complaints. The few who really need to send such files rename them to .ex_ before zipping them up. We have a fairly large userbase (more than 140,000) so I think we would have heard lots of complaints by now if people really couldn't live with the policy.

Seconded. I run a small hosting company with email for hundreds of clients, and I've had a grand total of 0 complaints about blocking EXE, SCR, COM and similar types. We maybe get one inquiry per year about it, but no one has ever had a problem with .ex_ solutions, and they generally understand and appreciate the approach.

It scales up to large installations as well; Google blocks executable files (even if zipped) too, and they seem to be doing alright in the email world: https://support.google.com/mail/answer/6590?hl=en

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Lots of Polish spam
On 2015-02-25 11:42, Bill Cole wrote:

> On 24 Feb 2015, at 17:06, Yves Goergen wrote:
>> I can't block all archives with executable files in them.
> Then in all seriousness: why bother filtering email specifically for malware?

I second this. Either go all the way, or don't do it; it's worse to leave users with a false sense of security. A mentality of "The virus scanner says it's safe, so it won't do any harm" is exceedingly dangerous.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Lots of Polish spam
On 25.02.2015 at 20:42, Bill Cole wrote:

> On 24 Feb 2015, at 17:06, Yves Goergen wrote:
>> I can't block all archives with executable files in them.
> Then in all seriousness: why bother filtering email specifically for malware? Email is an inherently untrustworthy transport medium. Any sort of executable received via email that is not cryptographically signed by a trusted sender should be considered unsafe to run. If an executable is signed by a trusted sender, it can just as easily be encrypted to protect it from detection as an executable. If your users believe that you are providing them a valuable service by allowing transport of executables via email, they are mistaken. You are putting them at unnecessary risk.

I fully understand you, but tell that to end users. They're already happy if they manage to get an e-mail with an attached file sent out. I've more than once thought about shutting down the FTP service due to repeated issues with it, requiring that users manage their files through SFTP. But FTP is still the most-used access protocol and the average webmaster(!) doesn't care or know about it all.

Your objection also applies to unencrypted HTTP downloads, BTW.

--
Yves Goergen
http://unclassified.software
Re: Lots of Polish spam
On 25.02.2015 at 23:04, Dave Warren wrote:

> I second this. Either go all the way, or don't do it; it's worse to leave users with a false sense of security. A mentality of "The virus scanner says it's safe, so it won't do any harm" is exceedingly dangerous.

The virus scanner doesn't say anything at all. It is just an additional effort to keep unwanted e-mails away, just like the spam filter. Nobody claimed that there is any guarantee associated with it, not even for false rejects. Considering what still passes the filters this should quickly become obvious.

--
Yves Goergen
http://unclassified.software
Re: Lots of Polish spam
On 25.02.2015 at 23:15, Yves Goergen wrote:

> On 25.02.2015 at 20:42, Bill Cole wrote:
>> On 24 Feb 2015, at 17:06, Yves Goergen wrote:
>>> I can't block all archives with executable files in them.
>> Then in all seriousness: why bother filtering email specifically for malware? Email is an inherently untrustworthy transport medium. Any sort of executable received via email that is not cryptographically signed by a trusted sender should be considered unsafe to run. If an executable is signed by a trusted sender, it can just as easily be encrypted to protect it from detection as an executable. If your users believe that you are providing them a valuable service by allowing transport of executables via email, they are mistaken. You are putting them at unnecessary risk.
> I fully understand you, but tell that to end users.

Do it.

> They're already happy if they manage to get an e-mail with an attached file sent out.

We have disallowed any executable for many years now, no problem. The ordinary end user doesn't come up with the idea of sending .exe files.

> I've more than once thought about shutting down the FTP service due to repeated issues with it, requiring that users manage their files through SFTP. But FTP is still the most-used access protocol and the average webmaster(!) doesn't care or know about it all.

Completely different topic.

> Your objection also applies to unencrypted HTTP downloads, BTW.

Completely different topic. Your webserver doesn't push random binaries to you unasked; your mailserver does, controlled by foreigners, if you allow it.
Re: Blocking .exe in zips (was Re: Lots of Polish spam)
On 25.02.2015 at 23:04, Dave Warren wrote:

> On 2015-02-25 12:18, David F. Skoll wrote:
>> So far, no major complaints. The few who really need to send such files rename them to .ex_ before zipping them up. We have a fairly large userbase (more than 140,000) so I think we would have heard lots of complaints by now if people really couldn't live with the policy.
> Seconded. I run a small hosting company with email for hundreds of clients, and I've had a grand total of 0 complaints about blocking EXE, SCR, COM and similar types. We maybe get one inquiry per year about it, but no one has ever had a problem with .ex_ solutions, and they generally understand and appreciate the approach.
> It scales up to large installations as well; Google blocks executable files (even if zipped) too, and they seem to be doing alright in the email world: https://support.google.com/mail/answer/6590?hl=en

That's an interesting point, I wouldn't have thought it could work. I was thinking about installing a private file sharing website for our users already (ad-free and with authentication only), so that could go together well with an announcement that executable files would no longer be allowed in e-mails.

--
Yves Goergen
http://unclassified.software
Re: Lots of Polish spam
On 25.02.2015 at 23:23, Yves Goergen wrote:

> On 25.02.2015 at 23:04, Dave Warren wrote:
>> I second this. Either go all the way, or don't do it; it's worse to leave users with a false sense of security. A mentality of "The virus scanner says it's safe, so it won't do any harm" is exceedingly dangerous.
> The virus scanner doesn't say anything at all.

That's not the point. If you tell a user "we scan for malware" he feels more secure compared to saying "it's your own risk what you open or not", and since anybody with technical understanding knows that *no virus scanner at all* will have fast enough signatures to block recent malware, just don't allow attachments which can be executed by a click in the mail client.
RE: Blocking .exe in zips (was Re: Lots of Polish spam)
That's what I did. I went with Zendto also, as David Jones recommended. It works great, and solves both the restricted file issue as well as an email size problem. It's not unusual for users to attach half a dozen photos to a message these days and never realize they're 8-10 MB each...

...Kevin

--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: Yves Goergen [mailto:nospam.l...@unclassified.de]
Sent: Wednesday, February 25, 2015 1:28 PM
To: Dave Warren; users@spamassassin.apache.org
Subject: Re: Blocking .exe in zips (was Re: Lots of Polish spam)

On 25.02.2015 at 23:04, Dave Warren wrote:

> On 2015-02-25 12:18, David F. Skoll wrote:
>> So far, no major complaints. The few who really need to send such files rename them to .ex_ before zipping them up. We have a fairly large userbase (more than 140,000) so I think we would have heard lots of complaints by now if people really couldn't live with the policy.
> Seconded. I run a small hosting company with email for hundreds of clients, and I've had a grand total of 0 complaints about blocking EXE, SCR, COM and similar types. We maybe get one inquiry per year about it, but no one has ever had a problem with .ex_ solutions, and they generally understand and appreciate the approach.
> It scales up to large installations as well; Google blocks executable files (even if zipped) too, and they seem to be doing alright in the email world: https://support.google.com/mail/answer/6590?hl=en

That's an interesting point, I wouldn't have thought it could work. I was thinking about installing a private file sharing website for our users already (ad-free and with authentication only), so that could go together well with an announcement that executable files would no longer be allowed in e-mails.

--
Yves Goergen
http://unclassified.software
Re: Lots of Polish spam
From: Yves Goergen nospam.l...@unclassified.de
Sent: Wednesday, February 25, 2015 4:15 PM
To: users@spamassassin.apache.org
Subject: Re: Lots of Polish spam

> On 25.02.2015 at 20:42, Bill Cole wrote:
>> On 24 Feb 2015, at 17:06, Yves Goergen wrote:
>>> I can't block all archives with executable files in them.
>> Then in all seriousness: why bother filtering email specifically for malware? Email is an inherently untrustworthy transport medium. Any sort of executable received via email that is not cryptographically signed by a trusted sender should be considered unsafe to run. If an executable is signed by a trusted sender, it can just as easily be encrypted to protect it from detection as an executable. If your users believe that you are providing them a valuable service by allowing transport of executables via email, they are mistaken. You are putting them at unnecessary risk.
> I fully understand you, but tell that to end users. They're already happy if they manage to get an e-mail with an attached file sent out. I've more than once thought about shutting down the FTP service due to repeated issues with it, requiring that users manage their files through SFTP. But FTP is still the most-used access protocol and the average webmaster(!) doesn't care or know about it all.
> Your objection also applies to unencrypted HTTP downloads, BTW.

Check out http://zendto.com

Set up a bounce message that points your internal users to use Zendto when it blocks a file by type or size.
Re: Lots of Polish spam
On 2015-02-25 14:23, Yves Goergen wrote:

> On 25.02.2015 at 23:04, Dave Warren wrote:
>> I second this. Either go all the way, or don't do it; it's worse to leave users with a false sense of security. A mentality of "The virus scanner says it's safe, so it won't do any harm" is exceedingly dangerous.
> The virus scanner doesn't say anything at all. It is just an additional effort to keep unwanted e-mails away, just like the spam filter. Nobody claimed that there is any guarantee associated with it, not even for false rejects. Considering what still passes the filters this should quickly become obvious.

You're thinking like a techie. Don't do that.

When an end user becomes aware that there is a malware filter or antivirus, they will assume it works, and since malware and viruses are filtered, that which is not filtered must be safe.

Users are stupid; this is why we're employed. Understand them, and build systems that set appropriate expectations and encourage the correct behaviour. If you're handing people a dangerous weapon, don't tell them all the reasons it's safe, tell them all the reasons it's dangerous even if there are a few safeguards.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Lots of Polish spam
On 02/25/2015 01:42 AM, Alex Regan wrote:

> Hi,
> On 02/24/2015 07:06 PM, Reindl Harald wrote:
>> On 25.02.2015 at 00:56, Alex Regan wrote:
>>> Sophos reports it as Troj/Tinba-O, like most others on virustotal.com. ClamAV does not detect anything suspicious. I really thought clamav was much better. Can you recommend an antivirus other than Sophos that works well with Linux/Fedora? Sophos is a no-go with Fedora, apparently.
>> As explained repeatedly in this thread: ClamAV is a *framework* and works well if you load the right signatures. Even SpamAssassin *is just a framework*; without Bayes, URIBL, DNSBL and shared hash deployments it is far from usable as a ready solution. If you build up a spam filter you can't just use anything out of the box and think you are done without investing in configuration and additional signatures as well as *learning* from real mail flow.
> Yes, I *am* already using the additional signatures from sanesecurity and others. I've started to notice the efficacy suffering over the past months as users have been complaining and comments on this list (I assumed those that were commenting were also using the third-party signatures). I'm also just looking for a secondary scanner in addition to clamav to run in parallel to see how it compares...

You may want to look into Cyren (was Commtouch) though it's NOT cheap. http://www.cyren.com/tl_files/downloads/CYREN-AntiVirus-for-Email.pdf

Also Dr. Web is surprisingly good for the price: https://www.drweb.com/?lng=en

I've also been using F-Prot for years and it catches quite a few corner cases and for the price it's well worth it.

If anybody expects to get *cheap* multi-layer AV, forget it.
Re: Lots of Polish spam
On 2015-02-24 at 19:22, Yves Goergen wrote:

> On 24.02.2015 at 19:00, Jeremy McSpadden wrote:
>> You're better off to implement RBL at SMTP time, not SA. IMO. Which MTA are you using?
> Exim. But why should I do that? See my other message in this thread. RBLs make mistakes. But then, only one of them makes the mistake, not all. Are RBLs the only measure to fight spam today? How do these lists learn spam quickly if there is no other way to detect it? I'm not sure whether RBLs help here. These are some of the reports of recent messages:

I'm guessing that you are getting botnet spam. I'm getting thousands of it per day, for a couple of weeks now. http://pastebin.com/6zLjMtM8
Re: Lots of Polish spam
On 02/24/2015 09:28 PM, Yves Goergen wrote:

> On 24.02.2015 at 19:56, Axb wrote:
>> - Please post missed spam samples in pastebin.com - do not post samples to mailing lists
> There are too many to process individually in pastebin. Here's an archive with ~60 messages in files: https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view ZIP password: spam (Google thinks there's a virus in it so I needed to encrypt it.)

Didn't need a password to extract, but... whatever format those .eml are in, none of my text editors was able to handle them, so that didn't help.

>> - What plugins are you using? (pls specify: Razor, Pyzor, DCC, etc)

Neither of those is installed by default, so you may want to look into them. Razor/Pyzor/DCC will make a huge difference.

> Didn't change whatever comes as a standard.
>> - Are you handling mail for a company, personal email, ISP, one domain, many domains, etc?
> It's the mail server for a small web hosting service with multiple domains and users. I don't know whether any of them wishes to receive Polish messages.

I'd definitely suggest you enable the Spamhaus SURBL rules. I know German/Austrian/Swiss mail admins seem to have a problem with Spamhaus and prefer to trust the manitu RBL, yet, for my traffic, it would be riddled with FPs while Spamhaus has been superb for the last 14 years. Potential FPs have always been fixed VERY fast and the hit rate can't be beat... but then whatever works...

Last but not least, get your Bayes setup running and it will give you the extra edge.

h2h
Axb
Re: Lots of Polish spam
On 02/24/2015 10:32 PM, Kris Deugau wrote:

> Yves Goergen wrote:
>> Hello, for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.
> These are almost certainly viruses. Upload one or two of the .zip files to virustotal.com to check against a long list of AV scanners.
> Any Windows executable that I find in a .zip file attached to a random message I automatically consider very suspect at best. I don't waste time trying to find out what the executable actually does, I just add a basic hash signature to ClamAV and move on. I've nearly given up on reporting these upstream to the ClamAV maintainers as well; I've got samples closing on two years old that still aren't flagged by stock signatures. :/

ClamAV has become a framework... and atm, you can open a bottle of bubbly if the official sigs actually detect anything.

Take a look at Sanesecurity's FoxHole sigs: http://sanesecurity.com/foxhole-databases/

foxhole_generic.cdb and foxhole_filename.cdb have been very reliable, in all ways.

Axb
Re: Lots of Polish spam
Yves Goergen wrote:

> Hello, for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.

These are almost certainly viruses. Upload one or two of the .zip files to virustotal.com to check against a long list of AV scanners.

Any Windows executable that I find in a .zip file attached to a random message I automatically consider very suspect at best. I don't waste time trying to find out what the executable actually does, I just add a basic hash signature to ClamAV and move on. I've nearly given up on reporting these upstream to the ClamAV maintainers as well; I've got samples closing on two years old that still aren't flagged by stock signatures. :/

-kgd
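As an added example (written for this page, not code from any poster in the thread), the policy David, Dave and Kris describe, in Python: a scanner that opens .zip attachments in memory, rejects executables found directly or inside nested archives, reports the .ex_ rename convention instead of blocking it, uses the escaped and anchored regex LuKreme's ".pdf.zip" observation calls for so a name ending "-pdf.zip" does not match, and emits a ClamAV .hdb hash line (md5:size:name) for each blocked member, as Kris does by hand. The extension list beyond exe/scr/com, the "Local.Mail" signature prefix and the sample message are this example's assumptions.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Types that run on a double-click in a mail client. The thread names exe, scr
# and com explicitly; the remaining entries are this example's assumption.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar"}
# Escaped and anchored: matches "blah.pdf.zip" but not the "...Users-pdf.zip"
# name that an unescaped ".pdf.zip" pattern matched in the thread.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|jpe?g)\.zip$", re.IGNORECASE)
# The ".ex_" rename convention: reported to the recipient, not blocked.
RENAMED_EXE_RE = re.compile(r"\.ex_$", re.IGNORECASE)


def ext_of(name: str) -> str:
    """Lower-case final extension of a (possibly path-like) name, '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def hdb_line(data: bytes, name: str) -> str:
    """ClamAV .hdb entry ('md5:filesize:MalwareName') for a local signature db."""
    sig = "Local.Mail." + re.sub(r"[^A-Za-z0-9]+", "_", name)
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig}"


def classify_zip(data: bytes, prefix: str = "") -> dict:
    """Sort archive members into blocked / renamed and collect .hdb lines. Nested
    zips are opened recursively; an encrypted member has a readable name but
    unreadable contents, so it is blocked because it cannot be vetted."""
    found = {"block": [], "renamed": [], "hdb": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        found["block"].append(prefix + "<unreadable archive>")
        return found
    for info in zf.infolist():
        path, ext = prefix + info.filename, ext_of(info.filename)
        if RENAMED_EXE_RE.search(info.filename):
            found["renamed"].append(path)
        elif ext in EXEC_EXTS or ext == "zip":
            try:
                content = zf.read(info)
            except RuntimeError:  # password-protected member: cannot be inspected
                found["block"].append(path + " <encrypted>")
                continue
            if ext == "zip":
                inner = classify_zip(content, path + "/")
                for key in found:
                    found[key].extend(inner[key])
            else:
                found["block"].append(path)
                found["hdb"].append(hdb_line(content, info.filename))
    return found


def scan_message(raw: bytes) -> dict:
    """Reject if any attachment is, or contains, an executable; otherwise accept
    but record suspicious names (double extensions) for scoring elsewhere."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"verdict": "accept", "reasons": [], "renamed": [], "hdb": []}
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # body text or multipart container, not an attachment
        if DOUBLE_EXT_RE.search(fname):
            report["reasons"].append(f"suspicious double extension: {fname}")
        payload = part.get_payload(decode=True)
        if ext_of(fname) in EXEC_EXTS:
            report["reasons"].append(f"executable attached: {fname}")
            report["hdb"].append(hdb_line(payload, fname))
        elif ext_of(fname) == "zip":
            found = classify_zip(payload, fname + "/")
            report["reasons"] += [f"executable in archive: {p}" for p in found["block"]]
            report["renamed"] += found["renamed"]
            report["hdb"] += found["hdb"]
    if any(r.startswith("executable") for r in report["reasons"]):
        report["verdict"] = "reject"
    return report


def build_zip(members: dict) -> bytes:
    """In-memory zip from {name: bytes}; only used to build constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_message() -> bytes:
    """Constructed message shaped like the thread's samples: near-empty body, a
    *_JPG.zip hiding an .exe, plus a harmless archive whose name ends -pdf.zip."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "faktura@example.com", "Faktura"  # constructed
    msg.set_content("W zalaczniku.")
    msg.add_attachment(build_zip({"Faktura_JPG.exe": b"MZ\x90\x00fake"}),
                       maintype="application", subtype="zip", filename="Faktura_JPG.zip")
    msg.add_attachment(build_zip({"guide.pdf": b"%PDF-1.4 fake"}),
                       maintype="application", subtype="zip",
                       filename="Reference Guide-pdf.zip")
    return msg.as_bytes()
```

Calling scan_message(sample_message()) rejects the message for the .exe inside Faktura_JPG.zip and leaves the "-pdf.zip" archive unflagged; the .hdb line it returns can be appended to a local ClamAV database file.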
Re: Lots of Polish spam
On 24.02.2015 at 19:56, Axb wrote:

> - Please post missed spam samples in pastebin.com - do not post samples to mailing lists

There are too many to process individually in pastebin. Here's an archive with ~60 messages in files: https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view ZIP password: spam (Google thinks there's a virus in it so I needed to encrypt it.)

> - What SA version are you using? and on what operating system?

3.4.0 on Ubuntu 14.04

> - How are you using SA? (pls specify: amavis, MIMEDefang, a milter, Mailscanner, procmail, Fuglu, etc, etc)

Configured as scanner from Exim 4.82

> - Are you using SA in a PC/notebook? or on a server?

On a public web/mail server

> - What plugins are you using? (pls specify: Razor, Pyzor, DCC, etc)

Didn't change whatever comes as a standard.

> - Are you handling mail for a company, personal email, ISP, one domain, many domains, etc?

It's the mail server for a small web hosting service with multiple domains and users. I don't know whether any of them wishes to receive Polish messages.

--
Yves Goergen
http://unclassified.software
Re: Lots of Polish spam
Hi,

> for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.

I have a number of mime_header_checks rules that reject unwanted file types. This can also be done with amavisd. Does anyone know, or think, whether it would be a good idea to add .pdf.zip to the mime types reject list? Has anyone seen a real example that wasn't a virus?

> SpamAssassin doesn't seem to be too successful in filtering them out. I set up that mailbox to reject anything beyond 10 points. Almost all messages stay under that limit. Only occasionally, a few messages are rejected with scores up to around 15. (Other regular spam can easily reach scores in the 50s.)

What about ok_locales or ok_languages? Is that reliable?

Thanks,
Alex
Re: Lots of Polish spam
On Tue, 24 Feb 2015, Yves Goergen wrote:

> for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word.
> SpamAssassin doesn't seem to be too successful in filtering them out.
> Does anybody have an idea how to stop that? Are there special rule sets for that?

If you don't have any users who speak Polish, then Bayes would do a good job catching them. I get a lot of spam in Chinese, Portuguese and Spanish and it all scores BAYES_999.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
An operating system design that requires a system reboot in order to install a document viewing utility does not earn my respect.
---
10 days until Dawn reaches Ceres
Re: Lots of Polish spam
On 02/24/2015 06:35 PM, Yves Goergen wrote:

> Hello, for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.
> SpamAssassin doesn't seem to be too successful in filtering them out. I set up that mailbox to reject anything beyond 10 points. Almost all messages stay under that limit. Only occasionally, a few messages are rejected with scores up to around 15. (Other regular spam can easily reach scores in the 50s.)
> Does anybody have an idea how to stop that? Are there special rule sets for that? I could provide samples of those messages if somebody is interested in it. These messages include my SpamAssassin headers so the matching rules can be seen. Unfortunately I'm not an SA wizard so I can't make new rules for such things.

Could you please tell us more about your setup so we get a better picture...

- Please post missed spam samples in pastebin.com - do not post samples to mailing lists
- What SA version are you using? and on what operating system?
- How are you using SA? (pls specify: amavis, MIMEDefang, a milter, Mailscanner, procmail, Fuglu, etc, etc)
- Are you using SA in a PC/notebook? or on a server?
- What plugins are you using? (pls specify: Razor, Pyzor, DCC, etc)
- Are you handling mail for a company, personal email, ISP, one domain, many domains, etc?

thx

PS: Template extracted from: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/emailed/sa-list-template.txt?view=co
Lots of Polish spam
Hello,

for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.

SpamAssassin doesn't seem to be too successful in filtering them out. I set up that mailbox to reject anything beyond 10 points. Almost all messages stay under that limit. Only occasionally, a few messages are rejected with scores up to around 15. (Other regular spam can easily reach scores in the 50s.)

Does anybody have an idea how to stop that? Are there special rule sets for that? I could provide samples of those messages if somebody is interested in it. These messages include my SpamAssassin headers so the matching rules can be seen. Unfortunately I'm not an SA wizard so I can't make new rules for such things.

--
Yves Goergen
http://unclassified.software
Re: Lots of Polish spam
Usually scores are 6 low 10 high. Are you running any RBLs ?

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net/ | Endless Solutions
Office : 850-250-5590 x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Feb 24, 2015, at 11:35 AM, Yves Goergen nospam.l...@unclassified.de wrote:
Hello, for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet. SpamAssassin doesn't seem to be too successful in filtering them out. I set up that mailbox to reject anything beyond 10 points. Almost all messages stay under that limit. Only occasionally, a few messages are rejected with scores up to around 15. (Other regular spam can easily reach scores in the 50s.) Does anybody have an idea how to stop that? Are there special rule sets for that? I could provide samples of those messages if somebody is interested in it. These messages include my SpamAssassin headers so the matching rules can be seen. Unfortunately I'm not an SA wizard so I can't make new rules for such things.
-- Yves Goergen http://unclassified.software
Re: Lots of Polish spam
On 24.02.2015 at 18:39 Jeremy McSpadden wrote:
Usually scores are 6 low 10 high. Are you running any RBLs ?

I have the default settings plus the attached custom configuration. There are several RBLs among them.

-- Yves Goergen http://unclassified.software

# BAYES
#auto_whitelist_path /var/spool/spamd/auto-whitelist
bayes_path /var/spool/spamd/bayes
lock_method flock
# required_score 5.0
use_bayes 0
# bayes_auto_learn 1
bayes_ignore_header X-Spam-Score
bayes_ignore_header X-Spam-dotforward-Info
bayes_ignore_header X-Spam-Report
# Temporarily disabled
#bayes_auto_learn_threshold_spam 8.0 # default: 12.0
score BAYES_00 (1.5)
score BAYES_05 (0.3)
score BAYES_20 (0)
score BAYES_40 (0)
score BAYES_50 (0)
score BAYES_60 (0.2)
score BAYES_80 (0.5)
score BAYES_95 (0.8)
score BAYES_99 (1.0)
clear_report_template
report Content analysis details:
report _SUMMARY_

# WHITELIST / BLACKLIST
blacklist_from i...@info.globc-data.info
blacklist_from i...@de.globc-data.info
blacklist_from i...@i.glbdata.info
blacklist_from i...@de.glbdata.info
blacklist_from i...@i.dbc-data.info
blacklist_from i...@i.gc-dbadressen.info
blacklist_from tlakulamessa...@mail2southafrica.com
blacklist_from john@*initrust*
blacklist_from richard*@sehrwichtig.com
# Emirates does not honour unsubscribe requests for advertising and is therefore
# blocked entirely. 2010-04-15 YG
blacklist_from emirateshighstreet@e.emirates.travel
# Real estate advertising, 2011-06-16 YG
blacklist_from i...@timepost02b.com
# eBay forgery, 2011-06-22 YG
blacklist_from mem...@ehay.com
# PayPal forgery, 2011-07-02 YG
blacklist_from info...@paiypal.com
# Newsletter unsubscribe does not work, only more spam arrives, 2013-04-22 YG
blacklist_from *@lists.techtarget.com

# DNS-BLACKLISTS
# rfc-ignorant is useless for the real world, it doesn't catch spam but everything else!
score DNS_FROM_RFC_ABUSE 0
score DNS_FROM_RFC_POST 0
score DNS_FROM_RFC_WHOIS 0
# Increase score for DNS list rules
score URIBL_BLACK (4)
score RCVD_IN_BL_SPAMCOP_NET (2.5)
#score RCVD_IN_SORBS_WEB (2)
#score RCVD_IN_WHOIS_BOGONS (1)
#score RCVD_IN_SORBS_DUL (2)
score DNS_FROM_RFC_ABUSE (1)
# Temporary trouble with false positives from those rules:
#score URIBL_RED 0
#score URIBL_GREY 0
#score URIBL_BLACK 0
# SURBL policy change as of 2008-11-10
score URIBL_AB_SURBL 0
score URIBL_JP_SURBL 0
score URIBL_OB_SURBL 0
score URIBL_PH_SURBL 0
score URIBL_SC_SURBL 0
score URIBL_WS_SURBL 0
# YG 2014-12-26 Spamhaus disabled
score RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
# 2015-01-12 NiX-Spam DNSBL ix.dnsbl.manitu.net added
# Instructions: http://www.heise.de/ix/foren/S-nixspam-dnsbl-in-spamassassin/forum-48292/msg-6404906/read/
header NIX_SPAM eval:check_rbl('nix-spam','ix.dnsbl.manitu.net')
describe NIX_SPAM Listed in NIX_SPAM DNSBL (thanks to heise.de)
tflags NIX_SPAM net
score NIX_SPAM 3.0

# SCORE ADJUSTMENTS
score FORGED_HOTMAIL_RCVD 0.0
score DEAR_FRIEND (2)
score DRUGS_ERECTILE (2)
# Looks like spam
score RCVD_IN_DNSWL_LOW 0
# Enable bounce checks by adding this line:
whitelist_bounce_relays dotforward.de
score ANY_BOUNCE_MESSAGE 7
# YG 2011-07-06 (+1), 2015-01-12 (+0.5)
score LOTS_OF_MONEY (1.5)
# YG 2014-03-09
score KHOP_BIG_TO_CC 1

# MY PATTERNS
# Buy watches
uri YG_URI_UHREN /redir\.ec\/[a-z]+/i
score YG_URI_UHREN 5
# GlobData spam
uri YG_URI_GLOBDATA /www\.(gl(ob)?-?(adressen|data)|(db(firmen)?|pr-)adressen|db-?glob(al)?|(bc|pr?o?|info)-aziende)\.(com|net|info)(\/.*)?/i
score YG_URI_GLOBDATA 5
body __YG_GLOBDATA_01 /Adressen/
body __YG_GLOBDATA_02 /Adresskataloge/
body __YG_GLOBDATA_03 /Bewerbens/
body __YG_GLOBDATA_04 /Branche/
body __YG_GLOBDATA_05 /Datenbanken/
body __YG_GLOBDATA_06 /Datenbasis/
body __YG_GLOBDATA_07 /deutsche[nr]? Firmen/
body __YG_GLOBDATA_08 /Dienstleistungen/
body __YG_GLOBDATA_09 /Firma/
body __YG_GLOBDATA_10 /Firmen/
body __YG_GLOBDATA_11 /Firmenangaben/
body __YG_GLOBDATA_12 /gewinnen/
body __YG_GLOBDATA_13 /Glob[ -]*Contact/
body __YG_GLOBDATA_14 /Global[ -]*Contact/
body __YG_GLOBDATA_15 /GC[ -]*GROUP/
body __YG_GLOBDATA_16 /Kampagnen/
body __YG_GLOBDATA_17 /kostenlose/
body __YG_GLOBDATA_18 /personalisierte/
body __YG_GLOBDATA_19 /Postanschrift/
body __YG_GLOBDATA_20 /seriöses Geld/
body __YG_GLOBDATA_21 /Unternehmen/
body __YG_GLOBDATA_22 /verdienen/
body __YG_GLOBDATA_23 /Versendens/
body __YG_GLOBDATA_24 /Werbekampagnen/
body __YG_GLOBDATA_25 /Werbung/
body __YG_GLOBDATA_26 /Zielgruppen/
meta YG_GLOBDATA_5 (__YG_GLOBDATA_01 + __YG_GLOBDATA_02 + __YG_GLOBDATA_03 + __YG_GLOBDATA_04 + __YG_GLOBDATA_05 + __YG_GLOBDATA_06 + __YG_GLOBDATA_07 + __YG_GLOBDATA_08 + __YG_GLOBDATA_09 + __YG_GLOBDATA_10 + __YG_GLOBDATA_11 + __YG_GLOBDATA_12 + __YG_GLOBDATA_13 + __YG_GLOBDATA_14 +
Re: Lots of Polish spam
On 24.02.2015 at 18:58 Yves Goergen wrote:
On 24.02.2015 at 18:39 Jeremy McSpadden wrote:
Usually scores are 6 low 10 high. Are you running any RBLs ?

I have the default settings plus the attached custom configuration. There are several RBLs among them

RBLs long before the content filter! Doing that properly, and lots of spam won't happen, independent of the content and language.

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    dnsbl.sorbs.net=127.0.0.10*8
    dnsbl.sorbs.net=127.0.0.5*6
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.4*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
    hostkarma.junkemailfilter.com=127.0.0.1*-2
Re: Lots of Polish spam
On 24.02.2015 at 19:00 Jeremy McSpadden wrote:
You're better off to implement RBL at SMTP time, not SA. IMO Which MTA are you using ?

Exim. But why should I do that? See my other message in this thread. RBLs make mistakes. But then, only one of them makes the mistake, not all. Are RBLs the only measure to fight spam today? How do these lists learn spam quickly if there is no other way to detect it?

I'm not sure whether RBLs help here. These are some of the reports of recent messages:

0.0 FSL_HELO_NON_FQDN_1 No description available.
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (disportsk33[at]gmx.pl)
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (disportsk33[at]gmx.pl)
0.9 SPF_FAIL SPF: sending host does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=disportsk33%40gmx.pl;ip=188.10.118.145;r=mond2]
0.0 HTML_MESSAGE BODY: message contains HTML
0.0 TVD_SPACE_RATIO No description available.
1.0 XPRIO Has X-Priority header
2.8 TVD_SPACE_RATIO_MINFP No description available.
-
0.5 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (ravennvgszluotpaa[at]wp.pl)
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (teaspoonsfulut2[at]wp.pl)
0.9 SPF_FAIL SPF: sending host does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=teaspoonsfulut2%40wp.pl;ip=115.246.74.136;r=mond2]
0.0 HTML_MESSAGE BODY: message contains HTML
1.0 XPRIO Has X-Priority header
-
0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
0.9 SPF_FAIL SPF: sending host does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=operan37%40wp.pl;ip=95.233.166.252;r=mond2]
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (operan37[at]wp.pl)
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [95.233.166.252 listed in psbl.surriel.com]
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (bartekmamut[at]wp.pl)
0.0 HTML_MESSAGE BODY: message contains HTML
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/ [95.233.166.252 listed in bl.score.senderscore.com]
0.0 TVD_SPACE_RATIO No description available.
1.0 XPRIO Has X-Priority header
2.7 TVD_SPACE_RATIO_MINFP No description available.
-
0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [195.223.116.82 listed in psbl.surriel.com]
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (panellingset52[at]gmail.com)
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available. [195.223.116.82 listed in bb.barracudacentral.org]
1.0 SPF_SOFTFAIL sending host does not match SPF record (softfail)
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (panellingset52[at]gmail.com)
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
0.7 MPART_ALT_DIFF BODY: text and HTML versions of the message body differ
0.0 HTML_MESSAGE BODY: message contains HTML
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sending host is an unsecured WWW server [195.223.116.82 listed in dnsbl.sorbs.net]
0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
1.0 XPRIO Has X-Priority header
-
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (beelines89[at]wp.pl)
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (beelines89[at]wp.pl)
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
0.9 SPF_FAIL SPF: sending host does not match SPF record (fail)
Re: Lots of Polish spam
On 24.02.2015 at 19:15 Yves Goergen wrote:
On 24.02.2015 at 19:02 Reindl Harald wrote:
RBLs long before the content filter!

Do you mean to reject messages as soon as a single RBL triggers it? That's definitely not what I want to do! I've had way too much trouble with others doing that. RBLs get points and the score decides. Never let any single check decide alone.

Re-read my message again and try to understand it. This is *not* a single check, this is *scoring*.

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
(...)

What is that?

Google would have led to http://www.postfix.org/POSTSCREEN_README.html

b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3

These are evil...

Really? Maybe you should qualify tips *after* you understood "What is that?"

* the reject score is 8
* b.barracudacentral.org=127.0.0.2*7 has 7 points
* zen.spamhaus.org with response 127.0.0.10 or 127.0.0.11 is PBL
* zen.spamhaus.org with response 127.0.0.4-127.0.0.7 is XBL
* zen.spamhaus.org with response 127.0.0.3 is CSS and only 4 points
* zen.spamhaus.org with response 127.0.0.2 is SBL and only 3 points
* you missed the DNSWLs with negative scores completely

___

AGAIN: that is a score-based reject including a ton of whitelists

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    dnsbl.sorbs.net=127.0.0.10*8
    dnsbl.sorbs.net=127.0.0.5*6
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.4*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
    hostkarma.junkemailfilter.com=127.0.0.1*-2
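The scoring Reindl Harald describes above can be checked offline. The following is an added example, not Postfix code and not written by anyone in the thread: it parses the postscreen_dnsbl_sites value posted above, applies the filter and weight semantics documented in postconf(5) (a filter is a dotted quad whose octets may be [a;b] sets or [a..b] ranges; an entry adds its weight at most once however many A records match it; the client is rejected once the total reaches postscreen_dnsbl_threshold), and runs it over constructed DNSBL answers for a few hypothetical clients. The client names and the lookup results are made up for the demonstration and are not real data.

```python
"""Offline model of postscreen's weighted DNSBL scoring (added example, not Postfix code).

Entry syntax, per postconf(5):  domain[=filter][*weight]
  filter  dotted quad; each octet is a number, or [a;b;c] / [a..b] inside brackets
  weight  integer, default 1, negative for whitelists
Each entry adds its weight at most once, however many A records match it.
DNSBL answers are fed in from a dict, so nothing here touches the network.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# The postscreen_dnsbl_sites value posted in the thread, verbatim.
POSTSCREEN_DNSBL_SITES = """
b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7
bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4
dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2
zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1
hostkarma.junkemailfilter.com=127.0.1.2*1
wl.mailspike.net=127.0.0.[18;19;20]*-2
list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4 list.dnswl.org=127.0.[0..255].3*-5
hostkarma.junkemailfilter.com=127.0.0.1*-2
"""
POSTSCREEN_DNSBL_THRESHOLD = 8

Entry = Tuple[str, Optional[List[Set[int]]], int]   # (domain, filter octets, weight)
_ENTRY_RE = re.compile(r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
_OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")


def _octet_set(spec: str) -> Set[int]:
    """'2' -> {2};  '[10;11]' -> {10, 11};  '[4..7]' -> {4, 5, 6, 7}."""
    if not spec.startswith("["):
        return {int(spec)}
    values: Set[int] = set()
    for part in spec[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values


def parse_sites(text: str) -> List[Entry]:
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight) entries."""
    entries: List[Entry] = []
    for token in text.split():
        m = _ENTRY_RE.match(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
        filt = None
        if m.group("filter"):
            octets = _OCTET_RE.findall(m.group("filter"))
            if len(octets) != 4:
                raise ValueError(f"filter is not a dotted quad: {token!r}")
            filt = [_octet_set(o) for o in octets]
        entries.append((m.group("domain"), filt, int(m.group("weight") or 1)))
    return entries


def _matches(filt: Optional[List[Set[int]]], reply: str) -> bool:
    """Does one A-record reply such as '127.0.0.4' satisfy the entry's filter?"""
    if filt is None:          # no "=filter": any non-error reply counts
        return True
    parts = reply.split(".")
    return len(parts) == 4 and all(int(p) in s for p, s in zip(parts, filt))


def dnsbl_score(entries: List[Entry], replies: Dict[str, List[str]]) -> Tuple[int, List[str]]:
    """Total weight for one client; `replies` maps domain -> A records (absent = not listed)."""
    total, hits = 0, []
    for domain, filt, weight in entries:
        if any(_matches(filt, r) for r in replies.get(domain, [])):
            total += weight                   # applied once per entry, not per record
            hits.append(f"{domain}{weight:+d}")
    return total, hits


def postscreen_decision(replies: Dict[str, List[str]],
                        threshold: int = POSTSCREEN_DNSBL_THRESHOLD,
                        sites: str = POSTSCREEN_DNSBL_SITES) -> Tuple[str, int, List[str]]:
    """Mimic postscreen_dnsbl_action=enforce: reject once the score reaches the threshold."""
    score, hits = dnsbl_score(parse_sites(sites), replies)
    return ("reject" if score >= threshold else "pass", score, hits)


# Constructed answers for hypothetical clients (not real lookups).
CLIENTS = {
    "bot_on_dsl":       {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"]},      # XBL + PBL
    "barracuda_only":   {"b.barracudacentral.org": ["127.0.0.2"]},              # one list, 7 < 8
    "sbl_but_dnswl":    {"zen.spamhaus.org": ["127.0.0.2"],
                         "list.dnswl.org": ["127.0.10.1"]},                     # SBL offset by DNSWL
    "mailspike_double": {"bl.mailspike.net": ["127.0.0.2", "127.0.0.10"]},      # two entries, both add
    "xbl_twice":        {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.5"]},       # same entry, counts once
}

if __name__ == "__main__":
    for name, replies in CLIENTS.items():
        verdict, score, hits = postscreen_decision(replies)
        print(f"{name:17} {verdict:6} score={score:3}  {' '.join(hits)}")
```

The "barracuda_only" and "sbl_but_dnswl" clients show the point of the argument above: a single listing, even a heavily weighted one, never reaches 8 on its own, and a whitelist entry pulls a borderline client back under the threshold. In production the answers come from dnsblog(8), not a dict, and the postscreen_dnsbl_reply_map caveat from the Postfix documentation still applies.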
Re: Lots of Polish spam
On 24.02.2015 at 19:02 Reindl Harald wrote:
RBLs long before the content filter!

Do you mean to reject messages as soon as a single RBL triggers it? That's definitely not what I want to do! I've had way too much trouble with others doing that. RBLs get points and the score decides. Never let any single check decide alone.

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
(...)

What is that?

b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3

These are evil...

-- Yves Goergen http://unclassified.software
Re: Lots of Polish spam
On 2015-02-24 at 19:56, Axb wrote:
[...]
- Please post missed spam samples in pastebin.com - do not post samples to mailing lists

Yes, please share it, I'll take a look what kind of spam it is.
Re: Lots of Polish spam
On 24.02.2015 at 22:00 Axb wrote:
On 02/24/2015 09:28 PM, Yves Goergen wrote:
https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view
ZIP password: spam
(Google thinks there's a virus in it so I needed to encrypt it.)

didn't need a password to extract but... whatever format those .eml are in, none of the text editors was able to handle them so that didn't help.

If you weren't asked for a password, then the files were not decrypted. If you can decrypt them (I used 7-Zip to create the archive, but ZIP encryption seems incompatible between programs, could create a .7z archive as well, but these seem to be unsupported and unwanted by most, despite their highly superior performance), then you'll have plain text files as Thunderbird received and exported them. Nothing unusual.

- What plugins are you using? (pls specify: Razor, Pyzor, DCC, etc)

none of those are installed by default so you may want to look into them. Razor/Pyzor/DCC will make a huge difference.

Okay, so I'll take a look into what they are and how to install and configure them.

I'd definitely suggest you enable the Spamhaus SURBL rules.

They have strange TOS that actually forbid using them for more than a single mailbox. Otherwise you need to pay for it. My data centre provider wrote an interesting posting about the current situation in their closed customer forums. They're in a bad position as long as customers still access Spamhaus services from their network. Nobody should support them anymore, really. They're evil.

Last but not least, get your Bayes setup running and it will give you the extra edge.

I once had Bayes enabled, but since it's an unattended server system, it can only learn from itself. And that had worked really badly in the past. So I disabled it completely last time I set it up. How should Bayes work if nobody gives feedback about the messages from their Thunderbird clients? And I've tried creating rules for those Polish words, but it's different words all the time. I wonder whether they actually mean something. And it's only very few words per message, many even with corrupt encoding including HTML entities. Again, how could Bayes help here?

-- Yves Goergen http://unclassified.software
Re: Lots of Polish spam
On 24.02.2015 at 22:49 Alex Regan wrote:
for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.

I have a number of mime_header_checks rules that reject unwanted file types. This can also be done with amavisd. Does anyone know/think it would be a good idea to add .pdf.zip to the mime types reject list? Has anyone seen a real example that wasn't a virus?

Well, if I right-click on a PDF file at my KDE desktop the context menu offers a simple option to compress it as a zip archive, resulting in origin-name.pdf.zip

here you go: http://sanesecurity.com/usage/signatures/

the zip is not the problem, the content is interesting, as already mentioned: http://sanesecurity.com/foxhole-databases/
Re: Lots of Polish spam
On 24-02-15 22:56, Yves Goergen wrote:
On 24.02.2015 at 22:00 Axb wrote:
On 02/24/2015 09:28 PM, Yves Goergen wrote:
https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view
ZIP password: spam
(Google thinks there's a virus in it so I needed to encrypt it.)

didn't need a password to extract but... whatever format those .eml are in, none of the text editors was able to handle them so that didn't help.

If you weren't asked for a password, then the files were not decrypted. If you can decrypt them (I used 7-Zip to create the archive, but ZIP encryption seems incompatible between programs, could create a .7z archive as well, but these seem to be unsupported and unwanted by most, despite their highly superior performance), then you'll have plain text files as Thunderbird received and exported them. Nothing unusual.

- What plugins are you using? (pls specify: Razor, Pyzor, DCC, etc)

none of those are installed by default so you may want to look into them. Razor/Pyzor/DCC will make a huge difference.

Okay, so I'll take a look into what they are and how to install and configure them.

I'd definitely suggest you enable the Spamhaus SURBL rules.

They have strange TOS that actually forbid using them for more than a single mailbox. Otherwise you need to pay for it. My data centre provider wrote an interesting posting about the current situation in their closed customer forums. They're in a bad position as long as customers still access Spamhaus services from their network. Nobody should support them anymore, really. They're evil.

Last but not least, get your Bayes setup running and it will give you the extra edge.

I once had Bayes enabled, but since it's an unattended server system, it can only learn from itself. And that had worked really badly in the past. So I disabled it completely last time I set it up. How should Bayes work if nobody gives feedback about the messages from their Thunderbird clients? And I've tried creating rules for those Polish words, but it's different words all the time. I wonder whether they actually mean something. And it's only very few words per message, many even with corrupt encoding including HTML entities. Again, how could Bayes help here?

The problem here is that you're stating it's an unattended server system. E-mail and spam change all the time, you cannot have great filtering without adjusting to new trends and threats. Using bayesian filtering is an easy way to improve detection, because you only need to decide whether mail is ham or spam, and the bayes engine does most of the other hard work for you. If you're not going to put in some effort to either train a bayesian filter for your users, or enable them to train it themselves (this has some risks you should be aware of), your filtering won't improve. But on the other hand: trying to write your own SA rules in order to block mails in a language you don't even understand is a lot harder.

Tom
Re: Lots of Polish spam
On Tue, 24 Feb 2015, Alex Regan wrote:
Does anyone know/think it would be a good idea to add .pdf.zip to the mime types reject list? Has anyone seen a real example that wasn't a virus?

Pretty much *any* double-extension filename is suspect.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Markley's Law (variant of Godwin's Law): As an online discussion of gun owners' rights grows longer, the probability of an ad hominem attack involving penis size approaches 1.
---
10 days until Dawn reaches Ceres
Re: Lots of Polish spam
On Tue, 24 Feb 2015 22:56:08 +0100 Yves Goergen wrote:
On 24.02.2015 at 22:00 Axb wrote:
I'd definitely suggest you enable the Spamhaus SURBL rules.

They have strange TOS that actually forbid using them for more than a single mailbox. Otherwise you need to pay for it.

That's not what it says on their websites, SURBL has a 1000 user limit, and spamhaus has limits on lookups.

My data centre provider wrote an interesting posting about the current situation in their closed customer forums. They're in a bad position as long as customers still access Spamhaus services from their network.

They have to pay because they're a business that sells email. If you have your own mail server with a dedicated IP address, and do your own DNS lookups, I don't think you'd have to pay unless you're selling a commercial email service. The problem some people run into is sending their dns queries through a shared dns cache which aggregates look-ups on a single IP address.
Re: Lots of Polish spam
Hi,

On 02/24/2015 07:06 PM, Reindl Harald wrote:
On 25.02.2015 at 00:56 Alex Regan wrote:
Sophos reports it as Troj/Tinba-O, like most others on virustotal.com ClamAV does not detect anything suspicious.

I really thought clamav was much better. Can you recommend an antivirus other than Sophos that works well with Linux/Fedora? Sophos is a no-go with Fedora, apparently

as explained repeatedly in this thread: ClamAV is a *framework* and works well if you load the right signatures

even SpamAssassin *is just a framework*; without Bayes, URIBL, DNSBL and shared hash deployments it is far away from usable as a ready solution

if you build up a spamfilter you can't just use anything out of the box and think you are done without investing in configuration and additional signatures as well as *learning* from real mail flow

Yes, I *am* already using the additional signatures from sanesecurity and others. I've started to notice the efficacy suffering over the past months as users have been complaining and comments on this list (I assumed those that were commenting were also using the third-party signatures). I'm also just looking for a secondary scanner in addition to clamav to run in parallel to see how it compares...

Thanks,
Alex
Re: Lots of Polish spam
On 24.02.2015 at 22:56 Yves Goergen wrote:
Last but not least, get your Bayes setup running and it will give you the extra edge.

I once had Bayes enabled, but since it's an unattended server system, it can only learn from itself. And that had worked really badly in the past. So I disabled it completely last time I set it up. How should Bayes work if nobody gives feedback about the messages from their Thunderbird clients? And I've tried creating rules for those Polish words, but it's different words all the time. I wonder whether they actually mean something. And it's only very few words per message, many even with corrupt encoding including HTML entities. Again, how could Bayes help here?

starting with 200 spam and 200 ham samples bayes helps *a lot*, and running any content filter without bayes is pure nonsense

a spamfilter is not about "that is spam because of this" - it's about scoring, and bayes is an important part of the scoring

just set it up with a central bayes db and feed it only with the samples *you* got, and anybody would benefit

with sensible RBL scoring, SpamAssassin including bayes and unofficial ClamAV signatures you block around 95% of all junk without investing a second of work after setup, and combined with remote hashing services in the score mix you get up to 98% with nearly zero false positives

what you have is a dumb content filter without bayes and usable clamav signatures, with no RBL scoring before the content filter - that can't work at all
Re: Lots of Polish spam
On 24.02.2015 at 23:18 John Hardin wrote:
On Tue, 24 Feb 2015, Alex Regan wrote:
Does anyone know/think it would be a good idea to add .pdf.zip to the mime types reject list? Has anyone seen a real example that wasn't a virus?

Pretty much *any* double-extension filename is suspect

on Windows systems

.tar.gz
.tar.bz2
.tar.xz
Re: Lots of Polish spam
On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote: *.pdf.zip is a dangerous one to block on sight - FP risk is huge Really? I've never seen a .pdf.zip that was legitimate.
Re: Lots of Polish spam
On February 24, 2015 11:06:31 PM Yves Goergen nospam.l...@unclassified.de wrote:
From the description, they only block by file name pattern. I can't block all archives with executable files in them. People need to send those files from time to time. And they know that a plain attached .exe won't get through filters, so they put it in a .zip archive. If the mail server now blocks all .exe in .zip without actually scanning the contents, they're going to complain.

pay attention to clamav max unpack 16 levels of recursive zip, that means if an exe file is recursively zip-packed 17 times it will not be a virus ? :)

more serious, if an exe file is just attached to email and it's clean, no blocking in clamav, do users not pay attention ?

we are off-topic, at least I am
Re: Lots of Polish spam
Axb wrote:
didn't need a password to extract but... whatever format those .eml are in, none of the text editors was able to handle them so that didn't help.

$ mkdir Spam; cd Spam
$ 7z e -pspam ../Spam.zip

Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.

Mark
Re: Lots of Polish spam
Hi,

Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.

I really thought clamav was much better. Can you recommend an antivirus other than Sophos that works well with Linux/Fedora? Sophos is a no-go with Fedora, apparently.

Thanks,
Alex
Re: Lots of Polish spam
On 25.02.2015 at 00:56 Alex Regan wrote:
Sophos reports it as Troj/Tinba-O, like most others on virustotal.com ClamAV does not detect anything suspicious.

I really thought clamav was much better. Can you recommend an antivirus other than Sophos that works well with Linux/Fedora? Sophos is a no-go with Fedora, apparently

as explained repeatedly in this thread: ClamAV is a *framework* and works well if you load the right signatures

even SpamAssassin *is just a framework*; without Bayes, URIBL, DNSBL and shared hash deployments it is far away from usable as a ready solution

if you build up a spamfilter you can't just use anything out of the box and think you are done without investing in configuration and additional signatures as well as *learning* from real mail flow
Re: Lots of Polish spam
On 24.02.2015 at 22:42 Axb wrote:
On 02/24/2015 10:32 PM, Kris Deugau wrote:
These are almost certainly viruses. Upload one or two of the .zip files to virustotal.com to check against a long list of AV scanners.

Didn't check it. Avira AntiVir (my desktop scanner) didn't notice any of these files while I created the archive. When scanning the files on demand, the scanner ends up in a livelock, not finishing. But it has found at least one malware until then.

ClamAV has become a framework... and atm, you can open a bottle of bubbly if the official sigs actually detect anything.

Oh great. Now that I've finally set up ClamAV on the server, it's useless? At least it can detect the EICAR test signature, and occasionally I've seen it detecting other things, but I rarely get in touch with real malware so I didn't test that.

Take a look at the Sanesecurity's FoxHole sigs

From the description, they only block by file name pattern. I can't block all archives with executable files in them. People need to send those files from time to time. And they know that a plain attached .exe won't get through filters, so they put it in a .zip archive. If the mail server now blocks all .exe in .zip without actually scanning the contents, they're going to complain.

-- Yves Goergen http://unclassified.software
Re: Lots of Polish spam
On 24.02.2015 at 23:39 LuKreme wrote:
On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote:
*.pdf.zip is a dangerous one to block on sight - FP risk is huge

Really? I've never seen a .pdf.zip that was legitimate

and I sent hundreds which were made by just right-clicking on the pdf and choosing "add to zip archive": origin.pdf.zip - and now?
Re: Lots of Polish spam
On 02/24/2015 11:39 PM, LuKreme wrote: On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote: *.pdf.zip is a dangerous one to block on sight - FP risk is huge Really? I've never seen a .pdf.zip that was legitimate. KDE: right click on a blah.pdf compress as Zip Archive and bang: blah.pdf.zip I can imagine other Linux Desktops doing the same. Dunno about Windows or Apple
Re: Lots of Polish spam
On February 24, 2015 11:57:23 PM Axb axb.li...@gmail.com wrote:
I can imagine other Linux Desktops doing the same. Dunno about Windows or Apple

the user is not asked for a filename, since the default seems fine :)
Re: Lots of Polish spam
On 2015-02-24 at 21:28, Yves Goergen wrote:
> On 24.02.2015 at 19:56, Axb wrote:
>> - Please post missed spam samples in pastebin.com - do not post samples to mailing lists
> There are too many to process them individually in pastebin. Here's an archive with ~60 messages in files: https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view
> ZIP password: spam
> (Google thinks there's a virus in it so I needed to encrypt it.)

--- SCAN SUMMARY ---
Known viruses: 4360435
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 58
Infected files: 30

This is with a bunch of unofficial databases for clamav, without foxhole mentioned by Axb. With foxhole rules:

--- SCAN SUMMARY ---
Known viruses: 4360690
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 58
Infected files: 50

Imho you should take a look at clamav configuration to reject such emails.
Re: Lots of Polish spam
On 02/24/2015 11:18 PM, John Hardin wrote:
> On Tue, 24 Feb 2015, Alex Regan wrote:
>> Does anyone know/think it would be a good idea to add .pdf.zip to the mime types reject list? Has anyone seen a real example that wasn't a virus?
> Pretty much *any* double-extension filename is suspect.

*.pdf.zip is a dangerous one to block on sight - FP risk is huge (got the t-shirt .-)
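Both Yves' point (blocking .exe-in-.zip without scanning the archive contents) and the *.pdf.zip false-positive concern in the exchange above come down to looking inside the archive rather than at its name. The following is an added example, not code from the list or from SpamAssassin/ClamAV: it walks a MIME message, opens each .zip attachment in memory and flags members by executable extension or by a DOS/PE "MZ" header hiding behind a harmless name, and reports encrypted members as uninspectable (the kind of password-protected archive Yves had to send). The extension list, helper names and the sample messages built by the helpers are all constructed for the example.

```python
import io, zipfile, email
from email.message import EmailMessage

# Constructed list: extensions that mark an executable or script inside an archive.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def suspicious_zip_entries(zip_bytes):
    """Members that look executable: by extension, or by an 'MZ' DOS/PE header
    behind a harmless-looking name. Encrypted members can't be read: report them."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in EXEC_EXTENSIONS):
                hits.append(info.filename)
            elif info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                hits.append(info.filename)
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        hits.append(info.filename)
    return hits

def scan_message(raw_bytes):
    """Return [(attachment name, suspicious members)] for every .zip attachment."""
    results = []
    for part in email.message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        if not filename or not filename.lower().endswith(".zip"):
            continue
        try:
            hits = suspicious_zip_entries(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            hits = ["<corrupt zip: could not inspect>"]
        results.append((filename, hits))
    return results

def make_zip(members):  # test-data helper: in-memory zip from {member name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_mail(attachments):  # test-data helper: message carrying {filename: zip bytes}
    msg = EmailMessage()
    msg.set_content("see attached (constructed test message)")
    for filename, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

A legitimate origin.pdf.zip made by a desktop "compress" action passes, while an archive whose .pdf member starts with an MZ header is flagged regardless of its name.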
Re: Lots of Polish spam
On 24.02.2015 at 23:06, Yves Goergen wrote:
> On 24.02.2015 at 22:42, Axb wrote:
>> ClamAV has become a framework... and atm, you can open a bottle of bubbly if the official sigs actually detect anything.
> Oh great. Now that I've finally set up ClamAV on the server, it's useless? At least it can detect the EICAR test signature, and occasionally I've seen it detecting other things, but I rarely get in touch with real malware so I didn't test that.

Again: do your homework and visit http://sanesecurity.com/usage/signatures/ - it's all available - you just need to do it, or pay someone to set up the filter properly - a spam filter is built up with a *lot* of pieces at different stages.
