RE: PayPal spam filter?
I just had to weigh in here to say that we have DCC_CHECK scored up to a 4, and all of these kinds of spam messages get caught by that because they always hit at least another 1 point worth of rules. Also, those two rules require plugins, I believe.

-----Original Message-----
From: Juerg Reimann [mailto:j...@jworld.ch]
Sent: Wednesday, June 26, 2013 6:42 PM
To: users@spamassassin.apache.org
Cc: 'Benny Pedersen'
Subject: RE: PayPal spam filter?

Hi Benny

Thanks for your tip. Could you elaborate on this a bit? First of all, a rule with the name SPF_DID_NOT_PASS or DKIM_DID_NOT_PASS seems not to exist. How and where would I configure this?

Thanks,
Juerg

-----Original Message-----
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: Wednesday, June 12, 2013 9:38 PM
To: users@spamassassin.apache.org
Subject: Re: PayPal spam filter?

Juerg Reimann wrote on 2013-06-12 21:30:
> Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

meta SPF_DID_NOT_PASS (!SPF_PASS)

simple ? :=)

if paypal does use dkim then it could be checked with

meta DKIM_DID_NOT_PASS (!DKIM_VALID_AU)

phishing emails seldom pass on these 2 tests

--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, don't do it
RE: PayPal spam filter?
Hi Benny

Thanks for your tip. Could you elaborate on this a bit? First of all, a rule with the name SPF_DID_NOT_PASS or DKIM_DID_NOT_PASS seems not to exist. How and where would I configure this?

Thanks,
Juerg

-----Original Message-----
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: Wednesday, June 12, 2013 9:38 PM
To: users@spamassassin.apache.org
Subject: Re: PayPal spam filter?

Juerg Reimann wrote on 2013-06-12 21:30:
> Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

meta SPF_DID_NOT_PASS (!SPF_PASS)

simple ? :=)

if paypal does use dkim then it could be checked with

meta DKIM_DID_NOT_PASS (!DKIM_VALID_AU)

phishing emails seldom pass on these 2 tests

--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, don't do it
Re: PayPal spam filter?
On 17/06/13 16:14, Benny Pedersen wrote:
> Jason Haar wrote on 2013-06-17 00:48:
>> That's it - I'm removing SPF...
> hardfail is for mta, softfails is for spamassassin, if your mta accept hardfail spf, then you self ask for it

??

SA scores hardfails as 0.0 due to the high positive rate. Therefore blocking on SPF hardfails must lead to a high FP rate too? If your organization is willing to live with valid email being bounced, fine - but I'm going to listen to our SA overlords on this one...

(...or the SA score is incorrect of course. This thread is a bit of a challenge - here we have an example of SA saying one thing, and everyone else [well, 3 people ;)] saying block hardfails on the other. One must be right and the other wrong...?)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: PayPal spam filter?
On Mon, 17 Jun 2013 10:48:34 +1200
Jason Haar wrote:

> Just a FYI but SA scores failures of ~all much stronger than it does for -all

They all score under one point.

> http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html
>
> That's it - I'm removing SPF...

The chief reason for running SPF is authenticated whitelisting.
Re: PayPal spam filter?
On Mon, 2013-06-17 at 18:51 +1200, Jason Haar wrote:
> On 17/06/13 16:14, Benny Pedersen wrote:
>> Jason Haar wrote on 2013-06-17 00:48:
>>> That's it - I'm removing SPF...
>> hardfail is for mta, softfails is for spamassassin, if your mta accept hardfail spf, then you self ask for it
>
> ??
>
> SA scores hardfails as 0.0 due to the high positive rate. Therefore blocking on SPF hardfails must lead to a high FP rate too? If your organization is willing to live with valid email being bounced, fine - but I'm going to listen to our SA overlords on this one...

My understanding is that the score SA assigns to SPF is irrelevant. SPF's purpose is to prevent backscatter. It does that by giving any site that receives an undeliverable message the means to recognise the forgery: if the sending IP is outside the range published in an '-all' SPF record it's definitely a forgery, and if it's in an '~all' SPF record it might be forged. It's pointless to send a rejection message if the undeliverable message has a forged sender, so most sites don't do that. As a result, you don't get backscatter if a spammer is forging your address as the sender of his spam.

SPF isn't, and never was AFAIK, a useful way to recognise spam that is sent directly to you.

At least, that is the basis for my use of SPF. I've got almost no backscatter since I set up an SPF record. If it happens to add a small amount to a spam score that's a bonus, but I don't in any way rely on it to flag up spam.

Martin

> (...or the SA score is incorrect of course. This thread is a bit of a challenge - here we have an example of SA saying one thing, and everyone else [well, 3 people ;)] saying block hardfails on the other. One must be right and the other wrong...?)
Re: PayPal spam filter?
Just a FYI but SA scores failures of ~all much stronger than it does for -all

eg I just deliberately forged an email for my own domain and SA picked up the SPF hard failure and added 0.0 to the final score :-(

The logic of the score is well documented, just shows how much SPF doesn't work

http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html

That's it - I'm removing SPF...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: PayPal spam filter?
On 06/16/2013 06:48 PM, Jason Haar wrote:
> Just a FYI but SA scores failures of ~all much stronger than it does for -all
>
> eg I just deliberately forged an email for my own domain and SA picked up the SPF hard failure and added 0.0 to the final score :-(
>
> The logic of the score is well documented, just shows how much SPF doesn't work
>
> http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html

The reasoning is sound. Softfail has a better ham/spam ratio than hardfail.

Which is beside the point -- SPF is not a spam filtering mechanism. It prevents HELO/MAIL FROM forgery. If you don't want to accept forgeries (this is independent of what you want to do with spam), reject the hardfails.
Re: PayPal spam filter?
Jason Haar wrote on 2013-06-17 00:48:
> That's it - I'm removing SPF...

hardfail is for mta, softfails is for spamassassin, if your mta accept hardfail spf, then you self ask for it

--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, don't do it
Re: PayPal spam filter?
On Fri, 14 Jun 2013 12:38:47 +1200
Jason Haar wrote:

> On 14/06/13 07:08, Neil Schwartzman wrote:
>> Sure is. Also DMARCed and SPFed too.
>>
>> ;; QUESTION SECTION:
>> ;paypal.com.			IN	TXT
>>
>> ;; ANSWER SECTION:
>> paypal.com.		7	IN	TXT	"v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"
>
> Yeah but notice ~all is not -all. ie they are saying that legitimate Paypal email comes from those specific sources - except when it doesn't

It's possible that the domains are also used for the mail of paypal employees.

> I don't understand why ~all exists at all. It's like a checkbox security feature: oh yeah, our domain uses SPF!

IIRC the original intention was that - would be used for outright rejection, and ~ as information for spam filters.
Re: PayPal spam filter?
On Wed, 12 Jun 2013 15:26:29 -0500 (CDT)
David B Funk wrote:

> However this will not hit all the human engineered variants which try to fool people into thinking that they're PayPal (EG: PayPaI) or which have PayPal in the comment field part of the address/URL but have a completely different actual target host.

And you need to be a little careful about hitting addresses created to use with paypal that contain paypal. OTOH I think it would be unlikely for paypal to be in the name part of the header without it being either from paypal or spam.

Perhaps something like:

header __PAYPAL_IN_FROMNAME From:name =~ /paypal/i
header __ADDRESS_IN_FROMNAME From:name =~ /\@/
header __FUZZY_PAYPAL_FROM From:addr =~ /(?!paypal)p[ao]yp[ao][il1]/i
meta FAKE_PAYPAL !USER_IN_DEF_DKIM_WL && ( __FUZZY_PAYPAL_FROM || __PAYPAL_IN_FROMNAME && !__ADDRESS_IN_FROMNAME )
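An added Python rendering of the rules in the post above (not from the thread or from SpamAssassin itself), so the From-header logic can be tried against constructed headers before committing it to a rules file. It assumes email.utils.parseaddr splits the display name and address the way SpamAssassin's From:name and From:addr do, and takes the USER_IN_DEF_DKIM_WL result as a plain flag.

```python
import re
from email.utils import parseaddr

# Same patterns as the header rules in the post. Assumption: parseaddr()
# yields the same name/address split as SA's From:name and From:addr.
PAYPAL_IN_FROMNAME = re.compile(r"paypal", re.I)
ADDRESS_IN_FROMNAME = re.compile(r"@")
# The negative lookahead rejects the correctly spelled brand, so only
# look-alikes (paypai, poypal, paypa1, ...) match.
FUZZY_PAYPAL_FROM = re.compile(r"(?!paypal)p[ao]yp[ao][il1]", re.I)


def fake_paypal(from_header: str, user_in_def_dkim_wl: bool) -> bool:
    """Evaluate the FAKE_PAYPAL meta rule for one From: header value.

    user_in_def_dkim_wl stands in for SpamAssassin's USER_IN_DEF_DKIM_WL
    result (valid DKIM signature from a default-whitelisted domain).
    """
    name, addr = parseaddr(from_header)
    if user_in_def_dkim_wl:                      # !USER_IN_DEF_DKIM_WL
        return False
    fuzzy = FUZZY_PAYPAL_FROM.search(addr) is not None
    brand_in_name = (PAYPAL_IN_FROMNAME.search(name) is not None
                     and ADDRESS_IN_FROMNAME.search(name) is None)
    return fuzzy or brand_in_name


# Constructed sample headers (not real messages), each paired with the
# DKIM-whitelist result the rule would see for it.
SAMPLES = [
    ('"PayPal" <service@paypal.com>', True),           # genuine, DKIM-whitelisted
    ('"PayPal" <service@paypal.com>', False),          # brand name, no DKIM proof
    ('"PayPaI Security" <alerts@paypai.com>', False),  # capital-I look-alike
    ('"Invoice" <billing@secure-poypal.net>', False),  # typo-squat in address
    ('"bob+paypal@example.org" <bob+paypal@example.org>', False),  # user's own tag
]


def evaluate_samples():
    """Return [(header, flagged)] for the constructed samples."""
    return [(hdr, fake_paypal(hdr, wl)) for hdr, wl in SAMPLES]


if __name__ == "__main__":
    for header, flagged in evaluate_samples():
        print(f"{'FAKE_PAYPAL' if flagged else 'clean      '}  {header}")
```

The last sample shows the point of __ADDRESS_IN_FROMNAME: a tagged address of the user's own that contains "paypal" is left alone because the name part is itself an address.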
Re: PayPal spam filter?
On Jun 12, 2013, at 3:37 PM, Daniel McDonald dan.mcdon...@austinenergy.com wrote:
> I believe Paypal is DKIM signed,

Sure is. Also DMARCed and SPFed too.

;; QUESTION SECTION:
;paypal.com.			IN	TXT

;; ANSWER SECTION:
paypal.com.		7	IN	TXT	"v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"

; <<>> DiG 9.8.3-P1 <<>> _adsp._domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_adsp._domainkey.paypal.com.	IN	A

;; AUTHORITY SECTION:
paypal.com.		60	IN	SOA	ppns1.phx.paypal.com. hostmaster.paypal.com. 2010186301 7200 900 86400 60

;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 13 15:05:47 2013
;; MSG SIZE  rcvd: 102

localhost:durbl spamfighter$ dig _domainkey.paypal.com

; <<>> DiG 9.8.3-P1 <<>> _domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1064
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_domainkey.paypal.com.		IN	A

;; AUTHORITY SECTION:
paypal.com.		60	IN	SOA	ppns1.phx.paypal.com. hostmaster.paypal.com. 2010186301 7200 900 86400 60

;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 13 15:06:27 2013
;; MSG SIZE  rcvd: 96
Re: PayPal spam filter?
On 14/06/13 07:08, Neil Schwartzman wrote:
> Sure is. Also DMARCed and SPFed too.
>
> ;; QUESTION SECTION:
> ;paypal.com.			IN	TXT
>
> ;; ANSWER SECTION:
> paypal.com.		7	IN	TXT	"v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"

Yeah but notice ~all is not -all. ie they are saying that legitimate Paypal email comes from those specific sources - except when it doesn't

I don't understand why ~all exists at all. It's like a checkbox security feature: oh yeah, our domain uses SPF!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: PayPal spam filter?
Jason Haar wrote on 2013-06-14 02:38:
> Yeah but notice ~all is not -all. ie they are saying that legitimate Paypal email comes from those specific sources - except when it doesn't

if it's pass then it's paypal, if it's softfail then we are unsure is what it means

> I don't understand why ~all exists at all. It's like a checkbox security feature: oh yeah, our domain uses SPF!

is gmail.com better ?, neutral, but spammers here can't send anyway since i use pypolicyd-spf with reject non spf pass domains, remember spf is policy on sender, it does not mean you may accept their policy

paypal is #1 phished domain on phishtank, paypal does not care about it :(

example i have is that they use other domain to track their news mails, and the link is to a https page, browsers does always say paypal i need to pay attention

--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, don't do it
PayPal spam filter?
Hi there,

Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

Thanks,
Juerg
Re: PayPal spam filter?
Juerg Reimann wrote on 2013-06-12 21:30:
> Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

meta SPF_DID_NOT_PASS (!SPF_PASS)

simple ? :=)

if paypal does use dkim then it could be checked with

meta DKIM_DID_NOT_PASS (!DKIM_VALID_AU)

phishing emails seldom pass on these 2 tests

--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, don't do it
Re: PayPal spam filter?
On 6/12/13 2:30 PM, Juerg Reimann j...@jworld.ch wrote:
> Hi there,
>
> Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

I believe Paypal is DKIM signed, so it shouldn't be hard to modify these rules for PayPal:

header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR

header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i

meta L_UNVERIFIED_YAHOO !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5

meta L_UNVERIFIED_GMAIL !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: PayPal spam filter?
On Wed, 12 Jun 2013, Daniel McDonald wrote:

> On 6/12/13 2:30 PM, Juerg Reimann j...@jworld.ch wrote:
>> Hi there,
>>
>> Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?
>
> I believe Paypal is DKIM signed, so it shouldn't be hard to modify these rules for PayPal:
>
> header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
> header __L_ML2 exists:List-Id
> header __L_ML3 exists:List-Post
> header __L_ML4 exists:Mailing-List
> header __L_HAS_SNDR exists:Sender
> meta __L_VIA_ML __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
>
> header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
> header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
> header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
> header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
> meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
> header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
>
> meta L_UNVERIFIED_YAHOO !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
> priority L_UNVERIFIED_YAHOO 500
> score L_UNVERIFIED_YAHOO 2.5
>
> meta L_UNVERIFIED_GMAIL !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
> priority L_UNVERIFIED_GMAIL 500
> score L_UNVERIFIED_GMAIL 2.5

However this will not hit all the human engineered variants which try to fool people into thinking that they're PayPal (EG: PayPaI) or which have PayPal in the comment field part of the address/URL but have a completely different actual target host.

You could create rules to try to spot all those variants but it's a catchup game.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: PayPal spam filter?
David B Funk wrote on 2013-06-12 22:26:
> You could create rules to try to spot all those variants but it's a catchup game.

it's more easy in clamav, but i have seen paypal emails originate from paypal ip, but contains their so called analyzing urls, only test that works is if there is https and http links, then it's a phish

i have seen many phishmails that do this with anchor urls that is https, but the url is just http or even a ip, ssl can't be good on ip hosts

--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, don't do it
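An added example, not from the thread, of the check Benny describes: walk the anchors in an HTML body and report those whose visible text is an https URL while the real href is plain http or points at a bare IP literal (which cannot carry a valid certificate for a brand hostname). It uses Python's html.parser and a constructed phishing-style body.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_ip(host):
    """True when the URL host is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def mismatched_links(html):
    """(shown, real) pairs where the anchor text claims https but the href
    is plain http or targets an IP literal."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not text.lower().startswith("https://"):
            continue  # label is not an https URL, nothing to compare
        real = urlparse(href)
        if real.scheme.lower() == "http" or host_is_ip(real.hostname or ""):
            hits.append((text, href))
    return hits


# Constructed phishing-style body (not a real message): two deceptive
# anchors, one honest one, and a plain-text link label.
SAMPLE_BODY = """<p>Your account has been limited.</p>
<a href="http://203.0.113.10/pp/login">https://www.paypal.com/signin</a>
<a href="https://198.51.100.5/x">https://www.paypal.com/x</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
<a href="http://track.example.net/r?x=1">Unsubscribe</a>"""
```

Run mismatched_links(SAMPLE_BODY) to get the two deceptive anchors; the honest help link and the non-URL "Unsubscribe" label are ignored.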
Re: PayPal spam filter?
On Wed, 2013-06-12 at 21:30 +0200, Juerg Reimann wrote:
> Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

I was going to suggest that you could treat anything whose Message-ID doesn't end with 'paypal.com' as spam, but it's a bit more complex than that:

- if Paypal has an office in the same country as an account holder, the message seems to originate there. A genuine message I examined says it's from e.paypal.co.uk and has URIs containing emea.e.paypal.com

- the message-id contains @e-dialog.com but it's immediately followed by an X-mail-from header containing @emea.e.paypal.com

- OTOH all the images and links in the message body are encrypted links to URIs that are recognisably in the PayPal domain.

It might be safe to treat it as ham if all the From and Reply-to headers have the same domain name which contains 'paypal', the message-ID ends in '@e-dialog.com' and the X-mail-to X-match headers end in 'paypal.com' and finally all the URIs in the body contain the same paypal-specific partial URI, but it's your call.

HTH

Martin