Re: [sa] Re: How to stop weird "From:" crap?

2010-07-12 Thread Charles Gregory

On Mon, 12 Jul 2010, Karsten Bräckelmann wrote:

> header LOC_WEIRD_FROM From =~ /<[^@\>]*[\^\`\ ][^@\>]*@/
> # note: the '[^@\>]*' confines the match to within a local address part
>
> Using From:addr instead is better and more accurate.


Provided the spammer doesn't use more than one address on the From 
header. :)


> That RE is more complicated than it needs to be, yet might even match the 
> real name. From is not From:raw.


From:raw, according to the docs, only prevents decoding of quoted-printable 
and base64 strings, and preserves whitespace. So the RE, as given, looks 
for the angle bracket at the beginning of ALL possible addresses, and 
scans for the undesirable characters. I don't see any unnecessary 
complexity in the RE (except that yes, you could use From:addr and 
eliminate the sections that pin down the address, but I've already explained I 
prefer an RE that captures ALL addresses, not just the first).


As a footnote to OP, these characters ARE 'legal' even though rarely used.
That's why you can't score too high...


> But I posted that solution yesterday already. Coming late to the show,
> eh? ;)


1) Sysadmin's New Year's Resolution: I will read all posts before 
responding.


2) Sorry, I got used to seeing so much *discussion* trying to dissect what 
was, to me, an obvious problem that I got fed up with it, and figured no 
one else was posting a rule, so I would


Great minds, and all that? :)

- C

Re: How to stop weird "From:" crap?

2010-07-12 Thread Karsten Bräckelmann
> header LOC_WEIRD_FROM From =~ /<[^@\>]*[\^\`\ ][^@\>]*@/
> # note: the '[^@\>]*' confines the match to within a local address part

Using From:addr instead is better and more accurate. That RE is more
complicated than it needs to be, yet might even match the real name. From is
not From:raw.

But I posted that solution yesterday already. Coming late to the show,
eh? ;)


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: How to stop weird "From:" crap?

2010-07-12 Thread Charles Gregory

On Mon, 12 Jul 2010, Michelle Konzack wrote:

> From: "Coupon Dept."


I realize that the spammers will soon recognize that you are filtering 
them, but for the moment, why not score heavily on the 'unusual' 
characters inside these coded addresses?


header LOC_WEIRD_FROM From =~ /<[^@\>]*[\^\`\ ][^@\>]*@/
score LOC_WEIRD_FROM 2
# not too high a score, just enough to tip them over...
# note: the '[^@\>]*' confines the match to within a local address part

- C


Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Mon, 2010-07-12 at 00:52 +0100, Ned Slider wrote:
> On 12/07/10 00:37, Michelle Konzack wrote:
> > > For me, that would be caught by dbl.spamhaus.org as a blacklisted
> > > sender domain during the smtp connection.
> >
> > Is this not included in?
> 
> No, it's a separate list purely for domains, not IPs. SpamAssassin 3.3.1 
> does add support to query dbl.spamhaus.org, but I think it only queries 
> it for URIs.

Indeed. And the latter is exactly the reason, why adding support for
Spamhaus DBL was a heavy-weight change for a micro release.


> I'm seeing hits against sender domains in dbl.spamhaus.org for IP addresses 
> that aren't yet listed on zen so querying at the smtp level in addition 
> to zen is beneficial.

Just to clarify -- while this is not incorrect, even though the "yet"
might be debatable [1], it easily can be confusing. The "sender domain"
and "IP address" in the previous sentence are not related. Other than
referring to the same spam message. DBL does not list IPs.

Do NOT query DBL for IPs. Never. You will get false positives.

  guenther


[1] PBL is highly unlikely to expand due to spam outbreaks. XBL might,
if the machine is malware infected. SBL of course might, but they
list IPs of pure evil only, suitable for deep-parsing.




Re: How to stop weird "From:" crap?

2010-07-11 Thread Ned Slider

On 12/07/10 00:37, Michelle Konzack wrote:

> Hello Ned Slider,
>
> On 2010-07-11 23:38:50, you wrote:
>
> > For me, that would be caught by dbl.spamhaus.org as a blacklisted
> > sender domain during the smtp connection.
>
> Is this not included in?



No, it's a separate list purely for domains, not IPs. SpamAssassin 3.3.1 
does add support to query dbl.spamhaus.org, but I think it only queries 
it for URIs.


To quote Spamhaus:

"The DBL is both a domain URI Blocklist and RHSBL. It is intended 
primarily for message body URI checks but it can additionally be used 
for connection checks at the SMTP level and header domain checks (HELO, 
connecting IP rDNS domain, From & Reply-To domains, Message-ID domain) 
and other checks involving domains."


I'm seeing hits against sender domains in dbl.spamhaus.org for IP addresses 
that aren't yet listed on zen so querying at the smtp level in addition 
to zen is beneficial.


But as we know, defence in depth, so not to detract from the rules 
Karsten and others are assisting with elsewhere in this thread :-)





Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Mon, 2010-07-12 at 01:37 +0200, Michelle Konzack wrote:
> > For me, that would be caught by dbl.spamhaus.org as a blacklisted
> > sender domain during the smtp connection.
> 
> Is this not included in ?

ZEN lists the handing-over IP (XBL, PBL) or any Received IP for deep-
parsing (SBL). This is not the same as an RHSBL, neither applies at all
to any domain part.

What you snipped was the reference link to DBL, given by Ned. Which
coincidentally should explain DBL, a recent Spamhaus addition...





Re: How to stop weird "From:" crap?

2010-07-11 Thread Michelle Konzack
Hello Ned Slider,

On 2010-07-11 23:38:50, you wrote:
> For me, that would be caught by dbl.spamhaus.org as a blacklisted
> sender domain during the smtp connection.

Is this not included in ?

> $ nslookup perezcentral.com.dbl.spamhaus.org
> 
> Non-authoritative answer:
> Name:   perezcentral.com.dbl.spamhaus.org
> Address: 127.0.1.2
> 
> 
> For example, in postfix add to smtpd_*_restrictions:
> 
>    reject_rhsbl_sender dbl.spamhaus.org
> 
> You can also check the helo and client against dbl.spamhaus.org
> 
>    reject_rhsbl_helo dbl.spamhaus.org
>    reject_rhsbl_client dbl.spamhaus.org

OK added, I will wait for the next crap coming in...

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL   itsyst...@tdnet UG (limited liability)
Owner Michelle KonzackOwner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France   77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

  
 

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/


signature.pgp
Description: Digital signature


Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 18:22 -0500, Dave Funk wrote:
> Rough first pass SA rule:
> 
> header T_FROM_CRAP1   From:addr =~ /[`\^:\]\[,?/"]/
   ^   ^  ^
Breaks. You either need to backslash escape the slash inside the RE, or
use alternative match-operator delimiters like m~pattern~. :)





Re: How to stop weird "From:" crap?

2010-07-11 Thread Dave Funk

On Mon, 12 Jul 2010, Michelle Konzack wrote:


> [ STDIN ]---
> From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
> Return-Path:
> Delivered-To: linux4miche...@tamay-dogan.net
> Received: from erona.perezcentral.com (erona.perezcentral.com 
> [:::72.34.111.198])
>  by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
>  id 0002BDA9.4C39E16B.1A98
> To: linux4miche...@tamay-dogan.net
> Date: Sun, 11 Jul 2010 08:20:47 -0700
> From: "Coupon Dept."
> Subject: Your Complimentary Coupons
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> Message-ID:
> X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from, 
> WLIST=FLT_weird_from, COUNT=3





Rough first pass SA rule:

header T_FROM_CRAP1 From:addr =~ /[`\^:\]\[,?/"]/
describe T_FROM_CRAP1   characters we should not see in real from address
score T_FROM_CRAP1  0.1
header T_FROM_CRAP2 From:addr =~ /[^@]*\@[^@]*\@/
describe T_FROM_CRAP2   Real from address should not contain more than one @
score T_FROM_CRAP2  0.1

Untested. Warning: could cause false positives. Some of those characters 
-could- be used in legit addresses (e.g. X.400 uses '/') but that's rare.

Test and adjust according to your mail environment.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Mon, 2010-07-12 at 00:06 +0200, Michelle Konzack wrote:
> > On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > > What about providing some raw From: headers then?

> From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
> Return-Path: 

Err, didn't you say you don't have the Envelope From, and your MTA shows
the same as the mangled From: headers?


> From: "Coupon Dept." <IW^GIdATOn2PbJK_/v...@perezcentral.com>

  header FOO  From:addr =~ m~[/ ]~

Works for me. Just a minimal example rule, in particular leaving out the
pesky backtick, confusing bash parsing the ad-hoc test rule. ;)

  spamassassin -D --cf="header FOO From:addr =~ m~.+~"

shows that From:addr contains the entire string contained in the angle
brackets. I wonder where your problems were writing the rule.

Debugging and ad-hoc rule development hint: See the --cf option as used
above. Together with -D, SA will report the matching substring. Then,
just craft a bare-minimum "mail message", containing the stuff you want
to trigger on. Generally, looks like this. Optionally use --cf to
disable AWL and Bayes respectively.

  echo "From: ...\n\n" | spamassassin -D

Hmm, writing this post took much longer than writing the rule... ;)

  guenther




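The three rules discussed in this part of the thread (Charles Gregory's LOC_WEIRD_FROM on the whole From: header, Dave Funk's T_FROM_CRAP1 and T_FROM_CRAP2 on From:addr, and Karsten's two points: From is not From:addr, and From:addr carries the whole angle-bracket content, junk included) can be exercised offline without a SpamAssassin install. The following is an added example, not code from the thread or from SpamAssassin: a Python script that transcribes the three Perl regexes to Python's re syntax (assumed equivalent for these character classes), approximates From:addr as the content of the last <...> pair (an assumption; SpamAssassin's own address parser may differ in corner cases), and runs the rules over constructed header values, including a legal quoted display name that fools the whole-header rule but not the address-only one.

```python
import re

# Constructed sample From: header values.  The archive obfuscates the real
# spam address from the thread, so these are made up to match its shape.
SAMPLES = {
    "spam_junk_chars": '"Coupon Dept." <IW^GIdATOn2PbJK_/vx@perezcentral.com>',
    "spam_two_ats": '"Coupon Dept." <abc@def@perezcentral.com>',
    "ham_plain": 'Alice Example <alice@example.org>',
    "ham_bare": 'alice@example.org (Alice Example)',
    # Legal (quoted) display name containing a stray '<' and a space.
    "ham_odd_name": '"News <and Offers" <news@example.org>',
}

# The thread's rules, transcribed from Perl to Python's re syntax.
# LOC_WEIRD_FROM runs on the whole From: header: after a '<', a caret,
# backtick or space must appear before the '@' without crossing a '>'.
LOC_WEIRD_FROM = re.compile(r'<[^@>]*[\^` ][^@>]*@')
# T_FROM_CRAP1 runs on the address part only.  In the Perl rule the '/'
# had to be escaped (or m~...~ used); inside a Python raw-string class it
# needs no escape, but '[' and ']' still do.
T_FROM_CRAP1 = re.compile(r'[`^:\]\[,?/"]')
# T_FROM_CRAP2: two '@' in the address part.
T_FROM_CRAP2 = re.compile(r'[^@]*@[^@]*@')

# Scores as posted in the thread.
SCORES = {"LOC_WEIRD_FROM": 2.0, "T_FROM_CRAP1": 0.1, "T_FROM_CRAP2": 0.1}


def from_addr(header_value: str) -> str:
    """Approximation (assumed here, not SpamAssassin's own parser) of the
    From:addr pseudo-header: the content of the last <...> pair, taken
    whole with any junk characters; with no angle brackets, the header
    minus any (comment)."""
    m = re.search(r'<([^<>]*)>\s*$', header_value)
    if m:
        return m.group(1).strip()
    return re.sub(r'\([^)]*\)', '', header_value).strip()


def check_from(header_value: str) -> dict:
    """Return which of the three rules hit for one From: header value."""
    addr = from_addr(header_value)
    return {
        "LOC_WEIRD_FROM": bool(LOC_WEIRD_FROM.search(header_value)),
        "T_FROM_CRAP1": bool(T_FROM_CRAP1.search(addr)),
        "T_FROM_CRAP2": bool(T_FROM_CRAP2.search(addr)),
    }


def score(hits: dict) -> float:
    """Sum the scores of the rules that hit."""
    return round(sum(SCORES[name] for name, hit in hits.items() if hit), 2)


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        hits = check_from(value)
        fired = [name for name, hit in hits.items() if hit]
        print(f"{label:15} addr={from_addr(value)!r:42} {fired} score={score(hits)}")
```

Running it shows the spam sample hitting both LOC_WEIRD_FROM and T_FROM_CRAP1 (score 2.1), the double-@ sample hitting only T_FROM_CRAP2, the plain addresses hitting nothing, and the odd-but-legal display name scoring 2.0 from the whole-header rule alone, which is the false-positive case the From:addr form avoids.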

Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 23:59 +0200, Michelle Konzack wrote:
> > On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > > What about providing some raw From: headers then?

> Cut the serial number at the beginning up to the first : and you have it.
> The From: E-Mails are exactly as shown.

Nope.

They are missing the left angle bracket, while the trailing right one is
shown. Moreover, they don't show any real-name part, if any. Thus we
cannot be sure how From, and in particular From:addr, parses these.

Hence me asking for RAW samples.





Re: How to stop weird "From:" crap?

2010-07-11 Thread Ned Slider

On 11/07/10 23:06, Michelle Konzack wrote:

> Hello John Hardin,
>
> On 2010-07-11 08:57:39, you wrote:
>
> > On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> >
> > > What about providing some raw From: headers then?
> >
> > +1  We need to see the headers.
>
> [ STDIN ]---
> From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
> Return-Path:
> Delivered-To: linux4miche...@tamay-dogan.net
> Received: from erona.perezcentral.com (erona.perezcentral.com 
> [:::72.34.111.198])
>    by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
>    id 0002BDA9.4C39E16B.1A98
> To: linux4miche...@tamay-dogan.net
> Date: Sun, 11 Jul 2010 08:20:47 -0700
> From: "Coupon Dept."
> Subject: Your Complimentary Coupons
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> Message-ID:
> X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from, 
> WLIST=FLT_weird_from, COUNT=3
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack



For me, that would be caught by dbl.spamhaus.org as a blacklisted sender 
domain during the smtp connection.


$ nslookup perezcentral.com.dbl.spamhaus.org

Non-authoritative answer:
Name:   perezcentral.com.dbl.spamhaus.org
Address: 127.0.1.2


For example, in postfix add to smtpd_*_restrictions:

   reject_rhsbl_sender dbl.spamhaus.org

You can also check the helo and client against dbl.spamhaus.org

   reject_rhsbl_helo dbl.spamhaus.org
   reject_rhsbl_client dbl.spamhaus.org


Ref: http://www.spamhaus.org/dbl/
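As an added example, not from the thread, from Postfix or from Spamhaus: a Python sketch of what an RHSBL client such as Postfix's reject_rhsbl_sender does for DBL, with the guard Karsten asks for earlier in the thread (never query DBL for an IP) built in. The resolver is a constructed stub so the code runs offline. The only return codes it relies on are 127.0.1.2 (spam domain, the answer shown above for perezcentral.com) and 127.0.1.255, which DBL returns when the query name is an IP address ("IP queries prohibited"); any answer outside 127.0.1.0/24 is treated as an error rather than a listing, so a wildcard or intercepting resolver cannot turn every lookup into a reject. Function and variable names are this example's own.

```python
import ipaddress
import re

DBL_ZONE = "dbl.spamhaus.org"
DBL_RANGE = ipaddress.ip_network("127.0.1.0/24")
# 127.0.1.2 is the answer shown in the thread for perezcentral.com (spam
# domain); 127.0.1.255 is DBL's "IP queries prohibited" answer.  No other
# return codes are assumed here.
DBL_SPAM_DOMAIN = ipaddress.ip_address("127.0.1.2")
DBL_IP_QUERY_PROHIBITED = ipaddress.ip_address("127.0.1.255")

HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z0-9-]+")


def dbl_query_name(domain: str) -> str:
    """Build the DBL query name for a sender, HELO or rDNS domain.

    Raises ValueError for IP literals: DBL lists domains only, and a client
    that appends the zone to an IP gets 127.0.1.255 back, which a naive
    "any 127.x answer means listed" check would turn into a false reject."""
    d = domain.strip().strip("[]").rstrip(".").lower()
    try:
        ipaddress.ip_address(d)
    except ValueError:
        pass  # not an IP literal, good
    else:
        raise ValueError(f"refusing DBL query for IP literal {domain!r}")
    if not HOSTNAME.fullmatch(d):
        raise ValueError(f"not a hostname: {domain!r}")
    return f"{d}.{DBL_ZONE}"


def interpret_dbl(answers) -> str:
    """Classify the A records returned for a DBL query name.

    Only 127.0.1.0/24 answers are DBL return codes; anything else (a
    wildcard resolver, a captive portal, a misconfigured forwarder) is an
    error, not a listing, and must not cause a reject."""
    if not answers:
        return "not-listed"
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c not in DBL_RANGE for c in codes):
        return "error:unexpected-answer"
    if DBL_IP_QUERY_PROHIBITED in codes:
        return "error:ip-query-prohibited"
    if DBL_SPAM_DOMAIN in codes:
        return "listed:spam-domain"
    return "listed"


def check_sender(domain: str, resolve) -> str:
    """What an RHSBL restriction does for one domain.  resolve(name) returns
    the list of A records as strings, or [] for NXDOMAIN; it is injected so
    the example runs without network access."""
    try:
        name = dbl_query_name(domain)
    except ValueError as exc:
        return f"skipped:{exc}"
    return interpret_dbl(resolve(name))


# Constructed stub standing in for DNS; no real lookups are made.  The IP
# entry shows what a client would get back if it ignored the guard above.
STUB_DNS = {
    "perezcentral.com.dbl.spamhaus.org": ["127.0.1.2"],
    "72.34.111.198.dbl.spamhaus.org": ["127.0.1.255"],
}


def stub_resolve(name: str) -> list:
    return STUB_DNS.get(name, [])


if __name__ == "__main__":
    for d in ("perezcentral.com", "example.org", "72.34.111.198", "[72.34.111.198]"):
        print(f"{d:18} -> {check_sender(d, stub_resolve)}")
```

With Postfix's own restrictions this guard is implicit for reject_rhsbl_sender and reject_rhsbl_helo, which query the domain text; the point of the example is what a hand-rolled or milter-side check has to do before appending the zone.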



Re: How to stop weird "From:" crap?

2010-07-11 Thread Michelle Konzack
Hello John Hardin,

On 2010-07-11 08:57:39, you wrote:
> On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> >What about providing some raw From: headers then?
> +1  We need to see the headers.

[ STDIN ]---
From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
Return-Path: 
Delivered-To: linux4miche...@tamay-dogan.net
Received: from erona.perezcentral.com (erona.perezcentral.com 
[:::72.34.111.198])
  by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
  id 0002BDA9.4C39E16B.1A98
To: linux4miche...@tamay-dogan.net
Date: Sun, 11 Jul 2010 08:20:47 -0700
From: "Coupon Dept." 
Subject: Your Complimentary Coupons
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: 
X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from, 
WLIST=FLT_weird_from, COUNT=3



Thanks, Greetings and nice Day/Evening
Michelle Konzack



Re: How to stop weird "From:" crap?

2010-07-11 Thread Michelle Konzack
Hello John Hardin,

On 2010-07-11 08:57:39, you wrote:
> On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> >What about providing some raw From: headers then?
> +1  We need to see the headers.

Cut the serial number at the beginning up to the first : and you have it.
The From: E-Mails are exactly as shown.

Thanks, Greetings and nice Day/Evening
Michelle Konzack



Re: How to stop weird "From:" crap?

2010-07-11 Thread John Hardin

On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:

> On Sun, 2010-07-11 at 17:35 +0200, Michelle Konzack wrote:
> > > Didn't have sufficient caffeine yet, and I am too lazy to go through
> > > that procmail logic in detail -- but looking at the samples, you want to
> > > identify junk chars in the From: header?
> >
> > Yes
> >
> > > Well, what about a header From rule, maybe even limited to From:addr?
> > > Or some raw headers, like From:raw or even the hammer ALL pseudo
> > > header.
> >
> > I have tried to write one but failed...
>
> What about providing some raw From: headers then?


+1  We need to see the headers.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), the irish (1920s),
  jews (1930s), blacks (1960s), the poor (always)
---
 5 days until the 65th anniversary of the dawn of the Atomic Age

Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 17:35 +0200, Michelle Konzack wrote:
> > Didn't have sufficient caffeine yet, and I am too lazy to go through
> > that procmail logic in detail -- but looking at the samples, you want to
> > identify junk chars in the From: header?
> 
> Yes
> 
> > Well, what about a header From rule, maybe even limited to From:addr? Or
> > some raw headers, like From:raw or even the hammer ALL pseudo header.
> 
> I have tried to write one but failed...

What about providing some raw From: headers then?





Re: How to stop weird "From:" crap?

2010-07-11 Thread Michelle Konzack
Hello Karsten Bräckelmann,

On 2010-07-11 16:21:49, you wrote:
> Didn't have sufficient caffeine yet, and I am too lazy to go through
> that procmail logic in detail -- but looking at the samples, you want to
> identify junk chars in the From: header?

Yes

> Well, what about a header From rule, maybe even limited to From:addr? Or
> some raw headers, like From:raw or even the hammer ALL pseudo header.

I have tried to write one but failed...

> I assume the Envelope From doesn't look the same, does it? Otherwise,
> you could already have your MX reject them outright.

I do not know WHO has sent it, because there are no other headers like
"Sender:" or "Envelope-From:" in the messages, and the courier logs show
the same.

Currently I run the check on USER level, but I would like to do this check on
SMTP level using amavis and spamassassin.

Thanks, Greetings and nice Day/Evening
Michelle Konzack



Re: How to stop weird "From:" crap?

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 12:49 +0200, Michelle Konzack wrote:
> Hello Experts,
> 
> for around 9 weeks I have been bombarded on my e-mails  and
>  by crappy From: spams.  Here are some examples  from  my
> log:
[garbled address samples snipped]

> but I want to do the scanning in spamassassin.
> 
> Any suggestions and ideas?

Didn't have sufficient caffeine yet, and I am too lazy to go through
that procmail logic in detail -- but looking at the samples, you want to
identify junk chars in the From: header?

Well, what about a header From rule, maybe even limited to From:addr? Or
some raw headers, like From:raw or even the hammer ALL pseudo header.


I assume the Envelope From doesn't look the same, does it? Otherwise,
you could already have your MX reject them outright.

