Re: about fake mails

2008-12-07 Thread mouss
Yavuz Maslak wrote:
> Let me explain my problem and goal:
> 
> For instance, a spammer installs an SMTP server and he has a tool to send
> his mails. He writes [EMAIL PROTECTED] in the From address and he sends his
> mails using his SMTP server. Namely, he doesn't use gmail's servers. I
> want to give a high score to these sorts of mails.
> 
> Now I have written a rule according to Jeff and Matus.
> Thanks to both.
> 
>   # address patterns were redacted in the archive; reconstructed from the rule names
>   header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
>   header __L_ML2        exists:List-Id
>   header __L_ML3        exists:List-Post
>   header __L_ML4        exists:Mailing-List
>   header __L_HAS_SNDR   exists:Sender
>   meta   __L_VIA_ML     (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
>   header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
>   meta     L_UNVERIFIED_GMAIL  (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
>   priority L_UNVERIFIED_GMAIL  500
>   score    L_UNVERIFIED_GMAIL  2.5
>   meta     UNVERIFIED_GMAILMISS  (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
>   priority UNVERIFIED_GMAILMISS 600
>   score    UNVERIFIED_GMAILMISS 0.0
> 
> Any advice?
> 

copy the file
http://www.netoyen.net/sa/dkim.cf
to your spamassassin rules directory (the directory where you have
local.cf). This file contains the rules suggested on
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
so that you don't need to copy-paste ;-p

run: spamassassin --lint

if you get an error, then either you or I did something wrong ;-p

you may increase the score of L_NOTVALID_GMAIL (and the like) if you
want, but 2.8 should be enough.






Re: about fake mails

2008-12-07 Thread Yavuz Maslak

Let me explain my problem and goal:

For instance, a spammer installs an SMTP server and he has a tool to send his 
mails. He writes [EMAIL PROTECTED] in the From address and he sends his mails using 
his SMTP server. Namely, he doesn't use gmail's servers. I want to give a high 
score to these sorts of mails.


Now I have written a rule according to Jeff and Matus.
Thanks to both.

  # address patterns were redacted in the archive; reconstructed from the rule names
  header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
  header __L_ML2        exists:List-Id
  header __L_ML3        exists:List-Post
  header __L_ML4        exists:Mailing-List
  header __L_HAS_SNDR   exists:Sender
  meta   __L_VIA_ML     (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)

  header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
  meta     L_UNVERIFIED_GMAIL  (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)

  priority L_UNVERIFIED_GMAIL  500
  score    L_UNVERIFIED_GMAIL  2.5
  meta     UNVERIFIED_GMAILMISS  (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)

  priority UNVERIFIED_GMAILMISS 600
  score    UNVERIFIED_GMAILMISS 0.0

Any advice?








Re: about fake mails

2008-12-07 Thread mouss
Yavuz Maslak wrote:
> Ok
> I have started to use dkim verification.  I defined whitelists in
> local.cf. It works.
> But I could not find how I give a high score to a spammer who doesn't
> use gmail's mail servers.
> 

The link that I suggested in my previous post contains spamassassin rules.


> Although a domain has domain keys, how can I give a positive score to a
> mail which comes from a fake SMTP server?
> 

what is a "fake smtp server"? please explain your problem and goal
clearly. It would also help to post a sample spam on pastebin.com.


Re: about fake mails

2008-12-07 Thread Kai Schaetzl
Just that most of the spam with a gmail.com sender *is* coming from Gmail 
..

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





RE: about fake mails

2008-12-07 Thread Benny Pedersen

On Sun, December 7, 2008 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.

perldoc Mail::SpamAssassin::Conf see whitelist_auth
perldoc Mail::SpamAssassin::Plugin::DKIM

but okay, making a default spam score for DKIM-signed mails works :)

and subtract it when it's VERIFIED

> You have to apply a positive score to all mail claiming to be
> "From:" a gmail address, then apply a negative score voiding
> the first one to the DKIM-verified ones.

I just add a negative score when verified here


-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



RE: about fake mails

2008-12-07 Thread Jeff Mincy
   From: "Giampaolo Tomassoni" <[EMAIL PROTECTED]>
   Date: Sun, 7 Dec 2008 15:52:10 +0100
   
   > -Original Message-
   > From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
   > Sent: Sunday, December 07, 2008 3:02 PM
   > 
   > Ok
   > I have started to use dkim verification.  I defined whitelists in
   > local.cf. It works.
   > But I could not find how I give a high score to a spammer who doesn't
   > use gmail's mail servers.
   > 
   > Although a domain has domain keys, how can I give a positive score to a
   > mail which comes from a fake SMTP server?
   
   There is no direct way (to my knowledge) to do this.
   
   You have to apply a positive score to all mail claiming to be "From:" a
   gmail address, then apply a negative score voiding the first one to the
   DKIM-verified ones. 
   
You can write a meta rule for email that claims to be from gmail that
does not have DKIM.  

   # add some penalty points to mail from yahoo and gmail.com which
   # does not carry a valid signature; exempt mail from mailing lists
   # (address patterns were redacted in the archive; reconstructed from the rule names)
   header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
   header __L_ML2        exists:List-Id
   header __L_ML3        exists:List-Post
   header __L_ML4        exists:Mailing-List
   header __L_HAS_SNDR   exists:Sender
   meta   __L_VIA_ML     (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
   header __L_FROM_Y1    From:addr =~ m{\@yahoo\.com$}i
   header __L_FROM_Y2    From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
   header __L_FROM_Y3    From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
   header __L_FROM_Y4    From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
   meta   __L_FROM_YAHOO (__L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4)
   header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
   meta     L_UNVERIFIED_YAHOO  (!DKIM_VERIFIED && !DK_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML)
   priority L_UNVERIFIED_YAHOO  500
   score    L_UNVERIFIED_YAHOO  2.5
   meta     L_UNVERIFIED_GMAIL  (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
   priority L_UNVERIFIED_GMAIL  500
   score    L_UNVERIFIED_GMAIL  2.5

I got these rules from this list.  I added !DK_VERIFIED to
L_UNVERIFIED_YAHOO.

-jeff


Re: about fake mails

2008-12-07 Thread Matus UHLAR - fantomas
> > From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, December 07, 2008 3:02 PM

> > But I could not find how I give a high score to a spammer who doesn't
> > use gmail's mail servers.
> > 
> > Although a domain has domain keys, how can I give a positive score to a
> > mail which comes from a fake SMTP server?

On 07.12.08 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.
> 
> You have to apply a positive score to all mail claiming to be "From:" a
> gmail address, then apply a negative score voiding the first one to the
> DKIM-verified ones. 

I think that giving a score to mail that has gmail.com in the From address but
is not DKIM verified should be just enough.

Generally, there should be a meta rule for domains that have a sign-all policy
where the mail is not signed, e.g.:

meta  DKIM_MISS (DKIM_POLICY_SIGNALL && !DKIM_VERIFIED)
score DKIM_MISS 3.0

and maybe for mail that is signed, but the signature was
meta  DKIM_FAIL (DKIM_SIGNED && !DKIM_VERIFIED)
score DKIM_FAIL 1.0

... I just guessed those scores, but maybe someone could run mass-check?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
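The rule logic posted in this thread (Jeff's and Yavuz's L_UNVERIFIED_GMAIL / UNVERIFIED_GMAILMISS metas and Matus's DKIM_FAIL meta), replayed in Python over constructed messages so the mailing-list exemption and the edge cases can be checked without a SpamAssassin install. This is an added example, not code from the thread or from SpamAssassin. It assumes the DKIM verdict is read from an Authentication-Results header written by an upstream verifier (SpamAssassin's DKIM plugin verifies signatures itself and sets DKIM_SIGNED and DKIM_VERIFIED); the DNS policy lookup behind DKIM_POLICY_SIGNALL is not modelled. It goes one step beyond the posted rules with an optional author-domain alignment check, since a DKIM pass by itself only says that some domain signed the message. The domains spammer.example and mx.example.net and all sample headers are made up.

```python
"""Replay the gmail/DKIM meta rules from this thread over constructed messages.

Added example (not from the thread or SpamAssassin). ASSUMPTION: the DKIM verdict
is read from an Authentication-Results header written by an upstream verifier;
SpamAssassin's own DKIM plugin verifies signatures itself and sets DKIM_SIGNED
and DKIM_VERIFIED. Sample domains (spammer.example, mx.example.net) are made up.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Scores as posted in the thread (DKIM_FAIL is Matus's guessed value).
SCORES = {"L_UNVERIFIED_GMAIL": 2.5, "UNVERIFIED_GMAILMISS": 0.0, "DKIM_FAIL": 1.0}

# __L_FROM_GMAIL: anchored on the address part, like "From:addr =~ m{\@gmail\.com$}i".
GMAIL_RE = re.compile(r"@gmail\.com$", re.I)
# __L_ML1 (Precedence: list|bulk) and __L_ML2..4, __L_HAS_SNDR (header present).
PRECEDENCE_RE = re.compile(r"\b(list|bulk)\b", re.I)
LIST_HEADERS = ("List-Id", "List-Post", "Mailing-List", "Sender")
# dkim=pass, optionally followed by the signing domain (header.d=).
AR_PASS_RE = re.compile(r"\bdkim=pass\b(?:.*?\bheader\.d=([\w.-]+))?", re.I | re.S)


def from_address(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1]


def from_gmail(msg: Message) -> bool:
    return GMAIL_RE.search(from_address(msg)) is not None


def via_mailing_list(msg: Message) -> bool:
    if PRECEDENCE_RE.search(msg.get("Precedence", "")):
        return True
    return any(h in msg for h in LIST_HEADERS)


def dkim_state(msg: Message):
    """Return (signed, passed, aligned).

    signed:  a DKIM-Signature header is present (SA's DKIM_SIGNED)
    passed:  the verifier reported dkim=pass for some domain (SA 3.2's DKIM_VERIFIED)
    aligned: passed AND header.d= equals the From: domain. The posted rules use
             DKIM_VERIFIED only, so a spammer signing with his own domain satisfies them.
    """
    signed = "DKIM-Signature" in msg
    m = AR_PASS_RE.search(msg.get("Authentication-Results", ""))
    passed = m is not None
    from_domain = from_address(msg).rpartition("@")[2].lower()
    aligned = passed and (m.group(1) or "").lower() == from_domain
    return signed, passed, aligned


def evaluate(raw: str, require_alignment: bool = True):
    """Return (hit rule names, total score) for one RFC 822 message."""
    msg = message_from_string(raw)
    signed, passed, aligned = dkim_state(msg)
    verified = aligned if require_alignment else passed
    gmail, listed = from_gmail(msg), via_mailing_list(msg)
    hits = []
    if gmail and not verified and not listed:
        hits.append("L_UNVERIFIED_GMAIL")      # meta L_UNVERIFIED_GMAIL
    if gmail and signed and not verified and not listed:
        hits.append("UNVERIFIED_GMAILMISS")    # signed but not verified; 0.0 as posted
    if signed and not passed:
        hits.append("DKIM_FAIL")               # meta DKIM_FAIL (DKIM_SIGNED && !DKIM_VERIFIED)
    return hits, sum(SCORES[h] for h in hits)


SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=%s; s=sel; bh=placeholder; b=placeholder\n"
# Constructed header sets (not real mail); bodies are irrelevant to these rules.
SAMPLES = {
    "genuine": "From: Alice <alice@gmail.com>\n" + SIG % "gmail.com"
               + "Authentication-Results: mx.example.net; dkim=pass header.d=gmail.com\n\nbody\n",
    "forged_unsigned": "From: alice@gmail.com\nReceived: from spammer.example ([192.0.2.10])\n\nbody\n",
    # real gmail post relayed by a list that rewrote the body and broke the signature
    "via_list": "From: Alice <alice@gmail.com>\nList-Id: <users.example.net>\nPrecedence: list\n"
                + SIG % "gmail.com"
                + "Authentication-Results: mx.example.net; dkim=fail header.d=gmail.com\n\nbody\n",
    # the $ anchor means a look-alike domain never hits __L_FROM_GMAIL
    "lookalike": "From: Alice <alice@gmail.com.example.net>\n\nbody\n",
    # spammer signs with his own domain; From: still claims gmail.com
    "self_signed": "From: alice@gmail.com\n" + SIG % "spammer.example"
                   + "Authentication-Results: mx.example.net; dkim=pass header.d=spammer.example\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {evaluate(raw)}   (no alignment: {evaluate(raw, False)})")
```

The "via_list" sample shows why the __L_VIA_ML exemption exists: a real gmail post relayed through a list often arrives with a broken signature, and without the exemption every list subscriber on gmail would collect the 2.5 points. The "self_signed" sample is the reason for the alignment option: with the posted rules alone (require_alignment=False) a forged gmail.com From: carrying a valid signature from the spammer's own domain scores nothing.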


RE: about fake mails

2008-12-07 Thread Giampaolo Tomassoni
> -Original Message-
> From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 07, 2008 3:02 PM
> 
> Ok
> I have started to use dkim verification.  I defined whitelists in
> local.cf. It works.
> But I could not find how I give a high score to a spammer who doesn't
> use gmail's mail servers.
> 
> Although a domain has domain keys, how can I give a positive score to a
> mail which comes from a fake SMTP server?

There is no direct way (to my knowledge) to do this.

You have to apply a positive score to all mail claiming to be "From:" a
gmail address, then apply a negative score voiding the first one to the
DKIM-verified ones. 

Giampaolo


> > Yavuz Maslak wrote:
> >> Sometimes, although someone doesn't use domain.com's server, he sends many
> >> mails using his own SMTP service as if these mails came from @domain.com.
> >>
> >> The domain.com may be hotmail.com or gmail.com.
> >>
> >> Is there a rule for that so that we can give some score to these mails?
> >
> > for gmail, you can use dkim verification. look at the rules in
> > http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> > you may want to accept non-signed gmail mail if it comes from nabble or
> > others.
> >
> >
> > for hotmail, there are already rules to catch such forgeries. take a look
> > at
> > http://spamassassin.apache.org/tests_3_2_x.html
> >
> > if you have sample false negatives, post them on pastebin.com.
> >



Re: about fake mails

2008-12-07 Thread Yavuz Maslak

Ok
I have started to use dkim verification.  I defined whitelists in local.cf. 
It works.
But I could not find how I give a high score to a spammer who doesn't use 
gmail's mail servers.


Although a domain has domain keys, how can I give a positive score to a mail 
which comes from a fake SMTP server?









Re: about fake mails

2008-12-05 Thread Matus UHLAR - fantomas
On 06.12.08 00:54, Yavuz Maslak wrote:
> Sometimes, although someone doesn't use domain.com's server, he sends many
> mails using his own SMTP service as if these mails came from @domain.com.
> 
> The domain.com may be hotmail.com or gmail.com. 
> 
> Is there a rule for that so that we can give some score to these mails? 

implement SPF and/or DKIM checks at SMTP level.

use SPF and DKIM plugins.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.


Re: about fake mails

2008-12-05 Thread mouss
Yavuz Maslak wrote:
> Sometimes, although someone doesn't use domain.com's server, he sends many
> mails using his own SMTP service as if these mails came from @domain.com.
>  
> The domain.com may be hotmail.com or gmail.com.
>  
> Is there a rule for that so that we can give some score to these mails? 

for gmail, you can use dkim verification. look at the rules in
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
you may want to accept non-signed gmail mail if it comes from nabble or
others.


for hotmail, there are already rules to catch such forgeries. take a look at
http://spamassassin.apache.org/tests_3_2_x.html

if you have sample false negatives, post them on pastebin.com.