Re: Help with constructing a rule for MCP

2011-11-21 Thread Bowie Bailey
On 11/21/2011 11:35 AM, John Hardin wrote:
> On Mon, 21 Nov 2011, Bowie Bailey wrote:
>
>> On 11/20/2011 10:02 PM, Sergio wrote:
>>> header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
>>> header   __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i
>> These will match any domain that starts with "dh" and ends with ".com".
> You overlooked the "l".

Hmm...  Guess I did...

>
>> For example, they will match "someu...@dhalailama.com".  Is this
>> expected?
> It won't.
>
>> If you just want to match a single character, then get rid of
>> the +.
> It's to match "-usa" or other dhl domain name variants. The line wrap in 
> email makes that look like a single character RE. The actual RE I 
> suggested is:
>
>   /envelope-from [^ @]+@dhl[^ .]+\.com/i

The line wrap wasn't an issue.  I just didn't see the "l".  And with
this font, I think I see why I didn't see it the first time.  It blends
in with the square bracket.

> It also won't match "dhl.com". My bad. As I said, it was off the top of my 
> head.
>
> These might be better:
>
>   /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
>
>   /\bdhl(?:[-_][^ .]+)?\.com/i

Do the "@" characters need to be escaped?  In a normal Perl RE they
would, but I'm not sure if SA is treating them any differently since it
is reading them in from a config file.

-- 
Bowie


Re: Help with constructing a rule for MCP

2011-11-21 Thread John Hardin

On Mon, 21 Nov 2011, Bowie Bailey wrote:

> On 11/20/2011 10:02 PM, Sergio wrote:
>
>> header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
>> header   __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i
>
> These will match any domain that starts with "dh" and ends with ".com".

You overlooked the "l".

> For example, they will match "someu...@dhalailama.com".  Is this
> expected?

It won't.

> If you just want to match a single character, then get rid of
> the +.

It's to match "-usa" or other dhl domain name variants. The line wrap in 
email makes that look like a single character RE. The actual RE I 
suggested is:

  /envelope-from [^ @]+@dhl[^ .]+\.com/i

It also won't match "dhl.com". My bad. As I said, it was off the top of my 
head.

These might be better:

  /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i

  /\bdhl(?:[-_][^ .]+)?\.com/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.  -- Tam
---
 348 days since the first successful private orbital launch (SpaceX)


Re: Help with constructing a rule for MCP

2011-11-21 Thread Bowie Bailey
On 11/20/2011 10:02 PM, Sergio wrote:
>
> header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
> header   __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i

These will match any domain that starts with "dh" and ends with ".com". 
For example, they will match "someu...@dhalailama.com".  Is this
expected?  If you just want to match a single character, then get rid of
the +.

header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]\.com/i
header   __FROM_DHL      From =~ /\bdhl[^ .]\.com/i

-- 
Bowie


Re: Help with constructing a rule for MCP

2011-11-20 Thread Sergio
Thank you John,
it was a typo in my email; on my server I wrote the score name the same as
the meta name. The rule on my server is:

header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header   __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i
header   __ENV_FROM_UPS  Received =~ /envelope-from [^ @]+@ups\.com/i
header   __FROM_UPS      From =~ /\bups\.com/i
meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH  Correo con virus DHL-USA o UPS
score    DHL_UPS_MISMATCH  11

Regards,

Sergio


On Sun, Nov 20, 2011 at 11:33 AM, John Hardin  wrote:

> On Sat, 19 Nov 2011, Sergio wrote:
>
>> meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
>> score    VIRUS_DHLTOTAL    11
>>
>
> Fix the name on the score.
>


Re: Help with constructing a rule for MCP

2011-11-20 Thread John Hardin

On Sat, 19 Nov 2011, Sergio wrote:

> meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> score    VIRUS_DHLTOTAL    11

Fix the name on the score.



Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
John,
thanks a lot for your suggestions, I will apply them in my rule. Thanks!

Just a little bit more information about these emails; here is another
header where I got the CommuniGate Pro SMTP 5.2.3:

***
Received: from [81.145.136.213] (helo=dhl-usa.com)
 by MY SERVER IP with smtp (Exim 4.69)
 (envelope-from )
 id 1RQvs4-0006uH-Do
 for MY CUSTOMER EMAIL; Thu, 17 Nov 2011 00:54:54 -0600
Received: from [53.166.161.121] (account charlescv...@dhl-usa.com HELO
msrertiksp.dxnbmrblb.com)
 by (CommuniGate Pro SMTP 5.2.3)
 with ESMTPA id 144361206 for ; Thu, 17 Nov 2011
06:54:57 +
From: UPS Support 
To: 
Subject: UPS Delivery Notification TrackNum 73-2868202-M56DIEQ
Date: Thu, 17 Nov 2011 06:54:57 +
Message-ID: <0199874162.asz95ik6314...@wrfgijnsf.ozyaj.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_000E_01CCA4F5.D1299D90"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2741.2600
Importance: Normal
***

Right now I have set these two rules:

header   __VIRUS_DHL1  FROM =~ /\b(?:dhl-usa|ups)\.com/i
header   __VIRUS_DHL2  ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta     VIRUS_DHLTOTAL  (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL  Correo con virus de DHL-USA
score    VIRUS_DHLTOTAL  11

header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header   __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i
header   __ENV_FROM_UPS  Received =~ /envelope-from [^ @]+@ups\.com/i
header   __FROM_UPS      From =~ /\bups\.com/i
meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
score    VIRUS_DHLTOTAL    11

Once again, thank you for helping me.

Best Regards,

Sergio Cabrera


On Sat, Nov 19, 2011 at 1:27 PM, John Hardin  wrote:

> On Sat, 19 Nov 2011, Sergio wrote:
>
>> this is one header of the emails that I received:
>>
>> *
>> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
>>  by MY-SERVER with smtp (Exim 4.69)
>>  (envelope-from )
>>  id 1RQNQZ-0002Q1-QD
>>  for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
>> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
>>  by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
>>  (envelope-from )
>>  id 1MMQJ8-3051eb-TY
>>  for ; Tue, 15 Nov 2011 19:08:13 +0100
>> Message-ID: <1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com>
>> From: UPS Support 
>> To: 
>> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
>> Date: Tue, 15 Nov 2011 19:08:13 +0100
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="=_NextPart_000_0006_01CCA3C9.EBFEF390"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
>> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
>> *
>>
>
> Your rules:
>
>
>    header   __VIRUS_DHL1  FROM =~ /dhl-usa.com/i
>    header   __VIRUS_DHL2  ALL =~ /CommuniGate Pro SMTP 5.2.3/i
>
> __VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:
>
>    header   __VIRUS_DHL1  FROM =~ /\b(?:dhl-usa|ups)\.com/i
>
> No "CommuniGate Pro", so _that_ won't hit on this.
>
> I note that the envelope-from _is_ dhl-usa.com; Are DHL and UPS
> affiliated? If not, and if that appears regularly, then perhaps this (off
> the top of my head, untested) would help:
>
>  header  __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
>  header  __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i
>
>  header  __ENV_FROM_UPS  Received =~ /envelope-from [^ @]+@ups\.com/i
>  header  __FROM_UPS      From =~ /\bups\.com/i
>
>  meta    DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
>


Re: Help with constructing a rule for MCP

2011-11-19 Thread John Hardin

On Sat, 19 Nov 2011, Sergio wrote:

> this is one header of the emails that I received:
>
> ***
> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
>  by MY-SERVER with smtp (Exim 4.69)
>  (envelope-from )
>  id 1RQNQZ-0002Q1-QD
>  for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
>  by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
>  (envelope-from )
>  id 1MMQJ8-3051eb-TY
>  for ; Tue, 15 Nov 2011 19:08:13 +0100
> Message-ID: <1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com>
> From: UPS Support 
> To: 
> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
> Date: Tue, 15 Nov 2011 19:08:13 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="=_NextPart_000_0006_01CCA3C9.EBFEF390"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
> ***

Your rules:

  header   __VIRUS_DHL1  FROM =~ /dhl-usa.com/i
  header   __VIRUS_DHL2  ALL =~ /CommuniGate Pro SMTP 5.2.3/i

__VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:

  header   __VIRUS_DHL1  FROM =~ /\b(?:dhl-usa|ups)\.com/i

No "CommuniGate Pro", so _that_ won't hit on this.

I note that the envelope-from _is_ dhl-usa.com; are DHL and UPS 
affiliated? If not, and if that appears regularly, then perhaps this (off 
the top of my head, untested) would help:

  header  __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
  header  __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i

  header  __ENV_FROM_UPS  Received =~ /envelope-from [^ @]+@ups\.com/i
  header  __FROM_UPS      From =~ /\bups\.com/i

  meta    DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)

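The DHL/UPS mismatch meta rule suggested in this message, evaluated with the refined DHL patterns (`dhl(?:[-_][^ .]+)?\.com`) from the later follow-up, as an added example that is not code from the thread or from SpamAssassin itself: it unfolds a constructed header block, tries each sub-rule against every instance of its header the way SA does, and shows why the first DHL envelope pattern missed plain dhl.com. The header parser, the placeholder relay, addresses and queue id are assumptions.

```python
import re

# The thread's sub-rules, using John Hardin's refined DHL patterns: the optional
# "(?:[-_][^ .]+)?" group accepts dhl.com as well as dhl-usa.com. Note that "@"
# is an ordinary regex character and needs no escaping.
SUBRULES = {
    "__ENV_FROM_DHL": ("received", r"envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com"),
    "__FROM_DHL":     ("from",     r"\bdhl(?:[-_][^ .]+)?\.com"),
    "__ENV_FROM_UPS": ("received", r"envelope-from [^ @]+@ups\.com"),
    "__FROM_UPS":     ("from",     r"\bups\.com"),
}
OLD_ENV_FROM_DHL = r"envelope-from [^ @]+@dhl[^ .]+\.com"  # first version, misses dhl.com

def parse_headers(raw):
    """Unfold RFC 5322 continuation lines; return {lowercase name: [values...]}."""
    fields, name = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break                               # end of the header block
        if line[0] in " \t" and name:
            fields[name][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        fields.setdefault(name, []).append(value.strip())
    return fields

def eval_subrules(raw):
    """As with SA header rules, try each pattern against every instance of its header."""
    fields = parse_headers(raw)
    return {rule: any(re.search(pat, v, re.I) for v in fields.get(hdr, []))
            for rule, (hdr, pat) in SUBRULES.items()}

def dhl_ups_mismatch(raw):
    """DHL_UPS_MISMATCH: the envelope sender and the From: header name different carriers."""
    h = eval_subrules(raw)
    return (h["__ENV_FROM_DHL"] and h["__FROM_UPS"]) or (h["__ENV_FROM_UPS"] and h["__FROM_DHL"])

def old_env_from_dhl_hits(raw):
    # The unrefined envelope pattern, kept to show why the optional group was added.
    return any(re.search(OLD_ENV_FROM_DHL, v, re.I) for v in parse_headers(raw).get("received", []))

# Constructed sample following the shape of the thread's second header dump; the relay,
# envelope-from address, queue id and recipient are placeholders. CONSISTENT is the
# same message with both sender claims agreeing on DHL, so the meta rule must not fire.
MISMATCH = """\
Received: from [192.0.2.10] (helo=dhl-usa.com)
 by mx.example.invalid with smtp (Exim 4.69)
 (envelope-from <notice@dhl-usa.com>)
 id PLACEHOLDER-ID
 for user@example.invalid; Thu, 17 Nov 2011 00:54:54 -0600
From: UPS Support <support@ups.com>
Subject: UPS Delivery Notification
"""
CONSISTENT = MISMATCH.replace("dhl-usa.com", "dhl.com").replace(
    "From: UPS Support <support@ups.com>", "From: DHL <noreply@dhl.com>")
```

`dhl_ups_mismatch(MISMATCH)` is True and `dhl_ups_mismatch(CONSISTENT)` is False, while `old_env_from_dhl_hits(CONSISTENT)` is False because `[^ .]+` demands at least one character between "dhl" and ".com".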


Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
I finally made my MCP rule like this:

header   __VIRUS_DHL1  FROM =~ /dhl-usa.com/i
header   __VIRUS_DHL2  ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta     VIRUS_DHLTOTAL  (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL  Correo con virus de DHL-USA
score    VIRUS_DHLTOTAL  11

One more option that I would like to add for this rule is to check for
attachments. Where do I look for the attachment file, is it in the body?

Once again, thank you.

Sergio

On Sat, Nov 19, 2011 at 10:45 AM, Sergio  wrote:

> RW,
> Now I understand why it gave 1 point when I declared 11 on the score,
> lol.
>
> I was trying to follow the SpamAssassin tutorial and saw the example; it
> shows the two underscores but never said that they are kind of mandatory.
> Thanks a lot for pointing this out.
>
> John Hardin,
> this is one header of the emails that I received:
>
> ***
> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
>  by MY-SERVER with smtp (Exim 4.69)
>  (envelope-from )
>  id 1RQNQZ-0002Q1-QD
>  for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
>  by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
>  (envelope-from )
>  id 1MMQJ8-3051eb-TY
>  for ; Tue, 15 Nov 2011 19:08:13 +0100
> Message-ID: <1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com>
> From: UPS Support 
> To: 
> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
> Date: Tue, 15 Nov 2011 19:08:13 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="=_NextPart_000_0006_01CCA3C9.EBFEF390"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
> ***
>
> Thanks a lot for your kind answers.
>
> Best Regards,
>
> Sergio Cabrera
>
>
> On Sat, Nov 19, 2011 at 8:18 AM, RW  wrote:
>
>> On Sat, 19 Nov 2011 05:42:43 -0600
>> Sergio wrote:
>>
>> > header VIRUS_DHL2  ALL =~ /text inside the email to check for/i
>>
>> This looks for the text in all of the headers. If you meant to look in
>> the body, then you want:
>>
>> body  VIRUS_DHL2  /text inside the email to check for/i
>>
>> You should also consider naming the sub-rules with two leading
>> underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
>> them having a one point default score.
>>
>
>


Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
RW,
Now I understand why it gave 1 point when I declared 11 on the score, lol.

I was trying to follow the SpamAssassin tutorial and saw the example; it
shows the two underscores but never said that they are kind of mandatory.
Thanks a lot for pointing this out.

John Hardin,
this is one header of the emails that I received:

***
Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
 by MY-SERVER with smtp (Exim 4.69)
 (envelope-from )
 id 1RQNQZ-0002Q1-QD
 for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
 by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
 (envelope-from )
 id 1MMQJ8-3051eb-TY
 for ; Tue, 15 Nov 2011 19:08:13 +0100
Message-ID: <1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com>
From: UPS Support 
To: 
Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
Date: Tue, 15 Nov 2011 19:08:13 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0006_01CCA3C9.EBFEF390"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
***

Thanks a lot for your kind answers.

Best Regards,

Sergio Cabrera

On Sat, Nov 19, 2011 at 8:18 AM, RW  wrote:

> On Sat, 19 Nov 2011 05:42:43 -0600
> Sergio wrote:
>
> > header VIRUS_DHL2  ALL =~ /text inside the email to check for/i
>
> This looks for the text in all of the headers. If you meant to look in
> the body, then you want:
>
> body  VIRUS_DHL2  /text inside the email to check for/i
>
> You should also consider naming the sub-rules with two leading
> underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
> them having a one point default score.
>


Re: Help with constructing a rule for MCP

2011-11-19 Thread RW
On Sat, 19 Nov 2011 05:42:43 -0600
Sergio wrote:

> header VIRUS_DHL2  ALL =~ /text inside the email to check for/i

This looks for the text in all of the headers. If you meant to look in
the body, then you want:

body  VIRUS_DHL2  /text inside the email to check for/i

You should also consider naming the sub-rules with two leading
underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
them having a one point default score.


Re: Help with constructing a rule for MCP

2011-11-19 Thread John Hardin

On Sat, 19 Nov 2011, Sergio wrote:

> I am new to the list and want to thank you in advance if you help me on this.
>
> I am creating the following rule:
>
> header   VIRUS_DHL1  FROM =~ /dhl-usa.com/i
> header   VIRUS_DHL2  ALL =~ /text inside the email to check for/i
> meta     VIRUS_DHLTOTAL  (VIRUS_DHL1 && VIRUS_DHL2)
> describe VIRUS_DHLTOTAL  DHL-USA Virus
> score    VIRUS_DHLTOTAL  11
>
> But the rule is not working fine. Any idea what is the error with this
> rule?

Please post a sample message with all headers intact to a pastebin so we 
can see it.

Note that poison-pill rules are generally discouraged.



Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
> Hi all,
> I am new to the list and want to thank you in advance if you help me on this.
>
> I am creating the following rule:
>
> header   VIRUS_DHL1  FROM =~ /dhl-usa.com/i
> header   VIRUS_DHL2  ALL =~ /text inside the email to check for/i
> meta     VIRUS_DHLTOTAL  (VIRUS_DHL1 && VIRUS_DHL2)
> describe VIRUS_DHLTOTAL  DHL-USA Virus
> score    VIRUS_DHLTOTAL  11
>
> But the rule is not working fine. Any idea what is the error with this
> rule?
>
> By the way, if you wonder if my antivirus has stopped this, yes, it has
> stopped all the emails that come with the exe file attached to the email,
> but there were a lot of them that didn't come with the EXE file, and that
> is why I am creating this rule.
>
> Best Regards,
>
> Sergio Cabrera
>