One word spam

2007-04-24 Thread Marc Perkel
I'm seeing a lot of one-word spam. I'm guessing they are probing for 
capabilities. Is anyone else seeing this? If so, what do you know about it?




one word spam

2013-08-23 Thread Marcio Humpris
Please, I know it's been talked about before, but isn't there a rule to deal
with 1-word spams?

Spams that just have the text "Hi!" and that's it.

If not, if someone can pls advise on a regex to catch this.

Thank you.


Re: One word spam

2007-04-24 Thread Luis Hernán Otegui

As I recall, this has been discussed earlier on the list. It seems like
spammers are "fishing" for valid addresses. Not lately, but I have seen
this kind of spam a lot two months ago or so...


Luix

2007/4/24, Marc Perkel <[EMAIL PROTECTED]>:

> I'm seeing a lot of one words spam. I'm guessing they are probing for
> capabilities. Is anyone else seeing this? If so - what do you know about
> it?

--
-
GNU-GPL: "May The Source Be With You...
-


Re: One word spam

2007-04-24 Thread J.

--- Luis Hernán Otegui <[EMAIL PROTECTED]> wrote:

> As I recall, this has been discussed earlier on the list. It seems
> like
> spammers are "fishing" for valid addresses Not lately, but I have
> seen
> this kind of spam a lot two months ago or so...
> 
> Luix
> 
> 2007/4/24, Marc Perkel <[EMAIL PROTECTED]>:
> > I'm seeing a lot of one words spam. I'm guessing they are probing
> for
> > capabilities. Is anyone else seeing this? If so - what do you know
> about
> > it?

Yeah, we're getting quite a few of those emails today.



Re: One word spam

2007-04-24 Thread Yet Another Ninja

On 4/25/2007 1:08 AM, Marc Perkel wrote:
> I'm seeing a lot of one words spam. I'm guessing they are probing for 
> capabilities. Is anyone else seeing this? If so - what do you know about 
> it?

more probably spammy borked templates





Re: one word spam

2013-08-27 Thread Marcio Humpris
Someone please?


2013/8/23 Marcio Humpris 

> please, i know its been talked about before, but isnt there a rule to deal
> with 1 word spams?
>
> spams that just have text "Hi!" and thats it.
>
> If not, if someone can pls advise on a regex to catch this.
>
> Thank you.
>


Re: one word spam

2013-08-27 Thread Jari Fredriksson
27.08.2013 16:27, Marcio Humpris kirjoitti:
> Someone please?
>
>
> 2013/8/23 Marcio Humpris  >
>
> please, i know its been talked about before, but isnt there a rule
> to deal with 1 word spams?
>
> spams that just have text "Hi!" and thats it.
>
> If not, if someone can pls advise on a regex to catch this.
>
> Thank you.
>
>
If the network tests can't figure anything there is not much to do, I
think. The body itself is not much more than just a word "Hi!". It can
be spam or ham as well.

-- 
jarif.bit






Re: one word spam

2013-08-27 Thread John Hardin

On Tue, 27 Aug 2013, Marcio Humpris wrote:

> Someone please?

I thought I'd replied to this...

There's really no easy way to do this because the Subject: header is 
included in the text the body rules scan, so any rule looking for the 
absence of word breaks would be defeated by a multiple-word subject.

This would probably require a plugin. I'm not sure if any of the existing 
plugins could be leveraged for this; I doubt it.

There are, however, rules for empty and one-line bodies that may be close 
enough.

> 2013/8/23 Marcio Humpris
>
>> please, i know its been talked about before, but isnt there a rule to deal
>> with 1 word spams?
>>
>> spams that just have text "Hi!" and thats it.
>>
>> If not, if someone can pls advise on a regex to catch this.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...much of our country's counterterrorism security spending is not
  designed to protect us from the terrorists, but instead to protect
  our public officials from criticism when another attack occurs.
-- Bruce Schneier
---
 Tomorrow: Exercise Your Rights day


Re: one word spam

2013-08-27 Thread Axb

On 08/27/2013 03:27 PM, Marcio Humpris wrote:
> Someone please?
>
> 2013/8/23 Marcio Humpris
>
>> please, i know its been talked about before, but isnt there a rule to deal
>> with 1 word spams?
>>
>> spams that just have text "Hi!" and thats it.
>>
>> If not, if someone can pls advise on a regex to catch this.

pls post a sample in pastebin.com



Re: one word spam

2013-08-28 Thread James Griffin
On Sat 24.Aug'13 at 0:40:26 BST, Marcio Humpris (marciohump...@gmail.com), 
wrote: 

> please, i know its been talked about before, but isnt there a rule to deal
> with 1 word spams?
> 
> spams that just have text "Hi!" and thats it.

It's unlikely, imo, that emails with just "Hi!" will be spam. I have
people/friends that send mails like that to me, just to see if I'm
there/available. 

Spammers would most likely have more than just "Hi!" in the mail body.

-- 


James Griffin: jmz at kontrol.kode5.net 

A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38


one word spam (continued)

2013-10-16 Thread Marcio Humpris
Hi everyone

If I use digest mode how do I reply to a specific mail?

In reply to axb...

about one word spam
http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser

here is the sample http://pastebin.com/download.php?i=0D7tfsjf

Can you help with some regex pls?

Tks


Re: one word spam (continued)

2013-10-16 Thread Ted Mittelstaedt


Dumb question here perhaps - how exactly would sending a single word
to a victim help a spammer?  Why would they do it?

Ted

On 10/16/2013 8:33 AM, Martin Gregorie wrote:

> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>
>> Hi everyone
>>
>> If I use digest mode how do I reply to a specific mail?
>>
>> In reply to axb...
>>
>> about one word spam
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>
>> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>>
>> Can you help with some regex pls?
>
> Not one word is it?
>
> However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/
>
> Be aware that messages like your example are quite common between
> friends, so I personally would be wary of using this type of regex
> outside a meta-rule.
>
> Martin
>
>> Tks








Re: one word spam (continued)

2013-10-16 Thread Martin Gregorie
On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
> Hi everyone
> 
> If I use digest mode how do I reply to a specific mail?
> 
> In reply to axb...
> 
> about one word spam
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
> 
> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
> 
> Can you help with some regex pls?
> 
Not one word is it?

However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/

Be aware that messages like your example are quite common between
friends, so I personally would be wary of using this type of regex
outside a meta-rule.


Martin



> Tks





Re: one word spam (continued)

2013-10-16 Thread Bowie Bailey

On 10/16/2013 11:33 AM, Martin Gregorie wrote:

> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>
>> Hi everyone
>>
>> If I use digest mode how do I reply to a specific mail?
>>
>> In reply to axb...
>>
>> about one word spam
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>
>> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>>
>> Can you help with some regex pls?
>
> Not one word is it?
>
> However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/
>
> Be aware that messages like your example are quite common between
> friends, so I personally would be wary of using this type of regex
> outside a meta-rule.

You do realize that this regex is equivalent to /\S/.  If it is a body 
rule, it will match on every email that has any kind of text in either 
the subject or the body.

I'm not quite sure what you were intending to match.

--
Bowie


Re: one word spam (continued)

2013-10-16 Thread Axb

On 10/16/2013 04:58 PM, Marcio Humpris wrote:

> In reply to axb...
>
> about one word spam
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>
> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>
> Can you help with some regex pls?

This has two words :) and no SA header / spam report so we have little 
to work with.

Nice to see that Commtouch (X-CTCH header: Spam="Unknown") didn't detect 
it either :)


Re: one word spam (continued)

2013-10-16 Thread Neil Schwartzman
List verification. Many receiving sites will block after X bounces, clean up 
your list from 550s, and spam the real thing from another botted IP.


Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email

Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce




On Oct 16, 2013, at 8:41 AM, Ted Mittelstaedt  wrote:

> 
> Dumb question here perhaps - how exactly would sending a single word
> to a victim help a spammer?  Why would they do it?
> 
> Ted
> 
> On 10/16/2013 8:33 AM, Martin Gregorie wrote:
>> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>>> Hi everyone
>>> 
>>> If I use digest mode how do I reply to a specific mail?
>>> 
>>> In reply to axb...
>>> 
>>> about one word spam
>>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>> 
>>> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>>> 
>>> Can you help with some regex pls?
>>> 
>> Not one work is it?
>> 
>> However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/
>> 
>> Be aware that messages like your example are quite common between
>> friends, so I personally would be wary of using this type of regex
>> outside a meta-rule.
>> 
>> 
>> Martin
>> 
>> 
>> 
>>> Tks
>> 
>> 
>> 
> 



Re: one word spam (continued)

2013-10-16 Thread David F. Skoll
On 16 Oct 2013 09:15:07 -0700
"Neil Schwartzman"  wrote:

> List verification. Many receiving sites will block after X bounces,
> clean up your list from 550s, and spam the real thing from another
> botted IP.


And you know who we can thank [sic] for this mechanism of list verification?

Microsoft, that's who.

For versions of Microsoft Exchange prior to 2013, you need to jump through
ridiculous hoops to configure it so that invalid RCPT commands are rejected.
By default, Exchange accepts any old RCPT command and then either rejects
after DATA or (if a RCPT was valid) is forced to generate a delivery failure
notification.

For Exchange 2013, the ridiculous hoops no longer work and I don't
believe it is even possible to configure Exchange 2013 to reject
invalid RCPTs without truly grotesque hacks.

Thank you, Microsoft, for making the Internet a better place.


Regards,

David.


Re: one word spam (continued)

2013-10-16 Thread Axb

On 10/16/2013 06:42 PM, David F. Skoll wrote:

> On 16 Oct 2013 09:15:07 -0700
> "Neil Schwartzman"  wrote:
>
>> List verification. Many receiving sites will block after X bounces,
>> clean up your list from 550s, and spam the real thing from another
>> botted IP.
>
> And you know who we can thank [sic] for this mechanism of list verification?
>
> Microsoft, that's who.
>
> For versions of Microsoft Exchange prior to 2013, you need to jump through
> ridiculous hoops to configure it so that invalid RCPT commands are rejected.
> By default, Exchange accepts any old RCPT command and then either rejects
> after DATA or (if a RCPT was valid) is forced to generate a delivery failure
> notification.
>
> For Exchange 2013, the ridiculous hoops no longer work and I don't
> believe it is even possible to configure Exchange 2013 to reject
> invalid RCPTs without truly grotesque hacks.
>
> Thank you, Microsoft, for making the Internet a better place.

Exchange 2013 can still reject mail to unknown users, except that it 
does it _AFTER_ DATA, which means that everybody that tried to be a good 
player has become a backscatterer, including their own services which 
they have elegantly turned into spam spewing bazookas.

May I join you?

Thank you, Microsoft, for making the Internet a better place.
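Added example, not part of the thread and not anything from Exchange or SpamAssassin: a Python simulation of the server side of one SMTP transaction under the two recipient-handling policies David and Axb describe above, rejecting unknown recipients at RCPT time versus accepting every RCPT and sorting it out after DATA. The valid-recipient set, host names and addresses are constructed stand-ins (the "local rcpt list copy" Axb mentions); what the code makes visible is when a delivery failure notification has to be generated, and that it is addressed to whatever MAIL FROM the client supplied.

```python
# Constructed valid-recipient list: stands in for the LDAP export or
# local rcpt list copy a filter in front of the mail server maintains.
VALID_RCPTS = {"alice@example.com", "bob@example.com"}


def smtp_session(mail_from, rcpts, reject_at_rcpt):
    """Server side of one SMTP transaction.

    reject_at_rcpt=True answers 550 to unknown recipients at RCPT time.
    reject_at_rcpt=False emulates the default described in the thread:
    every RCPT gets 250 and the decision is made only after DATA.

    Returns (transcript, dsn_targets): the dialogue as (side, line) pairs
    and the unknown recipients for which the server is now obliged to send
    a delivery failure notification back to mail_from (backscatter).
    """
    t = [("S", "220 mx.example.com ESMTP"),
         ("C", "EHLO relay.example.net"), ("S", "250 mx.example.com"),
         ("C", f"MAIL FROM:<{mail_from}>"), ("S", "250 2.1.0 OK")]
    accepted = []
    for rcpt in rcpts:
        t.append(("C", f"RCPT TO:<{rcpt}>"))
        if rcpt in VALID_RCPTS or not reject_at_rcpt:
            accepted.append(rcpt)
            t.append(("S", "250 2.1.5 OK"))
        else:
            # Client learns immediately; nothing is queued, nothing to bounce.
            t.append(("S", "550 5.1.1 User unknown"))
    t.append(("C", "DATA"))
    if not accepted:
        t.append(("S", "554 5.5.1 No valid recipients"))
        return t, []
    t += [("S", "354 End data with <CR><LF>.<CR><LF>"),
          ("C", "<message headers and body>"), ("C", ".")]
    if not any(r in VALID_RCPTS for r in accepted):
        # Everything was unknown: rejection after DATA.  Still no DSN, but
        # the whole message had to be received (and scanned) first.
        t.append(("S", "550 5.1.1 User unknown"))
        return t, []
    t.append(("S", "250 2.0.0 Queued"))
    # Mixed valid/unknown: the message was accepted, so the server must now
    # bounce the unknown ones to mail_from, which in spam is usually forged.
    return t, [r for r in accepted if r not in VALID_RCPTS]


def backscatter(reject_at_rcpt, transactions):
    """Total DSNs the server generates for a list of (mail_from, rcpts)."""
    return sum(len(smtp_session(mf, rc, reject_at_rcpt)[1])
               for mf, rc in transactions)


if __name__ == "__main__":
    # Constructed transactions with a forged envelope sender.
    transactions = [
        ("forged@victim.example", ["alice@example.com", "nobody@example.com"]),
        ("forged@victim.example", ["carol@example.com", "dave@example.com"]),
    ]
    for policy in (True, False):
        label = "reject at RCPT" if policy else "sort out after DATA"
        print(f"{label:20} -> DSNs generated: {backscatter(policy, transactions)}")
    for side, line in smtp_session(*transactions[0], reject_at_rcpt=False)[0]:
        print(side, line)
```

With the after-DATA policy the first transaction is accepted (one recipient was valid) and a DSN for the unknown one goes to the forged sender; with RCPT-time rejection the same transaction produces no DSN at all, which is the difference the call-ahead milters in the thread rely on.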









RE: one word spam (continued)

2013-10-16 Thread Kevin Miller
So if I'm reading this right, milters such as smf-sav or milter-ahead will no 
longer be of any use?  

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-Original Message-
From: Axb [mailto:axb.li...@gmail.com] 
Sent: Wednesday, October 16, 2013 9:18 AM
To: users@spamassassin.apache.org
Subject: Re: one word spam (continued)

On 10/16/2013 06:42 PM, David F. Skoll wrote:
> On 16 Oct 2013 09:15:07 -0700
> "Neil Schwartzman"  wrote:
>
>> List verification. Many receiving sites will block after X bounces, 
>> clean up your list from 550s, and spam the real thing from another 
>> botted IP.
>
> 
> And you know who we can thank [sic] for this mechanism of list verification?
>
> Microsoft, that's who.
>
> For versions of Microsoft Exchange prior to 2013, you need to jump 
> through ridiculous hoops to configure it so that invalid RCPT commands are 
> rejected.
> By default, Exchange accepts any old RCPT command and then either 
> rejects after DATA or (if a RCPT was valid) is forced to generate a 
> delivery failure notification.
>
> For Exchange 2013, the ridiculous hoops no longer work and I don't 
> believe it is even possible to configure Exchange 2013 to reject 
> invalid RCPTs without truly grotesque hacks.
>
> Thank you, Microsoft, for making the Internet a better place.
> 

Exchange 2013 can still reject mail to unknown users, except that it does it 
_AFTER_ DATA, which means that everybody that tried to be a good player has 
become a backscatterer, including their own services which have they have 
elegantly turned into spam spewin bazookas.

May I join you?

Thank you, Microsoft, for making the Internet a better place.









Re: one word spam (continued)

2013-10-16 Thread Axb

On 10/16/2013 07:21 PM, Kevin Miller wrote:

> So if I'm reading this right, milters such as smf-sav or milter-ahead will no 
> longer be of any use?

yep...  One will have to be creative, start maintaining local rcpt list 
copies, LDAP exports, etc - lottsa fun for all parties.

This also applies to Postfix's recipient address verification.



>   ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
>
> -Original Message-
> From: Axb [mailto:axb.li...@gmail.com]
> Sent: Wednesday, October 16, 2013 9:18 AM
> To: users@spamassassin.apache.org
> Subject: Re: one word spam (continued)
>
> On 10/16/2013 06:42 PM, David F. Skoll wrote:
>> On 16 Oct 2013 09:15:07 -0700
>> "Neil Schwartzman"  wrote:
>>
>>> List verification. Many receiving sites will block after X bounces,
>>> clean up your list from 550s, and spam the real thing from another
>>> botted IP.
>>
>> And you know who we can thank [sic] for this mechanism of list verification?
>>
>> Microsoft, that's who.
>>
>> For versions of Microsoft Exchange prior to 2013, you need to jump
>> through ridiculous hoops to configure it so that invalid RCPT commands are 
>> rejected.
>> By default, Exchange accepts any old RCPT command and then either
>> rejects after DATA or (if a RCPT was valid) is forced to generate a
>> delivery failure notification.
>>
>> For Exchange 2013, the ridiculous hoops no longer work and I don't
>> believe it is even possible to configure Exchange 2013 to reject
>> invalid RCPTs without truly grotesque hacks.
>>
>> Thank you, Microsoft, for making the Internet a better place.
>
> Exchange 2013 can still reject mail to unknown users, except that it does it 
> _AFTER_ DATA, which means that everybody that tried to be a good player has 
> become a backscatterer, including their own services which have they have 
> elegantly turned into spam spewin bazookas.
>
> May I join you?
>
> Thank you, Microsoft, for making the Internet a better place.











Re: one word spam (continued)

2013-10-16 Thread Ted Mittelstaedt

On 10/16/2013 9:42 AM, David F. Skoll wrote:

> On 16 Oct 2013 09:15:07 -0700
> "Neil Schwartzman"  wrote:
>
>> List verification. Many receiving sites will block after X bounces,
>> clean up your

you mean "their" list

>> list from 550s, and spam the real thing from another
>> botted IP.
>
> And you know who we can thank [sic] for this mechanism of list verification?
>
> Microsoft, that's who.
>
> For versions of Microsoft Exchange prior to 2013, you need to jump through
> ridiculous hoops to configure it so that invalid RCPT commands are rejected.
> By default, Exchange accepts any old RCPT command and then either rejects
> after DATA or (if a RCPT

you mean if sender was valid, right

> was valid) is forced to generate a delivery failure
> notification.
>
> For Exchange 2013, the ridiculous hoops no longer work and I don't
> believe it is even possible to configure Exchange 2013 to reject
> invalid RCPTs without truly grotesque hacks.

Yeah I had forgotten about that.

I think what's going on here is that Microsoft has been positioning 
Exchange for use as a large company platform for some time - the last
version of SBS contained Exchange 2010 and that was the last way that
a smaller company could afford an Exchange server.  Check out the
prices on Exchange 2012 and you will see what I mean, plus there's
no easy way that was provided to migrate from Exchange 2010 to Exchange 
2012.  Their hope is that smaller customers will go to the cloud.

To this end they have had an eye on the Exchange server being just a
single cog in a large network.  That's why they make you go to an 
additional server (or appliance) for spam and antivirus filtering, and 
they don't provide that on Exchange.

We never sell an Exchange server installation without specing some
sort of spam prefiltering like a Sophos box or Cisco ASA or something 
like that in front of it, and all of those devices have active directory 
hooks that query the DC for the usernames and -don't- accept just any 
old bogus RCPTs.

> Thank you, Microsoft, for making the Internet a better place.

Naw, it's much more neglect and forgetting where they came from.

There was a time that people replaced old post.office and other hacky
mailservers with Exchange because Exchange was inexpensive, simple, and
easy for just any monkey to configure.

There was also a time people replaced old Novell Netware servers and
other hacky fileservers with Windows NT because NT was inexpensive,
simple, and easy for any monkey to configure.

But those days are gone and those products have been replaced by very
expensive, very complicated products that even people who are 
professionals have a hard time configuring.

And to be perfectly honest about it I can say exactly the same thing
about the Linux distros who are also headed full speed away from
simplicity and ease and into complexity and difficulty.

I can't boot any current Linux distro on an older P4 with 4GB of
RAM and have it run any faster than a slug would travel.  And there's
a LOT of older 2003 servers out there running on older HP Proliant
G4 and G3 servers or Dell 2650 servers that are 32 bit, running
Exchange 2003, but are rock-solid and have been for years.  There's an 
opportunity there but nobody in the FOSS community wants to service it. 
Instead the Linux people think they can go head-to-head with Microsoft 
on brand new $4,000 server hardware.

Ted

> Regards,
>
> David.





Re: one word spam (continued)

2013-10-16 Thread Martin Gregorie
On Wed, 2013-10-16 at 11:47 -0400, Bowie Bailey wrote:

> I'm not quite sure what you were intending to match.
> 
On more mature reflection, neither am I! I should have said:

/^\s{0,80}\S{0,20}\s{0,80}$/

which should catch messages of 20 characters or less. I was in a hurry
(quite a bit of C to write) and somewhat thrown by the OP saying he
wanted to catch single word messages but showed us a two word example. 


Martin





Re: one word spam (continued)

2013-10-16 Thread John Hardin

On Wed, 16 Oct 2013, Martin Gregorie wrote:

> On Wed, 2013-10-16 at 11:47 -0400, Bowie Bailey wrote:
>
>> I'm not quite sure what you were intending to match.
>
> On more mature reflection, neither am I! I should have said:
>
> /^\s{0,80}\S{0,20}\s{0,80}$/

...which matches /^$/, or any message having a blank line.

Body lines are space-collapsed, so how about this:

  body  __SINGLE_WORD  /^\s?\S{1,20}\s?$/

You'd probably also want to meta it with __BODY_TEXT_LINE to avoid hitting 
on a long message that has a single-word line somewhere within it (like 
this message, for example).

You also have to allow for the subject, which is included in body rules. I 
assume you don't want a single-word-body rule to fire on a multi-word 
message body having a single-word subject.

20 might be a bit conservative, too. :)

Giving:

  body   __SINGLE_WORD_LINE  /^\s?\S{1,40}\s?$/
  tflags __SINGLE_WORD_LINE  multiple maxhits=2
  header __SINGLE_WORD_SUBJ  Subject =~ /^\s*\S{1,40}\s*$/
  meta   SINGLE_WORD_BODY    __BODY_TEXT_LINE < 3 && (__SINGLE_WORD_LINE == 2 || (__SINGLE_WORD_LINE > 0 && !__SINGLE_WORD_SUBJ))

(__BODY_TEXT_LINE counts a nonempty subject because the subject is 
included in body text.)

Untested, of course.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 09/13/07: Microsoft patents in-OS
  adware architecture that incorporates monitoring and analysis of
  user actions and interrupting the user to display apparently
  relevant advertisements (U.S. Patent #20070214042)
---
 503 days since the first successful private support mission to ISS (SpaceX)
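Added example, not from the thread and not SpamAssassin code: a Python script that emulates how the regexes posted in this thread behave against the rendered text that SpamAssassin body rules see (Subject prepended as the first paragraph, each paragraph one whitespace-collapsed line). It shows Bowie's point that the unanchored pattern hits every non-blank line, John's point that `\S{0,20}` with anchors matches a blank line, and the counting logic of the SINGLE_WORD_BODY meta rule. `__BODY_TEXT_LINE` is approximated as the number of non-blank rendered lines (an assumption; the stock rule's exact definition is not on this page), and the sample messages are constructed.

```python
import re

# Regexes as posted in the thread (Python and Perl agree on these constructs).
UNANCHORED = re.compile(r"\s{0,80}\S{1,20}\s{0,80}")        # first attempt: no anchors
ANCHORED_0_20 = re.compile(r"^\s{0,80}\S{0,20}\s{0,80}$")   # second attempt: \S{0,20} admits an empty line
SINGLE_WORD_LINE = re.compile(r"^\s?\S{1,40}\s?$")          # __SINGLE_WORD_LINE (body rule)
SINGLE_WORD_SUBJ = re.compile(r"^\s*\S{1,40}\s*$")          # __SINGLE_WORD_SUBJ (header rule)


def rendered_body(subject, paragraphs):
    """Approximate what SA body rules scan: the Subject as the first
    paragraph, then each paragraph as one whitespace-collapsed line."""
    return [" ".join(p.split()) for p in (subject, *paragraphs)]


def count_hits(pattern, lines, maxhits=None):
    """Emulate 'tflags multiple maxhits=N': matching lines, capped at N."""
    hits = sum(1 for line in lines if pattern.search(line))
    return min(hits, maxhits) if maxhits is not None else hits


def single_word_body(subject, paragraphs):
    """Emulate the SINGLE_WORD_BODY meta rule.  __BODY_TEXT_LINE is
    approximated (assumption) as the number of non-blank rendered lines."""
    lines = rendered_body(subject, paragraphs)
    body_text_line = sum(1 for line in lines if line.strip())
    swl = count_hits(SINGLE_WORD_LINE, lines, maxhits=2)
    sws = SINGLE_WORD_SUBJ.search(subject) is not None
    return body_text_line < 3 and (swl == 2 or (swl > 0 and not sws))


def regex_report(subject, paragraphs):
    """How many rendered lines each regex from the thread hits, plus the meta verdict."""
    lines = rendered_body(subject, paragraphs)
    return {
        "unanchored": count_hits(UNANCHORED, lines),
        "anchored_0_20": count_hits(ANCHORED_0_20, lines),
        "single_word_line": count_hits(SINGLE_WORD_LINE, lines),
        "fires": single_word_body(subject, paragraphs),
    }


# Constructed samples (not from the thread): (subject, body paragraphs).
SAMPLES = {
    "one word":        ("Hi!", ["Hi!"]),
    "two words":       ("Oi", ["Tudo bom?"]),
    "long message":    ("Status report", [
        "The build finished overnight without errors.",
        "Thanks",
        "We can ship on Friday if QA agrees.",
    ]),
    "blank line only": ("", [""]),
}

if __name__ == "__main__":
    for name, (subj, paras) in SAMPLES.items():
        print(f"{name:16} {regex_report(subj, paras)}")
```

The "long message" sample is the case John warns about: its single-word "Thanks" line is hit by both the anchored `\S{0,20}` pattern and `__SINGLE_WORD_LINE`, and only the `__BODY_TEXT_LINE < 3` guard keeps the meta from firing. The "two words" sample does not fire because "Tudo bom?" is not one `\S` run, which is the same observation John and Karsten make about the pastebin sample.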


one word spam part 3

2013-10-28 Thread Marcio Humpris
Hi everyone

Martin, I tried

/\s{0,80}\S{1,20}\s{0,80}/

but it didn't work for me. If you can kindly confirm it works here, I
appreciate it:

http://www.softlion.com/webTools/RegExpTest/default.aspx

Also, please, sorry for the off topic, but if someone can explain, how
can I reply to a certain post when I'm in digest mode and don't receive
each email in the list system individually?

Thanks very much.


one word spam (still trying...)

2013-11-07 Thread Marcio Humpris
Hi, John

This didn't work for me also:

 /^\s{0,80}\S{1,20}\s{0,80}$/

can you kindly check it works here?

http://www.softlion.com/webTools/RegExpTest/default.aspx

Here's the original email I want to block:

http://pastebin.com/download.php?i=0D7tfsjf

Thank you!


Re: one word spam part 3

2013-10-28 Thread John Hardin

On Mon, 28 Oct 2013, Marcio Humpris wrote:

> Hi everyone
>
> Martin, I tried
>
> /\s{0,80}\S{1,20}\s{0,80}/
>
> but it didnt work for me.

That RE is not anchored so it will match on any line that has at least one 
non-space character in it. You need to anchor the beginning and ending of 
the line explicitly for this to work:

   /^\s{0,80}\S{1,20}\s{0,80}$/

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 3 days until Halloween


Re: one word spam part 3

2013-10-30 Thread RW
On Mon, 28 Oct 2013 19:45:31 -0200
Marcio Humpris wrote:


> Also, please, sorry for the off topic, but if someone can explain, how
> can I reply to a certain post when Im in digest mode and dont receive
> each email in the list system individually?

It depends on what's supported by your mail client, in claws-mail you
can reply to an individual post simply by first selecting the
appropriate message/rfc822 entry in the mime pane. In others you can
extract the email into a folder. Alternately the individual emails are
attachments, so you might be able to save one to a file and import it.

There are some alternatives here:
 
http://wiki.apache.org/spamassassin/MailingLists

Personally I prefer using the gmane.org news-server for mailing lists
where I don't want a full subscription. I also find it useful for
priming new mailing list folders with a bit of context, and for
restoring accidentally deleted list emails.


Re: one word spam (still trying...)

2013-11-07 Thread John Hardin

On Thu, 7 Nov 2013, Marcio Humpris wrote:

> Hi, John
>
> This didnt work for me also:
>
> /^\s{0,80}\S{1,20}\s{0,80}$/
>
> can you kindly check it works here?
>
> http://www.softlion.com/webTools/RegExpTest/default.aspx

The slashes at the ends should be removed if you're testing the RE with 
that tool. If I do that it works as expected there.

> Heres the original email I want to block:
>
> http://pastebin.com/download.php?i=0D7tfsjf

"Tudo bom?" is two words.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "They will be slaughtered as result of England's anti-gun laws
  that concentrates power to the Government."
-- Shifty Powers (101 abn) observing British
subjects training to repel a German invasion
using rakes, hoes and pitchforks
---
 4 days until Veterans Day


Re: one word spam (still trying...)

2013-11-07 Thread Karsten Bräckelmann
On Thu, 2013-11-07 at 21:01 -0200, Marcio Humpris wrote:
> This didnt work for me also:
>  
>  /^\s{0,80}\S{1,20}\s{0,80}$/

That RE matches a complete line with a single "word" (anything but
whitespace) of up to 20 chars, and optional whitespace \s before and
after the word.

> Heres the original email I want to block:
> http://pastebin.com/download.php?i=0D7tfsjf

Despite your Subject, that sample has two words in the body.

You missed to post the actual SA rule. The above is just an RE. This is
important, because different rules are applied against different
versions of the message or body, which also impacts the exact definition
of beginning ^ and end $ assertions. And in the case of a body rule, the
Subject becomes the first paragraph.

Even more words? In total, yes, but not as far as the above RE is
concerned. In body rules, paragraphs are normalized to newline delimited
single line strings. Lacking magic like the /m modifier, the beginning
and end assertions are per-line -- not spanning the entire body. A
single one word paragraph in a large mail would match.


Given the sample, what you actually are after might be a "very short
body" rule. This was part of a recent thread:

  rawbody __RB_GT_200  /^.{201}/s
  meta    __RB_LE_200  !__RB_GT_200

The (non-scoring sub-rule) __RB_LE_200 matches any mail with less than
or equal 200 chars in the textual body MIME-parts. To adjust the size
and lower it for your use-case, just replace any instance of 200 and 201
with your desired maximum size, and max size plus one respectively.

These rules are sub-rules intended to be used in a meta rule.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: one word spam (still trying...)

2013-11-26 Thread Marcio Humpris
Dear Karsten,

Really appreciate it. Thanks John Hardin also.

There was no original rule actually. And yes, 2 words in the case, sorry.

Can you kindly tell me how I can add this to my local.cf so I can test it?

  rawbody __RB_GT_200  /^.{201}/s
  meta    __RB_LE_200  !__RB_GT_200

I imagine I have to do this, correct?

  rawbody __RB_GT_200  /^.{201}/s
  meta    __RB_LE_200  !__RB_GT_200
  score   __RB_LE_200  1.5

I'm a bit confused, LE checks less than 200 words and seems to negate
RB_GT_200...?

Thanks again.




Re: one word spam (still trying...)

2013-11-26 Thread Karsten Bräckelmann
On Mon, 2013-11-25 at 22:26 +, Marcio Humpris wrote:
> Dear Karsten,
> Really appreciate it. Thanks John Hardin also.

> Can you kindly tell me how I can add this to my local.cf so I can test it?

> I imagine I have to do this, correct?
> 
>   rawbody __RB_GT_200  /^.{201}/s
>   meta    __RB_LE_200  !__RB_GT_200
>   score   __RB_LE_200  1.5

You cannot assign a score directly here. As I mentioned in my previous
post, these (any rules with names starting with two underscores) are
non-scoring sub-rules intended to be used in a meta rule.

Thus, you would either have to change the __RB_LE_200 rule's name in the
meta and drop the leading underscores. Alternatively preserve these size
constraint logic rules as-is, and add a plain meta rule you can assign a
score to.

  meta  LOCAL_RB_LE_200  __RB_LE_200

That might look slightly redundant on first glance, but helps using the
size constraint rules in other meta rules, as well as more closely
matching your target and prevent false positives with additional
constraints.

The samples in your case are short body without any URI, so you could
e.g. use another stock sub-rule to prevent firing on mail quickly thrown
together to send a funny link to the college next cubicle.

  meta  RB_LE_200_NO_URI  __RB_LE_200 && !__HAS_ANY_URI

Unless you're comfortable with the rule, I suggest to start with a lower
score -- and raise it over time after some performance observation.

  score RB_LE_200_NO_URI  0.5


> Im a bit confused, LE checks less then 200 words and seems to negate
> RB_GT_200...?

Syntax used in the original sub-rules above: RB indicating it being
(based on) a rawbody type rule. GT and LE meaning "greater than" and
"less than or equal" respectively, in relation to the trailing
number.

The first rule (type rawbody) evaluates true for any message with more
than 200 chars in textual MIME-parts, which one can think about as
"having a body of at least 200 chars". Note that this works on *chars*,
not words.

The second rule does indeed negate that -- which means, the textual
MIME-parts (think body) of the message is "less than or equal 200 chars
in length". Again, operating on chars, not words.


In your case, since you want to match messages with typically much less
chars than 200, I'd go for a version of about 40 chars, maybe. I briefly
outlined what to adjust for that in my previous post, if it isn't clear
by the rule definitions already.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
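Added example, not from the thread and not SpamAssassin code: a Python emulation of the `__RB_GT_200` / `__RB_LE_200` sub-rules from Karsten's first reply and the scoring `RB_LE_200_NO_URI` meta from the follow-up, plus a helper that renders the rule set for another size the way Karsten describes (replace 200 and 201 with n and n+1). It also shows why the `/s` modifier on the rawbody rule matters: without it, `.` stops at a newline and a long body made of short lines would look "short". The URI check is a rough stand-in for SA's stock `__HAS_ANY_URI` (an assumption, not the real rule), and the sample bodies are constructed.

```python
import re


def rb_gt(raw_body, n, dotall=True):
    """Emulate 'rawbody __RB_GT_n /^.{n+1}/s': True when the textual
    MIME part holds more than n characters.  dotall=False shows what
    happens if the /s modifier is left off the rule."""
    flags = re.S if dotall else 0
    return re.search(r"^.{%d}" % (n + 1), raw_body, flags) is not None


def rb_le(raw_body, n):
    """Emulate 'meta __RB_LE_n !__RB_GT_n'."""
    return not rb_gt(raw_body, n)


# Rough stand-in (assumption) for SA's stock __HAS_ANY_URI sub-rule.
URI_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+|\bwww\.\S+|\bmailto:\S+")


def has_any_uri(raw_body):
    return URI_RE.search(raw_body) is not None


def rb_le_no_uri(raw_body, n):
    """Emulate 'meta RB_LE_n_NO_URI __RB_LE_n && !__HAS_ANY_URI'."""
    return rb_le(raw_body, n) and not has_any_uri(raw_body)


def rules_for(n, score=0.5):
    """Render the rule set for a chosen maximum size n, substituting n and
    n+1 as Karsten describes.  Only the plain meta rule carries a score."""
    return "\n".join([
        f"rawbody  __RB_GT_{n}  /^.{{{n + 1}}}/s",
        f"meta     __RB_LE_{n}  !__RB_GT_{n}",
        f"meta     RB_LE_{n}_NO_URI  __RB_LE_{n} && !__HAS_ANY_URI",
        f"describe RB_LE_{n}_NO_URI  Textual body of {n} chars or less, no URI",
        f"score    RB_LE_{n}_NO_URI  {score}",
    ])


# Constructed sample bodies (not from the thread).
SHORT = "Tudo bom?\n"                                   # 10 chars, no URI
SHORT_WITH_URI = "look at this http://example.com/funny\n"
MANY_SHORT_LINES = "ok\n" * 100                         # 300 chars, no line longer than 2

if __name__ == "__main__":
    for name, body in [("SHORT", SHORT), ("SHORT_WITH_URI", SHORT_WITH_URI),
                       ("MANY_SHORT_LINES", MANY_SHORT_LINES)]:
        print(f"{name:17} LE_40={rb_le(body, 40)!s:5} LE_40_NO_URI={rb_le_no_uri(body, 40)!s:5} "
              f"GT_200 with /s={rb_gt(body, 200)!s:5} without /s={rb_gt(body, 200, dotall=False)}")
    print(rules_for(40))
```

`rules_for(40)` is the 40-character variant Karsten suggests for this sample; paste its output into local.cf and adjust the score once you have watched it for a while.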



Re: one word spam (still trying...)

2013-11-27 Thread Benny Pedersen

Marcio Humpris skrev den 2013-11-25 23:26:

> I imagine I have to do this, correct?
>
>   rawbody __RB_GT_200  /^.{201}/s
>   meta    __RB_LE_200  !__RB_GT_200
>   score   __RB_LE_200  1.5

Nope, rules beginning with __ can't score for spam tests.

meta RB_LE_200 (__RB_LE_200)
describe RB_LE_200 Meta: less than 200 chars in rawbody
score RB_LE_200 1.5




Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread David F. Skoll
On Wed, 16 Oct 2013 09:21:46 -0800
Kevin Miller  wrote:

> So if I'm reading this right, milters such as smf-sav or milter-ahead
> will no longer be of any use?

You are reading it correctly.  On our anti-spam service, we require
some sort of recipient validation so we don't go insane scanning
messages destined to nonexistent addresses.  SMTP call-ahead was the easiest
way to do this, but now our customers either have to let us hook into their
Active Directory or explicitly provide a list of valid recipients.

Someone did send me a hack for doing recipient verification on
Exchange 2013 which I include here for archiving purposes.  Please
note that I have not tested this.  I'm also not familiar with Exchange,
so some of the terminology means nothing to me...

Regards,

David.

==
From: Leon Black 
To: "i...@roaringpenguin.com" 
Subject: Recipient Verification correction
Date: Sat, 7 Sep 2013 03:59:27 +

Hey Guys,

Just saw your info on this page
http://www.roaringpenguin.com/recipient-verification re Exchange 2013
recipient verification.

I have found the workable solution with exchange 2013 to get recipient
verification working correctly with an antispam product.

The problem is when it is a single server with CAS and Mailbox
roles. To use correct verification you need to talk to the hub
transport receive connector (mailbox role) and this rejects the
address as per normal.

This is by default on port 2525, all you need to do is enable
anonymous access on the connector and open port 2525 to the antispam
IP.  Set your product to do recipient verification on port 2525 and
deliver to port 25 and it works perfectly.

Hopefully this information can help you guys out :) We do this with a
number of our exchange 2013 single server clients and it rejects
emails correctly.

Oh! Just make sure they do not create another hub transport connector.
If there is an additional one it will cause exchange transport to stop
receiving emails after a few hours.


RE: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2014-07-22 Thread Kevin Miller
Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and 
I have a script that will extract email addresses from ldap, but when looking 
at the virtualuser table it seems that it's used to map one address to another. 
 The script puts out addresses in the following format:
  some_u...@ci.juneau.ak.us OK
  su...@jnuairport.com OK
  some_u...@skijuneau.com OK

Easy enough to strip the "OK" out in a bash script to create the virtualuser 
table, but what does the virtualuser table actually look like?  The preamble in 
the file in /etc/mail shows:

# Examples:
#
#i...@foo.com   foo-info
#i...@bar.com   bar-info
#j...@bar.comerror:nouser No such user here
#j...@bar.comerror:D.S.N:unavailable Address invalid
#@baz.org   j...@example.net

That's clear enough, but I'm not mapping one address to another - I'm just 
wanting to validate the entries that are in there.  Do I just create a single 
column file with the output from my ldap query script and hash it?  And after 
that sendmail will reject anything not in there?  Do I have to tweak 
sendmail.mc beyond 
  FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl 
to achieve the desired behavior of rejecting unknown inbound emails?

I'm unclear on what "and combine them with a fixed file" means in Ted's 
comments below.  Pearls of wisdom greatly appreciated...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-Original Message-
From: Ted Mittelstaedt [mailto:t...@ipinc.net] 
Sent: Wednesday, October 16, 2013 9:52 AM
To: users@spamassassin.apache.org
Subject: Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word 
spam (continued))


Just be aware that Microsoft's "standard" is to use LDAP queries to the AD.  
Every major commercial antispam product does this and you will save yourself a 
lot of work later when MS changes the next version of Exchange to not support 
the 2525 hack (which they could easily do) if you do it that way.

This issue has been discussed to the death elsewhere but I guess for me I can't 
understand why I would have to -pay- for a milter like milter-ahead when on my 
prefilter Sendmail server I can simply once a day issue an ldapsearch to the 
domain controller the exchange server is in, then strip the results down to 
just the email addresses and combine them with a fixed file then replace the 
virtusertable.

I can run clamav, and spamassassin on the prefilter and I don't have to fool 
with the ldap routing in sendmail or worry about uncontrolled access to the AD 
server.

But I realize that's a "large company" approach to the problem, and many people 
still want a single-server solution.  Well wake up folks, Exchange is a "large 
company" product nowadays.
We still have a few customers on honeymoons with exchange 2010 all-in-ones but 
they have all been given notice that Microsoft has provided no future roadmap 
for this approach.  Go big or go elsewhere.

Ted

On 10/16/2013 10:27 AM, David F. Skoll wrote:
> On Wed, 16 Oct 2013 09:21:46 -0800
> Kevin Miller  wrote:
>
>> So if I'm reading this right, milters such as smf-sav or milter-ahead 
>> will no longer be of any use?
>
> You are reading it correctly.  On our anti-spam service, we require 
> some sort of recipient validation so we don't go insane scanning 
> messages destined to nonexistent addresses.  SMTP call-ahead was the 
> easiest way to do this, but now our customers either have to let us 
> hook into their Active Directory or explicitly provide a list of valid 
> recipients.
>
> Someone did send me a hack for doing recipient verification on 
> Exchange 2013 which I include here for archiving purposes.  Please 
> note that I have not tested this.  I'm also not familiar with 
> Exchange, so some of the terminology means nothing to me...
>
> Regards,
>
> David.
>
> ==
> 
> From: Leon Black
> To: "i...@roaringpenguin.com" 
> Subject: Recipient Verification correction
> Date: Sat, 7 Sep 2013 03:59:27 +
>
> Hey Guys,
>
> Just saw your info on this page
> http://www.roaringpenguin.com/recipient-verification re Exchange 2013 
> recipient verification.
>
> I have found the workable solution with exchange 2013 to get recipient 
> verification working correctly with an antispam product.
>
> The problem is when it is a single server with CAS and Mailbox roles. 
> To use correct verification you need to talk to the hub transport 
> receive connector (mailbox role) and this rejects the address as

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2014-07-22 Thread Kevin A. McGrail

On 7/22/2014 3:54 PM, Kevin Miller wrote:

Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and 
I have a script that will extract email addresses from ldap, but when looking 
at the virtualuser table it seems that it's used to map one address to another. 
 The script puts out addresses in the following format:
   some_u...@ci.juneau.ak.us OK
   su...@jnuairport.com OK
   some_u...@skijuneau.com OK

Easy enough to strip the "OK" out in a bash script to create the virtualuser 
table, but what does the virtualuser table actually look like?  The preamble in the file 
in /etc/mail shows:


Why are you using virtusertable and not the access table?

regards,
KAM


RE: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2014-07-22 Thread Kevin Miller
At the moment I'm using spf-sav talking to Exchange 2007.  I mentioned 
virtualuser because that's what Ted said he was using to good effect.  I am 
using the access table as well, mostly to reject mail from specific places.  I 
guess catting the output of the ldap query onto the access table and hashing it 
once a night would be just as easy.  I'll give that a test.

Best...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-Original Message-
From: Kevin A. McGrail [mailto:kmcgr...@pccc.com] 
Sent: Tuesday, July 22, 2014 12:01 PM
To: Kevin Miller; users@spamassassin.apache.org
Subject: Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word 
spam (continued))

On 7/22/2014 3:54 PM, Kevin Miller wrote:
> Resurrecting an old thread here.  We're finally migrating to Exchange 2013, 
> and I have a script that will extract email addresses from ldap, but when 
> looking at the virtualuser table it seems that it's used to map one address 
> to another.  The script puts out addresses in the following format:
>some_u...@ci.juneau.ak.us OK
>su...@jnuairport.com OK
>some_u...@skijuneau.com OK
>
> Easy enough to strip the "OK" out in a bash script to create the virtualuser 
> table, but what does the virtualuser table actually look like?  The preamble 
> in the file in /etc/mail shows:

Why are you using virtusertable and not the access table?

regards,
KAM


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2014-07-22 Thread David F. Skoll
On Tue, 22 Jul 2014 13:30:13 -0800
Kevin Miller  wrote:

> I guess catting the output of the ldap
> query onto the access table and hash it once a night would be just as
> easy.  I'll give that test.

Another option, since you're running Sendmail, is to use a milter such
as MIMEDefang and do a real-time LDAP lookup for each RCPT command.
If the overhead is not too high, this is a nice solution because
any changes to Active Directory are immediately seen by Sendmail.

Regards,

David.


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread Ted Mittelstaedt


Just be aware that Microsoft's "standard" is to use LDAP queries to the
AD.  Every major commercial antispam product does this and you will
save yourself a lot of work later when MS changes the next version of
Exchange to not support the 2525 hack (which they could easily do)
if you do it that way.

This issue has been discussed to the death elsewhere but I guess for me
I can't understand why I would have to -pay- for a milter like 
milter-ahead when on my prefilter Sendmail server I can simply once a 
day issue an ldapsearch to the domain controller the exchange server is 
in, then strip the results down to just the email addresses and
combine them with a fixed file then replace the virtusertable.

I can run clamav, and spamassassin on the prefilter and I don't have
to fool with the ldap routing in sendmail or worry about uncontrolled
access to the AD server.

But I realize that's a "large company" approach to the problem, and
many people still want a single-server solution.  Well
wake up folks, Exchange is a "large company" product nowadays.
We still have a few customers on honeymoons with exchange 2010
all-in-ones but they have all been given notice that Microsoft
has provided no future roadmap for this approach.  Go big or go
elsewhere.

Ted

On 10/16/2013 10:27 AM, David F. Skoll wrote:

On Wed, 16 Oct 2013 09:21:46 -0800
Kevin Miller  wrote:


So if I'm reading this right, milters such as smf-sav or milter-ahead
will no longer be of any use?


You are reading it correctly.  On our anti-spam service, we require
some sort of recipient validation so we don't go insane scanning
messages destined to nonexistent addresses.  SMTP call-ahead was the easiest
way to do this, but now our customers either have to let us hook into their
Active Directory or explicitly provide a list of valid recipients.

Someone did send me a hack for doing recipient verification on
Exchange 2013 which I include here for archiving purposes.  Please
note that I have not tested this.  I'm also not familiar with Exchange,
so some of the terminology means nothing to me...

Regards,

David.

==
From: Leon Black
To: "i...@roaringpenguin.com" 
Subject: Recipient Verification correction
Date: Sat, 7 Sep 2013 03:59:27 +

Hey Guys,

Just saw your info on this page
http://www.roaringpenguin.com/recipient-verification re Exchange 2013
recipient verification.

I have found the workable solution with exchange 2013 to get recipient
verification working correctly with an antispam product.

The problem is when it is a single server with CAS and Mailbox
roles. To use correct verification you need to talk to the hub
transport receive connector (mailbox role) and this rejects the
address as per normal.

This is by default on port 2525, all you need to do is enable
anonymous access on the connector and open port 2525 to the antispam
IP.  Set your product to do recipient verification on port 2525 and
deliver to port 25 and it works perfectly.

Hopefully this information can help you guys out :) We do this with a
number of our exchange 2013 single server clients and it rejects
emails correctly.

Oh! Just make sure they do not create another hub transport connector.
If there is an additional one it will cause exchange transport to stop
receiving emails after a few hours.





Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread David F. Skoll
On Wed, 16 Oct 2013 10:52:08 -0700
Ted Mittelstaedt  wrote:

> Just be aware that Microsoft's "standard" is to use LDAP queries to
> the AD.

True, and we support that.  But not everyone wants to open up their LDAP
to the outside world, even to a few outside IPs.

Furthermore, if you use Office 365 (Microsoft's hosted Exchange
product) you're out of luck.  I don't believe they give you LDAP
access, at least not unless you're a very large company.

> Go big or go elsewhere.

I think this is a deliberate strategy on the part of Microsoft.  I think
they're making Exchange so complicated and such a PITA that people give
up and go to the cloud, ideally to Office 365.  For many small companies,
going to the cloud probably makes lots of sense, as long as they don't mind
paying extra and don't mind the NSA having access to their email. :)

Regards,

David.


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread Joe Acquisto-j4
>>> "David F. Skoll"  10/16/13 2:32 PM >>>
>. . . .as long as they don't mind
>paying extra and don't mind the NSA having access to their email. :)
>
>Regards,
>
>David.

Of course you mean "easier access"  . . . ?

joe a.




Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread Kevin A. McGrail

On 10/16/2013 2:27 PM, David F. Skoll wrote:
I think this is a deliberate strategy on the part of Microsoft. I 
think they're making Exchange so complicated and such a PITA that 
people give up and go to the cloud, ideally to Office 365. For many 
small companies, going to the cloud probably makes lots of sense, as 
long as they don't mind paying extra and don't mind the NSA having 
access to their email. :) Regards, David.


That is giant tin-hat foil worthy! LOL.  I also do not know why 
Microsoft makes it so difficult but it really started to become 
difficult a while ago.  Really long before their cloud initiative.


So in the beginning for our issue, our firm implemented something 
similar and it's documented at http://www.pccc.com/downloads/ldap/ 
thanks primarily to Brian Landers   and his 
work.  This is a nice solution that uses LDAP and queries it to build an 
access list with sendmail.


However, for our proprietary stuff, we had turned that concept on its 
head and used a program to push the data to the server (we call it 
Forward and Store Technology) and support sendmail and exchange. I'll 
see if I can share more about that.


Regards,
KAM




Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread David F. Skoll
On Wed, 16 Oct 2013 15:41:04 -0400
"Kevin A. McGrail"  wrote:

> So in the beginning for our issue, our firm implemented something 
> similar and it's documented at http://www.pccc.com/downloads/ldap/ 
> thanks primarily to Brian Landers   and his 
> work.  This is a nice solution that uses LDAP and queries it to build
> an access list with sendmail.

We use MIMEDefang and we make real-time LDAP calls in filter_recipient.
So when a modification to Active Directory is made, it's instant... no
need to wait for the data to be updated on the Sendmail server.

The downside is that you can get a *lot* of LDAP traffic if there's
a dictionary attack.

Regards,

David.


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread Kevin A. McGrail

On 10/16/2013 3:46 PM, David F. Skoll wrote:

On Wed, 16 Oct 2013 15:41:04 -0400
"Kevin A. McGrail"  wrote:


So in the beginning for our issue, our firm implemented something
similar and it's documented at http://www.pccc.com/downloads/ldap/
thanks primarily to Brian Landers   and his
work.  This is a nice solution that uses LDAP and queries it to build
an access list with sendmail.

We use MIMEDefang and we make real-time LDAP calls in filter_recipient.
So when a modification to Active Directory is made, it's instant... no
need to wait for the data to be updated on the Sendmail server.

The downside is that you can get a *lot* of LDAP traffic if there's
a dictionary attack.

We've done similar real time checks using Sendmail but seen this 
actually bring down Exchange Servers (more like bringing it to its 
knees from a resource perspective than actually crashing it) from the 
LDAP queries associated with these types of issues.  So I agree the 
instantaneous nature is nice but we switched to the store because the 
volume we could handle with Sendmail was so much higher than what was 
effectively halting Exchange Servers.


This was back in 2007 and revolved around small companies with one 
server so it was bringing down other operations as well.  We wrote about 
it a bit on this page 
https://raptor.pccc.com/raptor.cgim?template=raptorFAST (warning 
commercial site not affiliated with project though it's where I put a 
lot of stuff I'm working on.  I'll open a ticket to add as much as we 
can.  Anyway, please ignore if you aren't interested in my day job).


Regards,
KAM



Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

2013-10-16 Thread Jason Haar
On 17/10/13 09:03, Kevin A. McGrail wrote:
> We've done similar real time checks using Sendmail but seen this
> actually bring down Exchange Servers (more like bringing it to its
> knees from a resource perspective than actually crashing it) from the
> LDAP queries associated with these types of issues.  So I agree the
> instantaneous nature is nice but we switched to the store because the
> volume we could handle with Sendmail was so much higher than what was
> effectively halting Exchange Servers.
>

We saw the same thing, so we have hourly cronjobs dumping the email
addresses out of Active Directory and push the addresses to the edge
Unix mail relays. We find Active Directory LDAP too slow and too
unreliable to rely on for a realtime service. Internally, even our
Windows IT staff do something similar: batch jobs to dump data out via
LDAP so that their actual websites and/or applications can reference
LDAP data without having to talk to what Microsoft thinks passes for an
LDAP server (e.g. try to figure out all the groups a user is a member of, 
in a multi-forest AD spread across 5 continents - and do it in <1sec  -
go on, I dare ya ;-)




-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1