Problem with Spam E-Mails with just an URL
Hi!

For some days now I have been receiving a huge number of E-Mails like this:

Hey!
http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344opjrep=9504

Of course, it's not enough for a Bayesian test. The report is just:

 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 *      ([at]gmx.net)
 * -0.0 SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
 *  1.2 RDNS_NONE Delivered to internal network by a host with no rDNS

Could someone help me to write a rule to block these E-Mails?

Thanks a lot
Luca Bertoncello
(lucab...@lucabert.de)
Re: Problem with Spam E-Mails with just an URL
On 05/11/2014 11:11 AM, Luca Bertoncello wrote:
> Hi!
>
> For some days now I have been receiving a huge number of E-Mails like this:
>
> Hey!
> http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344opjrep=9504
>
> Of course, it's not enough for a Bayesian test. The report is just:
>
>  *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
>  *      ([at]gmx.net)
>  * -0.0 SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
>  *  1.2 RDNS_NONE Delivered to internal network by a host with no rDNS
>
> Could someone help me to write a rule to block these E-Mails?

Your "like this" isn't very helpful - suggest you put a sample on pastebin.
Re: Problem with Spam E-Mails with just an URL
Axb axb.li...@gmail.com wrote:
> On 05/11/2014 11:11 AM, Luca Bertoncello wrote:
>> Hi!
>>
>> For some days now I have been receiving a huge number of E-Mails like this:
>>
>> Hey!
>> http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344opjrep=9504
>>
>> Of course, it's not enough for a Bayesian test. The report is just:
>>
>>  *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
>>  *      ([at]gmx.net)
>>  * -0.0 SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
>>  *  1.2 RDNS_NONE Delivered to internal network by a host with no rDNS
>>
>> Could someone help me to write a rule to block these E-Mails?
>
> Your "like this" isn't very helpful - suggest you put a sample on pastebin.

In the E-Mail there was nothing other than that...

Regards
Luca Bertoncello
(lucab...@lucabert.de)
Re: Problem with Spam E-Mails with just an URL
Luca Bertoncello wrote on 2014-05-11 11:11:

> http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344opjrep=9504

> Could someone help me to write a rule to block these E-Mails?

sure:

meta SPF_FREEMAIL_RDNS (FREEMAIL_FROM && SPF_PASS && RDNS_NONE)

score it so it gets over 5, but under 10, and lastly train it with sa-learn --spam for all those spamming emails

or another variant:

meta SPF_NOT_WHITELISTED_RDNS (!USER_IN_SPF_WHITELIST && RDNS_NONE)

spammers can sure get SPF pass, but you still need to whitelist them yourself if they do not spam. Rules here are untested, but I think you can use them to build on.
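Benny's first meta rule written out as a complete local ruleset, added here as an example and not the list's own tested configuration; the score values, the uri rule for the redirector pattern, and the file path are assumptions to build on:

```conf
# Added example: local SpamAssassin rules built on the thread's suggestions.
# Put this in /etc/mail/spamassassin/local.cf (assumed path) or any *.cf file
# in that directory, then run `spamassassin --lint` before restarting spamd.

# 1. Meta rule: freemail sender + SPF pass + no reverse DNS, all at once.
#    Each component is a stock SA rule; the meta only hits when all three do.
meta     SPF_FREEMAIL_RDNS   (FREEMAIL_FROM && SPF_PASS && RDNS_NONE)
describe SPF_FREEMAIL_RDNS   Freemail sender with SPF pass from a host without rDNS
# Score is an assumption: together with RDNS_NONE's own 1.2 it crosses the
# default 5.0 threshold (5.7) but stays well under 10, as Benny suggests.
score    SPF_FREEMAIL_RDNS   4.5

# 2. URI rule for the redirector seen in the sample:
#    .../search_bing.html?<random letters>=<digits>
#    The hostname is deliberately not matched, so the rule keeps working
#    when the same redirector script shows up on another domain.
uri      LOCAL_BING_REDIRECT /\/search_bing\.html\?[a-z]+=\d+/i
describe LOCAL_BING_REDIRECT Search-engine redirector URL as used in the "Hey!" spam
score    LOCAL_BING_REDIRECT 3.0

# 3. Stack: the redirector link from a freemail address is exactly the
#    pattern in the thread, so add a little more only for that combination.
meta     LOCAL_HEY_REDIRECT  (LOCAL_BING_REDIRECT && FREEMAIL_FROM)
describe LOCAL_HEY_REDIRECT  Redirector-only mail from a freemail sender
score    LOCAL_HEY_REDIRECT  2.0

# Afterwards keep feeding Bayes, as the thread says:
#   sa-learn --spam /path/to/these/messages      (path is an assumption)
```

Check a captured message with `spamassassin -t < sample.eml` and confirm the new rule names show up in the X-Spam-Status tests list before relying on the scores.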
Re: Problem with Spam E-Mails with just an URL
Axb wrote on 2014-05-11 11:47:

> http://taxi-gruz.nichost.ru/search_bing.html?

bing search, bingo

> Your "like this" isn't very helpful - suggest you put a sample on pastebin

url redirector
Re: Problem with Spam E-Mails with just an URL
Luca Bertoncello wrote on 2014-05-11 15:51:

> http://taxi-gruz.nichost.ru

> In the E-Mail there was nothing other than that...

add that host to /etc/hosts so it resolves to 127.0.0.1, or even better make a clamav signature for this host, or add it to squidguard; solutions come from beating the tree :)

/etc/hosts is for when one is using dnsmasq; if using bind9 rpz it's more simple

only spammers use redirectors
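The bind9 RPZ variant Benny mentions, as an added example rather than the list's own configuration; the zone name, file path and serial are assumptions, the sinkholed host is the one from the thread:

```conf
# Added example: BIND 9 response policy zone that sinkholes the redirector
# host for every client of this resolver, replacing the per-machine
# /etc/hosts entry. Zone name and file path are assumptions.

# --- named.conf (inside the options block) ---
options {
    # Policy zones are consulted before the normal answer is returned.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   # assumed path
    allow-query { none; };           # policy data is never served to clients
};

# --- /etc/bind/db.rpz.local (zone files use ';' for comments) ---
$TTL 300
@                         IN SOA   localhost. root.localhost. (
                                   2014051101 3600 900 604800 300 )
                          IN NS    localhost.

; Same effect as the /etc/hosts line: the host resolves to 127.0.0.1.
taxi-gruz.nichost.ru      IN A     127.0.0.1
*.taxi-gruz.nichost.ru    IN A     127.0.0.1

; Alternative: answer NXDOMAIN instead of a loopback address by pointing
; the name at the root ("CNAME .").
; taxi-gruz.nichost.ru    IN CNAME .
```

Verify with `named-checkzone rpz.local /etc/bind/db.rpz.local`, reload, and `dig @127.0.0.1 taxi-gruz.nichost.ru` should now return the sinkhole answer.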
Re: Problem with Spam E-Mails with just an URL
On Sun, 2014-05-11 at 11:11 +0200, Luca Bertoncello wrote:
> Of course, it's not enough for a Bayesian test. The report is just:
>
>  *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
>  * -0.0 SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
>  *  1.2 RDNS_NONE Delivered to internal network by a host with no rDNS

No matter how short a mail is, that is NOT the reason for no Bayes. SA does use its Bayesian classifier on any mail regardless of length. Even a short body text is sufficient. Plus, Bayes actually uses a lot more sources than the plain body -- user visible headers, as well as commonly invisible headers.

That snippet shows absolutely no BAYES_* rule hit. Which suggests it is either disabled, or not (yet) functional due to insufficient training.

> Could someone help me to write a rule to block these E-Mails?

SA does not block...

As for help with rules, also see the other sub-thread. We need a full sample -- including the X-Spam headers.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Problem with Spam E-Mails with just an URL
On Sun, 2014-05-11 at 15:51 +0200, Luca Bertoncello wrote:
> Axb axb.li...@gmail.com wrote:
>> Your "like this" isn't very helpful - suggest you put a sample on pastebin.
>
> In the E-Mail there was nothing other than that...

There are a lot of mail headers with potentially important information. And there might be MIME parts not obviously visible.

"Provide a sample on pastebin" implies providing a RAW sample, including full headers and MIME structure.