Re: Spam from addresses where full name mirrors left-hand side of address
On Tue, 3 Apr 2018, RW wrote: On Mon, 2 Apr 2018 11:33:27 -0700 (PDT) John Hardin wrote: On Mon, 2 Apr 2018, Amir Caspi wrote: many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part. So require a minimum length for the middle part: header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+) <\1.\2.\3/ A meta rule using multi-dots could work, by either looking for specific keywords or matching with other spammy indicators... but by itself there's no real way to distinguish these AFAICT. I think a meta rule is the only safe way to go, but personally I would _NOT_ use a rule like the one suggested where the quoted part equals the user part, since every firstname.lastname address will get caught that way. Your comment is valid, but the suggested rule requires three parts, so won't hit on firstname.lastname-style mailbox naming. However, since it's looking for periods, it won't hit the dash- and underscore-delimited versions. It looks for . not \. Ah, yes, my mistake. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The world has enough Mouse Clicking System Engineers. -- Dave Pooser --- 10 days until Thomas Jefferson's 275th Birthday
Re: Spam from addresses where full name mirrors left-hand side of address
On Mon, 2 Apr 2018 11:33:27 -0700 (PDT) John Hardin wrote: > On Mon, 2 Apr 2018, Amir Caspi wrote: > > > many organizations -- especially government or other > > large orgs -- also use firstname.middleinitial.lastname as their > > user part. > > So require a minimum length for the middle part: > >header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+) <\1.\2.\3/ > > > A meta rule using multi-dots could work, by either looking for > > specific keywords or matching with other spammy indicators... but > > by itself there's no real way to distinguish these AFAICT. I think > > a meta rule is the only safe way to go, but personally I would > > _NOT_ use a rule like the one suggested where the quoted part > > equals the user part, since every firstname.lastname address will > > get caught that way. > > Your comment is valid, but the suggested rule requires three parts, > so won't hit on firstname.lastname-style mailbox naming. > > However, since it's looking for periods, it won't hit the dash- and > underscore-delimited versions. It looks for . not \.
Re: Spam from addresses where full name mirrors left-hand side of address
On Mon, 2 Apr 2018, Amir Caspi wrote: many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part. So require a minimum length for the middle part: header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+) <\1.\2.\3/ A meta rule using multi-dots could work, by either looking for specific keywords or matching with other spammy indicators... but by itself there's no real way to distinguish these AFAICT. I think a meta rule is the only safe way to go, but personally I would _NOT_ use a rule like the one suggested where the quoted part equals the user part, since every firstname.lastname address will get caught that way. Your comment is valid, but the suggested rule requires three parts, so won't hit on firstname.lastname-style mailbox naming. However, since it's looking for periods, it won't hit the dash- and underscore-delimited versions. Perhaps: header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+)\s+<\1[-._]\2[-._]\3\@/ And maybe a little more flexible to hit the *last three* parts of a 4+ part address: header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+)\s+<[^@]*\1[-._]\2[-._]\3\@/ Potentially lots of backtracking there, though. Fortunately the string is not apt to be very long. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- When fascism comes to America, it will be wrapped in "Diversity" and demanding "Safe Spaces." -- Mona Charen --- 368 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: Spam from addresses where full name mirrors left-hand side of address
On Apr 1, 2018, at 11:33 PM, Rich Waleswrote: > > I do realize some perfectly legitimate "From:" lines conform to this same > pattern, and the only way to really tell the difference may be via AI or a > real human brain. Not just "some" legitimate mail... a LOT of legitimate mail, basically anything that conforms to "FirstName LastName" >. One might think checking for multiple dots would help (as I suggested last week), but many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part. A meta rule using multi-dots could work, by either looking for specific keywords or matching with other spammy indicators... but by itself there's no real way to distinguish these AFAICT. I think a meta rule is the only safe way to go, but personally I would _NOT_ use a rule like the one suggested where the quoted part equals the user part, since every firstname.lastname address will get caught that way. Cheers. --- Amir
Re: Spam from addresses where full name mirrors left-hand side of address
On 2 Apr 2018, at 1:33 (-0400), Rich Wales wrote: [I tried asking this question a couple of days ago, but I've seen no signs that it made it out to the list -- possibly because the sample e-mail addresses I included in my question might have caused it to be flagged as spam. So here goes again, this time with the addresses mangled a bit.] I see a lot of spam with "From:" lines where the left-hand side of the address is essentially the same (modulo punctuation) as the "full name" portion of the address. The right-hand side, on the other hand, is a random gibberish domain. A few examples currently sitting in my local server's spam quarantine (with the addresses edited so they hopefully won't trigger any spam checks): Adding To Human Lifespan "Eliminate Fat Fast" jeanettejtaylor (dot) com> "Home Warranty Special" racerville (dot) com> Smartphone Screen Protector dtqmp (dot) com> Two questions: Is it *technically possible* to create a Spamassassin rule which would match this sort of "From:" line? This (UNTESTED) should do it: header THREE_WORD_MONTY From =~ /(\w+) (\w+) (\w+) <\1.\2.\3/ And assuming it can be done, is it *worthwhile* to do it? Not a clue. Maybe worth a try? -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Currently Seeking Steady Work: https://linkedin.com/in/billcole
Spam from addresses where full name mirrors left-hand side of address
[I tried asking this question a couple of days ago, but I've seen no signs that it made it out to the list -- possibly because the sample e-mail addresses I included in my question might have caused it to be flagged as spam. So here goes again, this time with the addresses mangled a bit.] I see a lot of spam with "From:" lines where the left-hand side of the address is essentially the same (modulo punctuation) as the "full name" portion of the address. The right-hand side, on the other hand, is a random gibberish domain. A few examples currently sitting in my local server's spam quarantine (with the addresses edited so they hopefully won't trigger any spam checks): Adding To Human Lifespan "Eliminate Fat Fast" "Home Warranty Special" Smartphone Screen Protector Two questions: Is it *technically possible* to create a Spamassassin rule which would match this sort of "From:" line? And assuming it can be done, is it *worthwhile* to do it? I do realize some perfectly legitimate "From:" lines conform to this same pattern, and the only way to really tell the difference may be via AI or a real human brain. -- *Rich Wales* ri...@richw.org