Problem with Spam E-Mails with just an URL

2014-05-11 Thread Luca Bertoncello
Hi!

Since some days I receive a huge amount of E-Mail like this:

Hey!
http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344&opjrep=9504

Of course, it's not enough for a Bayesian test.
The report is just:

* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider ([at]gmx.net)
* -0.0 SPF_PASS SPF: sender matches SPF record
* 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS

Could someone help me to write a rule to block these E-Mails?

Thanks a lot
Luca Bertoncello
(lucab...@lucabert.de)


Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Axb

On 05/11/2014 11:11 AM, Luca Bertoncello wrote:

> Hi!
>
> Since some days I receive a huge amount of E-Mail like this:
>
> Hey!
> http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344&opjrep=9504
>
> Of course, it's not enough for a Bayesian test.
> The report is just:
>
> * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider ([at]gmx.net)
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS
>
> Could someone help me to write a rule to block these E-Mails?

your "like this" isn't very helpful - suggest you put a sample on pastebin



Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Luca Bertoncello
Axb axb.li...@gmail.com wrote:

> On 05/11/2014 11:11 AM, Luca Bertoncello wrote:
> > Hi!
> >
> > Since some days I receive a huge amount of E-Mail like this:
> >
> > Hey!
> > http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344&opjrep=9504
> >
> > Of course, it's not enough for a Bayesian test.
> > The report is just:
> >
> > * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider ([at]gmx.net)
> > * -0.0 SPF_PASS SPF: sender matches SPF record
> > * 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS
> >
> > Could someone help me to write a rule to block these E-Mails?
>
> your "like this" isn't very helpful - suggest you put a sample on pastebin

In the E-Mail there was nothing other than that...

Regards
Luca Bertoncello
(lucab...@lucabert.de)


Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Benny Pedersen

Luca Bertoncello wrote on 2014-05-11 11:11:

> http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344&opjrep=9504
> Could someone help me to write a rule to block these E-Mails?

sure:

meta SPF_FREEMAIL_RDNS (FREEMAIL_FROM && SPF_PASS && RDNS_NONE)

score it so it gets over 5, but under 10

and lastly train it with sa-learn --spam for all those spamming emails

or another variant:

meta SPF_NOT_WHITELISTED_RDNS (!USER_IN_SPF_WHITELIST && RDNS_NONE)

spammers can sure get spf pass, but you still need to whitelist them yourself if
they do not spam; rules here are untested, but i think you can use them to
build on
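The two meta rules above, written out as a complete local.cf fragment together with uri rules for the redirector link from the sample. This is an added example, not code from the thread or from the SpamAssassin project; the LOCAL_* rule names, the scores and the whitelist address are assumptions, while the host and the search_bing.html path are taken from the quoted spam. The uri rules are what actually catch a one-line body: SpamAssassin tests them against every URI it extracts, so the message needs no other text.

```conf
# local.cf fragment (added example, not from the thread). Rule names, scores and
# the whitelist address are assumptions; host and path come from the sample above.

# 1. The first meta rule. Meta rules need explicit && / || / ! operators.
meta     LOCAL_FREEMAIL_SPF_RDNS   (FREEMAIL_FROM && SPF_PASS && RDNS_NONE)
describe LOCAL_FREEMAIL_SPF_RDNS   Freemail sender, SPF pass, delivering host has no rDNS
score    LOCAL_FREEMAIL_SPF_RDNS   2.0

# 2. Match the redirector link itself. uri rules run against each URI found in
#    the body, so a body that is nothing but the link still hits.
uri      LOCAL_URI_SEARCH_BING_REDIR   /^https?:\/\/[^\/]+\/search_bing\.html\?/i
describe LOCAL_URI_SEARCH_BING_REDIR   Link to a search_bing.html redirector page
score    LOCAL_URI_SEARCH_BING_REDIR   3.0

uri      LOCAL_URI_TAXI_GRUZ   /^https?:\/\/taxi-gruz\.nichost\.ru\//i
describe LOCAL_URI_TAXI_GRUZ   Link to the host seen in this spam run
score    LOCAL_URI_TAXI_GRUZ   3.0

# 3. Combine link and header pattern: this is the exact shape of the sample.
meta     LOCAL_SEARCH_BING_SPAM   (LOCAL_URI_SEARCH_BING_REDIR && LOCAL_FREEMAIL_SPF_RDNS)
describe LOCAL_SEARCH_BING_SPAM   search_bing redirector from freemail sender without rDNS
score    LOCAL_SEARCH_BING_SPAM   3.0

# 4. The second variant. USER_IN_SPF_WHITELIST only fires for senders listed
#    with whitelist_from_spf; the address below is a placeholder.
whitelist_from_spf   friend@example.com
meta     LOCAL_SPF_NOT_WHITELISTED_RDNS   (!USER_IN_SPF_WHITELIST && RDNS_NONE)
describe LOCAL_SPF_NOT_WHITELISTED_RDNS   Not SPF-whitelisted and delivering host has no rDNS
score    LOCAL_SPF_NOT_WHITELISTED_RDNS   1.0
```

Check the syntax with `spamassassin --lint` before restarting spamd, then run `spamassassin -t < sample.eml` on a raw copy of one of the spams and confirm the LOCAL_* rules appear in the report. The header-only meta (rule 1) also matches legitimate freemail users whose provider delivers from a host without rDNS, so its score is kept well under the 5.0 threshold on its own; the uri rules carry most of the weight, and the combined meta only adds to it when both patterns are present.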


Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Benny Pedersen

Axb wrote on 2014-05-11 11:47:

> > http://taxi-gruz.nichost.ru/search_bing.html?

bing search, bingo

> your "like this" isn't very helpful - suggest you put a sample on
> pastebin

url redirector


Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Benny Pedersen

Luca Bertoncello wrote on 2014-05-11 15:51:

> http://taxi-gruz.nichost.ru

> In the E-Mail there was nothing other than that...

add that host to /etc/hosts so it resolves to 127.0.0.1 or even better
make a clamav signature for this host, or add it to squidguard,
solutions come from beating the tree :)

/etc/hosts is for when one is using dnsmasq; if using bind9 rpz it's more simple

only spammers use redirectors


Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Karsten Bräckelmann
On Sun, 2014-05-11 at 11:11 +0200, Luca Bertoncello wrote:
> Of course, it's not enough for a Bayesian test.
> The report is just:
>
> *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
> * -0.0 SPF_PASS SPF: sender matches SPF record
> *  1.2 RDNS_NONE Delivered to internal network by a host with no rDNS

No matter how short a mail is, that is NOT the reason for no Bayes. SA
does use its Bayesian classifier on any mail regardless of length. Even
a short body text is sufficient. Plus, Bayes actually uses a lot more
sources than the plain body -- user visible headers, as well as commonly
invisible headers.

That snippet shows absolutely no BAYES_* rule hit. Which suggests it is
either disabled, or not (yet) functional due to insufficient training.


> Could someone help me to write a rule to block these E-Mails?

SA does not block...

As for help with rules, also see the other sub-thread. We need a full
sample -- including the X-Spam headers.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Problem with Spam E-Mails with just an URL

2014-05-11 Thread Karsten Bräckelmann
On Sun, 2014-05-11 at 15:51 +0200, Luca Bertoncello wrote:
> Axb axb.li...@gmail.com wrote:
>
> > your "like this" isn't very helpful - suggest you put a sample on pastebin
>
> In the E-Mail there was nothing other than that...

There are a lot of mail headers with potentially important information.
And there might be MIME parts not obviously visible.

"Provide a sample on pastebin" implies providing a RAW sample, including
full headers and MIME structure.

