Re: Need help with bobax rules

2008-04-17 Thread Jeremy Fairbrass
Are Henry's versions of these rules different to what Jack posted below, and if so, where can I find them? I'm still running SA 
3.1.8 (unable to upgrade yet) so I wouldn't receive them if you've pushed them to the 3.2 sa-update.


Cheers,
Jeremy



"Justin Mason" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]


> for what it's worth, I just pushed Henry's version of Joe's rules into the
> 3.2.x sa-updates.
> 
> --j.
> 
> Jack Pepper writes:
> > Quoting Jeremy Fairbrass <[EMAIL PROTECTED]>:
> > 
> > > HI Jack,
> > > Any chance of sharing your rules for this?!
> > >
> > > Cheers,
> > > Jeremy
> > 
> > Sure:
> > 
> > score BOBAX_GEN_SPAM_2 1.800
> > header BOBAX_GEN_SPAM_2   ALL =~ /^Message-Id:[EMAIL PROTECTED]/m
> > describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2
> > 
> > score BOBAX_GEN_SPAM 1.800
> > header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
> > describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
> > 
> > One fellow suggested that it might be more efficient to do this:
> > 
> > score BOBAX_GEN_SPAM 1.800
> > header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
> > describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
> > 
> > but I wasn't sure if SA would detect that the incorrect case on the
> > word "message-id" and then not realize the test, etc.  Any suggestions?
> > 
> > jp
> > 
> > --
> > Framework?  I don't need no steenking framework!
> > 
> > 
> > @fferent Security Labs:  Isolate/Insulate/Innovate
> > http://www.afferentsecurity.com







Re: Need help with bobax rules

2008-04-17 Thread Michael Scheidell

Justin Mason wrote:

> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified


bingo! thanks.
(wonder why doing a rm on the sa-update-keys dir didn't fix that)


--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
www.technosium.com/hotcompanies/


_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com

_


Re: Need help with bobax rules

2008-04-17 Thread Justin Mason

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified

--j.

Michael Scheidell writes:
> > From: Justin Mason <[EMAIL PROTECTED]>
> > Date: Wed, 16 Apr 2008 14:16:51 +0100
> > To: Jack Pepper <[EMAIL PROTECTED]>
> > Cc: 
> > Subject: Re: Need help with bobax rules
> > 
> > 
> > for what it's worth, I just pushed Henry's version of Joe's rules into the
> > 3.2.x sa-updates.
> 
> But did someone sign them right?
> 
> [49696] dbg: gpg: release trusted key id list:
> 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
> 26C900A46DD40CD5AD24F6D7DEE01987265FA05B
> 0C2B1D7175B852C64B3CDC716C55397824F434CE
> 
> [49696] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
> 
> [49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using RSA
> key ID 24F434CE
> [49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not
> cross-certified
> [49657] dbg: gpg: gpg: please see
> http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> [49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
> [49657] dbg: gpg: gpg: Can't check signature: General error
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> channel: GPG validation failed, channel failed
> [49657] dbg: generic: cleaning up temporary directory/files
> [49657] dbg: diag: updates complete, exiting with code 4
> 
> 
> -- 
> Michael Scheidell, CTO
> SECNAP Network Security
> Winner 2008 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer
> 


Re: Need help with bobax rules

2008-04-17 Thread Chris
On Thursday 17 April 2008 6:15 am, Michael Scheidell wrote:
> > From: Justin Mason <[EMAIL PROTECTED]>
> > Date: Wed, 16 Apr 2008 14:16:51 +0100
> > To: Jack Pepper <[EMAIL PROTECTED]>
> > Cc: 
> > Subject: Re: Need help with bobax rules
> >
> >
> > for what it's worth, I just pushed Henry's version of Joe's rules into
> > the 3.2.x sa-updates.
>
> But did someone sign them right?
>
> [49696] dbg: gpg: release trusted key id list:
> 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
> 26C900A46DD40CD5AD24F6D7DEE01987265FA05B
> 0C2B1D7175B852C64B3CDC716C55397824F434CE
>
> [49696] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
>
> [49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using
> RSA key ID 24F434CE
> [49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not
> cross-certified
> [49657] dbg: gpg: gpg: please see
> http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> [49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
> [49657] dbg: gpg: gpg: Can't check signature: General error
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> channel: GPG validation failed, channel failed
> [49657] dbg: generic: cleaning up temporary directory/files
> [49657] dbg: diag: updates complete, exiting with code 4

FWIW, I saw the same error; however, I re-downloaded the GPG.KEY, and once it was installed the update installed correctly.

-- 
Chris
KeyID 0xE372A7DA98E6705C
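An added triage helper, not part of the thread or of sa-update itself, that reads the debug output quoted above and tells the two failure cases apart: a signature from a key outside the trusted list, versus a trusted key whose signing subkey lacks cross-certification, which is the case Chris cured by re-importing GPG.KEY. It relies on the long key ID in the ERRSIG status line being the low 64 bits of the OpenPGP v4 fingerprint; the verdict strings are my own.

```python
import re

# sa-update -D lines as quoted in the thread, trimmed to what the triage
# reads; the three bare 40-hex lines are the trusted key fingerprints.
SA_UPDATE_DEBUG = """\
[49696] dbg: gpg: release trusted key id list:
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
26C900A46DD40CD5AD24F6D7DEE01987265FA05B
0C2B1D7175B852C64B3CDC716C55397824F434CE
[49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using RSA key ID 24F434CE
[49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[49657] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
[49657] dbg: diag: updates complete, exiting with code 4
"""

FINGERPRINT = re.compile(r"^[0-9A-F]{40}$")
# gpg status line: ERRSIG <long keyid> <pk algo> <hash algo> <class> <time> <rc>
ERRSIG = re.compile(r"\[GNUPG:\] ERRSIG ([0-9A-F]{16}) \d+ \d+ \w+ \d+ (\d+)")
EXIT_CODE = re.compile(r"exiting with code (\d+)")


def triage_sa_update(debug_text):
    """Classify a failed sa-update run from its -D output."""
    trusted, errsig_key, cross_cert, exit_code = set(), None, False, None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if FINGERPRINT.match(line):
            trusted.add(line)
        elif (m := ERRSIG.search(line)):
            errsig_key = m.group(1)
        elif "is not cross-certified" in line:
            cross_cert = True
        elif (m := EXIT_CODE.search(line)):
            exit_code = int(m.group(1))
    # A long key ID is the low 64 bits of a v4 fingerprint, so the signer is
    # in the trusted list exactly when some trusted fingerprint ends with it.
    signer_trusted = bool(errsig_key) and any(f.endswith(errsig_key) for f in trusted)
    if errsig_key is None:
        verdict = "no signature error recorded"
    elif not signer_trusted:
        verdict = "signed by a key outside the trusted list: keep the update out"
    elif cross_cert:
        verdict = "trusted key, but its signing subkey lacks cross-certification: re-import GPG.KEY and retry"
    else:
        verdict = "trusted key, signature still failed: inspect the gpg output"
    return {"signer": errsig_key, "signer_trusted": signer_trusted,
            "cross_cert_warning": cross_cert, "exit_code": exit_code, "verdict": verdict}
```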




Re: Need help with bobax rules

2008-04-17 Thread Michael Scheidell


> From: Justin Mason <[EMAIL PROTECTED]>
> Date: Wed, 16 Apr 2008 14:16:51 +0100
> To: Jack Pepper <[EMAIL PROTECTED]>
> Cc: 
> Subject: Re: Need help with bobax rules
> 
> 
> for what it's worth, I just pushed Henry's version of Joe's rules into the
> 3.2.x sa-updates.

But did someone sign them right?

[49696] dbg: gpg: release trusted key id list:
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
26C900A46DD40CD5AD24F6D7DEE01987265FA05B
0C2B1D7175B852C64B3CDC716C55397824F434CE

[49696] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf

[49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using RSA
key ID 24F434CE
[49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not
cross-certified
[49657] dbg: gpg: gpg: please see
http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[49657] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[49657] dbg: generic: cleaning up temporary directory/files
[49657] dbg: diag: updates complete, exiting with code 4


-- 
Michael Scheidell, CTO
SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer



Re: Need help with bobax rules

2008-04-16 Thread Justin Mason

for what it's worth, I just pushed Henry's version of Joe's rules into the
3.2.x sa-updates.

--j.

Jack Pepper writes:
> Quoting Jeremy Fairbrass <[EMAIL PROTECTED]>:
> 
> > HI Jack,
> > Any chance of sharing your rules for this?!
> >
> > Cheers,
> > Jeremy
> 
> Sure:
> 
> score BOBAX_GEN_SPAM_2 1.800
> header BOBAX_GEN_SPAM_2   ALL =~  
> /^Message-Id:[EMAIL PROTECTED]/m
> describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2
> 
> score BOBAX_GEN_SPAM 1.800
> header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
> describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
> 
> One fellow suggested that it might be more efficient to do this:
> 
> score BOBAX_GEN_SPAM 1.800
> header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
> describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
> 
> but I wasn't sure if SA would detect that the incorrect case on the  
> word "message-id" and then not realize the test, etc.  Any suggestions?
> 
> jp
> 
> -- 
> Framework?  I don't need no steenking framework!
> 
> 
> @fferent Security Labs:  Isolate/Insulate/Innovate  
> http://www.afferentsecurity.com


Re: Need help with bobax rules

2008-04-16 Thread Jack Pepper

Quoting Jeremy Fairbrass <[EMAIL PROTECTED]>:

> HI Jack,
> Any chance of sharing your rules for this?!
>
> Cheers,
> Jeremy

Sure:

score BOBAX_GEN_SPAM_2 1.800
header BOBAX_GEN_SPAM_2   ALL =~ /^Message-Id:[EMAIL PROTECTED]/m
describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

One fellow suggested that it might be more efficient to do this:

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

but I wasn't sure if SA would detect that the incorrect case on the  
word "message-id" and then not realize the test, etc.  Any suggestions?


jp

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: Need help with bobax rules

2008-04-16 Thread Jeremy Fairbrass

HI Jack,
Any chance of sharing your rules for this?!

Cheers,
Jeremy









Re: Need help with bobax rules

2008-04-15 Thread Jack Pepper

Quoting Justin Mason <[EMAIL PROTECTED]>:

> Jack Pepper writes:
> > I guess I don't need those rules.  I see now that INVALID_MSGID was
> > already catching them.
> > 
> > apologies for the noise on the list.




I found my problem in the faq.  I was missing the "m" on the end of the regex:


score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

getting hits on it now.  nice.




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
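An added illustration, not code from the thread or from SpamAssassin, emulating the rule forms discussed above: the "ALL =~ /^Message-Id:.*EJXVWDA/" rule without and with the /m flag that fixed it, and the suggested "Message-ID =~ /EJXVWDA/" shortcut. It assumes SpamAssassin looks header names up case-insensitively, and the header blocks are constructed, since the archive redacted the real Message-Ids.

```python
import re

# Constructed header blocks for this illustration; the real Bobax
# Message-Ids quoted in the thread were redacted by the list archive.
BOBAX_CASE = (
    "Received: from mx.example.invalid (unknown [192.0.2.10])\n"
    "From: someone@example.invalid\n"
    "Message-Id: <QWERTYEJXVWDAZXCVB@example.invalid>\n"
)
# Same token, but with the header name spelled the usual way.
TOKEN_ONLY = BOBAX_CASE.replace("Message-Id:", "Message-ID:")
CLEAN = (
    "Received: from mx.example.invalid (unknown [192.0.2.10])\n"
    "From: someone@example.invalid\n"
    "Message-ID: <20080415.120000.1234@example.invalid>\n"
)


def rule_all(headers, pattern, flags=0):
    """Emulate 'header RULE ALL =~ /pattern/': the regex runs over the whole
    raw header block, so the spelling of the header name is visible to it."""
    return re.search(pattern, headers, flags) is not None


def rule_named(headers, name, pattern):
    """Emulate 'header RULE Message-ID =~ /pattern/'. Assumes SpamAssassin
    looks header names up case-insensitively, so the regex only ever sees
    the value and cannot tell Message-Id from Message-ID."""
    for line in headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            if re.search(pattern, value.strip()):
                return True
    return False


def evaluate(headers):
    """Report which of the rule variants from the thread fire on a block."""
    return {
        # First attempt: without /m the ^ anchor only matches at the start
        # of the whole block, and Message-Id is almost never the first header.
        "BOBAX_GEN_SPAM_no_m": rule_all(headers, r"^Message-Id:.*EJXVWDA"),
        # The working rule: /m lets ^ match at the start of every line.
        "BOBAX_GEN_SPAM": rule_all(headers, r"^Message-Id:.*EJXVWDA", re.M),
        # The suggested shortcut: finds the token under either spelling, so
        # the miscapitalised header name no longer contributes to the hit.
        "BOBAX_GEN_SPAM_named": rule_named(headers, "Message-ID", r"EJXVWDA"),
    }
```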




Re: Need help with bobax rules

2008-04-15 Thread Justin Mason

Jack Pepper writes:
> I guess I don't need those rules.  I see now that INVALID_MSGID was  
> already catching them.
> 
> apologies for the noise on the list.

Henry Stern has added rules to SpamAssassin 3.3.0 trunk SVN to implement
these.  maybe he plans to backport them to 3.2.x sa-updates ;)

--j.


Re: Need help with bobax rules

2008-04-15 Thread Jack Pepper
I guess I don't need those rules.  I see now that INVALID_MSGID was  
already catching them.


apologies for the noise on the list.

jp

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Need help with bobax rules

2008-04-15 Thread Jack Pepper
This info popped up on the emerging-Threats list.  I have watched our  
mail servers and have confirmed that it works.


The problem is that my attempts to create SpamAssassin rules for it never  
fire off.  Can I get some tutelage from the list on creating rules for  
these unique conditions:


Message IDs randomized, but always the same length per field, and  
uses "Message-Id" instead of "Message-ID":


Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>

Intel from Joe Stewart at Secureworks.

Message-Id capitalized incorrectly, and EJXVWDA appears in the  
middle of the random prefix:


Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>

Intel from Joe Stewart at Secureworks.

First group increments over time. Last group is the IP in hex backwards.
Like so:

Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]

Thanks again to Joe Stewart for the intel!




Anything that hits is generated by bobax/kraken/oderoor and can be dropped.

jp
--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com