Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread John Hardin

On Sun, 28 Mar 2021, Steve Dondley wrote:

So what's the giveaway that this is spam and what rule can I add to get SA to 
recognize it as such? And what is the best way for me to learn how to analyze 
the headers so I can recognize spam myself? Any good tutorials for this?


The obfuscated "xfinity" in the From header is what caught my eye:


54 From: "x-flnltycomcastvoicemail_ref.no01...@comcast.net"
55  


If you keep seeing such, then a FUZZY_XFINITY_FM rule might be worthwhile.

Unfortunately it was sent via Comcast MTAs so SPF/DKIM aren't helpful 
here to detect spoofing.


A From header address rule for "comcastvoicemail" might be useful as well, 
depending on whether or not you get legitimate voicemail announcements 
from Comcast and what they look like.



78  - This mail is in HTML. Some elements may be ommited in plain text. -


Spelling and grammar errors potentially give Bayes something to work with. 
Feed the message to Bayes as spam.



107 Content-Type: application/octet-stream;
108 name="Mar-28 Voicemail.eml"


That filename looks suspicious. .eml is an attachment generally used for 
mailbox-format email message attachments. Why would a voicemail be 
delivered in that format?



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...if the government does not trust me to own firearms,
  why or how can the people be expected to trust the government?
-- Theodore Haas, Dachau survivor
---
 4 days until April Fools' day
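The three checks John suggests above (a fuzzy match on the obfuscated "xfinity" in From, a From rule for "comcastvoicemail", and a look at the ".eml voicemail" attachment name), implemented as a small header triage script. This is an added example and not code from the thread or from SpamAssassin; the homoglyph map, the brand list, the sample message (addresses are placeholders, not the ones in the original headers) and the SpamAssassin rule text in the comment, including its scores, are assumptions for illustration.

```python
import email
import re

# Equivalent SpamAssassin rules for local.cf (assumed syntax, hypothetical scores):
#   header     FUZZY_XFINITY_FM  From =~ /x[-_.]?f[li1|]n[li1|]ty/i
#   describe   FUZZY_XFINITY_FM  Obfuscated "xfinity" in From
#   score      FUZZY_XFINITY_FM  3.0
#   header     COMCAST_VM_FROM   From:addr =~ /comcastvoicemail/i
#   score      COMCAST_VM_FROM   2.0
#   mimeheader VOICEMAIL_EML     Content-Type =~ /name=.*voicemail.*\.eml/i
#   score      VOICEMAIL_EML     2.0

# Characters spammers substitute into a brand name so a literal match fails.
# The map and the brand list are assumptions for this example.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o",
                            "3": "e", "5": "s", "$": "s"})
BRANDS = ("xfinity", "comcast")

# Constructed sample modelled on the message in the thread.
SAMPLE = """\
From: "x-flnltycomcastvoicemail_ref" <x-flnltycomcastvoicemail@example.net>
To: catchall@example.org
Subject: New voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>- This mail is in HTML. Some elements may be ommited in plain text. -</p>
--b1
Content-Type: application/octet-stream; name="Mar-28 Voicemail.eml"
Content-Disposition: attachment; filename="Mar-28 Voicemail.eml"

(attachment body omitted)
--b1--
"""


def normalize(text: str) -> str:
    """Lower-case, fold look-alike characters and drop separator characters."""
    folded = text.lower().translate(HOMOGLYPHS)
    return re.sub(r"[-_.\s]", "", folded)


def fuzzy_brand_hits(from_header: str) -> list:
    """Brands that appear in From only after de-obfuscation.

    A brand spelled out plainly (e.g. 'comcast' in a comcast.net address) is
    not reported; only the disguised spelling is the suspicious signal."""
    plain = from_header.lower()
    norm = normalize(from_header)
    return [b for b in BRANDS if b not in plain and b in norm]


def voicemail_eml_attachments(msg) -> list:
    """Attachment names that claim to be a voicemail but carry an .eml file."""
    names = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".eml") and "voicemail" in name:
            names.append(part.get_filename())
    return names


def triage(raw: str) -> dict:
    """Run the three checks on a raw message and report what each flags."""
    msg = email.message_from_string(raw)
    from_hdr = msg.get("From", "")
    return {
        "FUZZY_XFINITY_FM": fuzzy_brand_hits(from_hdr),
        "COMCAST_VM_FROM": "comcastvoicemail" in from_hdr.lower(),
        "VOICEMAIL_EML": voicemail_eml_attachments(msg),
    }


if __name__ == "__main__":
    for rule, hit in triage(SAMPLE).items():
        print(f"{rule:18} {hit}")
```

Run it against a few of your own legitimate Comcast notifications before turning the COMCAST_VM_FROM idea into a scored rule; as John notes, whether that one is safe depends on what real voicemail announcements from Comcast look like in your mailbox.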


Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread Matthias Leisi
> 
> 15 X-Spam-Status: No, score=-2.7 required=4.0 tests=BAYES_50,DKIM_SIGNED,
> 16 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID,
> 17 MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI,
> 18 RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
> 19 autolearn_force=no version=3.4.2

It’s not immediately obvious which IP should hit RCVD_IN_DNSWL_HI. None of the 
IPs mentioned are on that level at dnswl.org (and I assume 
also not in the mailspike data).

— Matthias



Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread Greg Troxel

(You got other good advice; I'll try to avoid being redundant.)

This looks like it really came from comcast's servers, but it's hard to
read headers that have been miswrapped.

I tend to tweak up scores of rules that fire on spam that slips through,
and tweak down scores of rules that misfire on ham.

I would recommend running spamassassin -t on this to see what points are
from what rules; the passing score doesn't show this but if you use -t
you'll see it all at the end.

RCVD_IN_DNSWL_HI really seems strange.  Perhaps comcast has separate IP
blocks for mail from them, and mail from customers (verizon for example,
back when they did customer mail, had verizon.com and verizon.net, which
I suspect had separate MTAs).  I really don't understand DNSWL listing
criteria for HI, but to me that should indicate that there is a
vanishingly small chance of spam, and that more or less means only
company-originated mail, and definitely not mail sent by random
customers some of whom might have compromised accounts.

So I would look to moderate the negative score from DNSWL_HIGH, as you
have a counterexample to the ham-only theory.




Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread Matus UHLAR - fantomas

On 28.03.21 12:01, Steve Dondley wrote:

The email below slipped through my spam filter.

It has malicious content attached which purports to be a voicemail 
from comcast (I've snipped the attachment from the example) but it is 
actually a phishing attack. The attachment contains a link that goes 
to a web page at an obscure domain that prompts you to log into your 
comcast account.


As you can see by the headers, this email was well-trusted by SA with 
a score of -2.7.


I don't think I can rely much on bayes filtering for these kinds of 
emails since the body has so little text (or do I make a bad 
assumption here?). And to my untrained eye, the only thing that looks 
suspicious is line 40 which says: "smtprelay.hostedemail.com".


So what's the giveaway that this is spam and what rule can I add to 
get SA to recognize it as such? And what is the best way for me to 
learn how to analyze the headers so I can recognize spam myself? Any 
good tutorials for this?


- BAYES_50 means the BAYES filter didn't decide.  You can train it by feeding it
into "spamassassin -r"

- RCVD_IN_DNSWL_HI and RCVD_IN_MSPIKE_H2 are both whitelists.
That means that the sending IP is in two separate whitelists.

Probably you could forward it to ab...@comcast.net for them to handle
that.  Otherwise you can manually change the scores for them (looks like the score
of RCVD_IN_MSPIKE_H2 was already decreased, from what I remember)

- INVALID_MSGID, MSGID_FROM_MTA_HEADER and OBFU_TEXT_ATTACH are spam signs.
this shows that the mail was really messed up


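Matthias asks which IP hit RCVD_IN_DNSWL_HI, and Greg and Matus both suggest reading the per-rule scores and then moderating the whitelist score. In the stock ruleset the RCVD_IN_DNSWL_* rules query the "last external" relay, i.e. the first host outside your trusted_networks walking the Received chain from your own MTA outward, which here is resqmta-po-05v.sys.comcast.net [96.114.154.164] and not the hostedemail.com relay further down. The following is an added example, not code from the thread or from SpamAssassin: it unfolds the headers, picks that relay, builds the dnswl.org query name and decodes its answer, parses the X-Spam-Status rule list, and does the score what-if. The header excerpt is constructed from the headers Steve posted, and the -5.0 default for RCVD_IN_DNSWL_HI is an assumed SpamAssassin 3.4 value that should be checked against 50_scores.cf on the actual install.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the headers Steve posted (X-Spam-Status plus the
# Received chain), newest header first, continuation lines indented.
HEADERS = """\
X-Spam-Status: No, score=-2.7 required=4.0 tests=BAYES_50,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID,
    MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI,
    RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
    autolearn_force=no version=3.4.2
Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [96.114.154.164])
    by email.example.org (Postfix) with ESMTPS id F22E6215BD
Received: from resimta-po-42v.sys.comcast.net ([96.114.154.212])
    by resqmta-po-05v.sys.comcast.net with ESMTP
Received: from smtprelay.hostedemail.com ([216.40.44.63])
    by resimta-po-42v.sys.comcast.net with ESMTP
Received: from omf14.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60])
    by smtprelay03.hostedemail.com (Postfix) with ESMTP id 03D8F837F24D
"""

# Assumed stock SpamAssassin 3.4 score for the rule under discussion.
ASSUMED_DNSWL_HI_SCORE = -5.0

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 continuation lines; return (name, value) pairs in order."""
    out: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            name, value = out[-1]
            out[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            out.append((name.strip(), value.strip()))
    return out


def header_value(headers, name: str) -> str:
    """First value of a header, matched case-insensitively."""
    return next((v for n, v in headers if n.lower() == name.lower()), "")


def received_ips(headers) -> List[str]:
    """Bracketed relay IPs from the Received headers, newest first."""
    ips = []
    for name, value in headers:
        if name.lower() == "received":
            m = IPV4.search(value)
            if m:
                ips.append(m.group(1))
    return ips


def last_external_ip(ips: List[str], trusted_prefixes=("127.",)) -> str:
    """First relay outside trusted_networks (assumed here to be loopback only);
    this is the IP the RCVD_IN_DNSWL_* rules look up."""
    for ip in ips:
        if not ip.startswith(trusted_prefixes):
            return ip
    return ""


def dnswl_query_name(ip: str) -> str:
    """Reverse the octets under list.dnswl.org, as for any DNS-based list."""
    return ".".join(reversed(ip.split("."))) + ".list.dnswl.org"


def dnswl_trust_level(answer: str) -> str:
    """Decode a dnswl.org A record 127.0.<category>.<trust>; trust 3 is HI."""
    levels = {"0": "NONE", "1": "LOW", "2": "MED", "3": "HI"}
    octets = answer.split(".")
    if len(octets) != 4 or octets[:2] != ["127", "0"]:
        return "NOT_LISTED"
    return levels.get(octets[3], "UNKNOWN")


def parse_spam_status(value: str) -> Tuple[float, float, List[str]]:
    """Extract score, required threshold and the fired rule names."""
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=([\d.]+)", value).group(1))
    tests = re.search(r"tests=([A-Z0-9_,\s]+?)\s+autolearn", value).group(1)
    rules = [t.strip() for t in tests.split(",") if t.strip()]
    return score, required, rules


def rescore(score: float, required: float,
            overrides: Dict[str, Tuple[float, float]]) -> Tuple[float, bool]:
    """Total after swapping rule scores {rule: (old, new)}; a new custom rule
    is the same operation with old == 0.0. Returns (score, is_spam)."""
    new = score + sum(n - o for o, n in overrides.values())
    return round(new, 3), new >= required


if __name__ == "__main__":
    hdrs = unfold_headers(HEADERS)
    relay = last_external_ip(received_ips(hdrs))
    print("last external relay:", relay, "->", dnswl_query_name(relay))
    score, required, rules = parse_spam_status(header_value(hdrs, "X-Spam-Status"))
    print("fired rules:", ", ".join(rules))
    print("DNSWL_HI at -1.0:", rescore(score, required,
          {"RCVD_IN_DNSWL_HI": (ASSUMED_DNSWL_HI_SCORE, -1.0)}))
    print("plus FUZZY_XFINITY_FM 3.0:", rescore(score, required,
          {"RCVD_IN_DNSWL_HI": (ASSUMED_DNSWL_HI_SCORE, -1.0),
           "FUZZY_XFINITY_FM": (0.0, 3.0)}))
```

The what-if shows why Greg's score tweak and John's custom rule go together: softening RCVD_IN_DNSWL_HI from -5.0 to -1.0 lifts this message to about 1.3, still well under the 4.0 threshold, and only a positive rule on the obfuscated From pushes it over. To check the listing itself, resolve the printed query name with dig and compare the answer with dnswl_trust_level; a result of 127.0.x.3 is what the HI rule matches.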

What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread Steve Dondley

The email below slipped through my spam filter.

It has malicious content attached which purports to be a voicemail from 
comcast (I've snipped the attachment from the example) but it is 
actually a phishing attack. The attachment contains a link that goes to 
a web page at an obscure domain that prompts you to log into your 
comcast account.


As you can see by the headers, this email was well-trusted by SA with a 
score of -2.7.


I don't think I can rely much on bayes filtering for these kinds of 
emails since the body has so little text (or do I make a bad assumption 
here?). And to my untrained eye, the only thing that looks suspicious is 
line 40 which says: "smtprelay.hostedemail.com".


So what's the giveaway that this is spam and what rule can I add to get 
SA to recognize it as such? And what is the best way for me to learn how 
to analyze the headers so I can recognize spam myself? Any good 
tutorials for this?




  1 Return-Path: 
  2 Delivered-To: catch...@example.org
  3 Received: from email.example.org
  4 by email.example.org with LMTP
  5 id EkqVDIVdYGCceQAAW5pcLQ
  6 (envelope-from 
)

  7 for ; Sun, 28 Mar 2021 06:42:13 -0400
  8 Received: by email.example.org (Postfix, from userid 115)
  9 id 2489422533; Sun, 28 Mar 2021 06:42:13 -0400 (EDT)
 10 Authentication-Results: email.example.org;
 11 dkim=pass (2048-bit key; secure) header.d=comcast.net 
header.i=@comcast.net header.b="PSvQlJTc";

 12 dkim-atps=neutral
 13 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on 
email.example.org

 14 X-Spam-Level:
 15 X-Spam-Status: No, score=-2.7 required=4.0 
tests=BAYES_50,DKIM_SIGNED,
 16 
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID,

 17 MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI,
 18 RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS 
autolearn=unavailable

 19 autolearn_force=no version=3.4.2
 20 Received-SPF: Pass (mailfrom) identity=mailfrom; 
client-ip=96.114.154.164; helo=resqmta-po-05v.sys.comcast.net; 
envelope-from=x-flnltycomcastvoicemail_ref.no01...@comcast.net; 
receiver=
 21 Received: from resqmta-po-05v.sys.comcast.net 
(resqmta-po-05v.sys.comcast.net [96.114.154.164])
 22 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
(256/256 bits))

 23 (No client certificate requested)
 24 by email.example.org (Postfix) with ESMTPS id F22E6215BD
 25 for ; Sun, 28 Mar 2021 06:42:11 -0400 
(EDT)

 26 Received: from resimta-po-42v.sys.comcast.net ([96.114.154.212])
 27 by resqmta-po-05v.sys.comcast.net with ESMTP
 28 id QSrxlUJdvoWleQSrxlMdfB; Sun, 28 Mar 2021 10:42:09 +
 29 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net;
 30 s=20190202a; t=1616928129;
 31 bh=vkwV5ud3feChWZLQsYrnwAqC5q/gOtq5c2+sZwvKGUI=;
 32 
h=Received:Received:Message-ID:Received:Received:From:Subject:To:

 33  Content-Type:MIME-Version:Date;
 34 
b=PSvQlJTcBWsdJnqw5X2ghcFhFC/KDs9orh5uzVOpepDAf2rxUTc3bG03diY25hkLB
 35  
fKraMiHrMsG0UjujPtZPBZ10Wvs+b/pCliySBbDhG4hPak0kJwkoe8INCCabIiNkCc
 36  
8LcCU2x8x5mK0WrbPxGQatIXplKMnAjK7Tr/v27aGvxFxfBjkeDL7DrG6AHNvjtv+P
 37  
N8/WmgYIX2MldH9NM5DFb1OIsENAGdRT2SQnBW+t67wJ9JvIl6D8ZpAXLK0Ra8rrZw
 38  
GbL3gsz49PAoDxAJTuMpWnvmef6J7o/xwV98mMj9s0Dyk3Y+IF2xtoz6CVzDjK/nHy

 39  7YHOQjMWIrXJQ==
 40 Received: from smtprelay.hostedemail.com ([216.40.44.63])
 41 by resimta-po-42v.sys.comcast.net with ESMTP
 42 id QSrwlZX7FX3qEQSrwlyoxt; Sun, 28 Mar 2021 10:42:08 +
 43 X-Xfinity-VAAS: 
gggruggvucftvghtrhhoucdtuddrgeduledrudehiedgfeduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvehomhgtrghsthdqtfgvshhinecuuegrihhlohhuthemuceftddunecuogfntfdquehouhhnugdqtfefvdculdehmdenucfjughrpefhuffvtgggffesmhdttdertddttdenucfhrhhomhepfdgiqdfhlhfplhfvjggtohhmtggrshhtvhhoihgtvghmrghilhgprhgvfhdrnhhotddujfffufestghomhgtrghsthdrnhgvthdfuceoigdqhfhlpfhlvfgjtghomhgtrghsthhvohhitggvmhgrihhlpghrvghfrdhnohdtudfjfffusegtohhmtggrshhtrdhnvgh 
   
tqeenucggtffrrghtthgvrhhnpeduvddtkeduleehvdejkeeludfhhffghefhgeegjeefgeejveeiuedtgfeitdelieenucfkphepvdduiedrgedtrdeggedrieefpdeivddrudekvddrleelrdelgeenucevlhhushhtvghrufhiiigvpeefnecurfgrrhgrmhephhgvlhhopehsmhhtphhrvghlrgihrdhhohhsthgvuggvmhgrihhlrdgtohhmpdhinhgvthepvdduiedrgedtrdeggedrieefpdhmrghilhhfrhhomhepgidqfhhlnhhlthihtghomhgtrghsthhvohhitggvmhgrihhlpghrvghfrdhnohdtudhhughssegtohhmtggrshhtrdhnvghtpdhrtghpthhtohepihgsvgifgeehheestghomhgtrg 
   hsthdrnhgvthdprhgtphhtthhopehofhhfihgtvgesihgsvgifgeehhedrohhrgh

 44 X-Xfinity-VMeta: sc=5.00;st=legit
 45 X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=4;DMARC=F
 46 Message-ID: 
qsrwlzx7fx3qeqsrwlyoxt.1616928128.bcb9cc98f861a2c7a8b119d18ed7fa74.missin...@comcast.net
 47 Received: from omf14.hostedemail.com (clb03-v110.bra.tucows.net 
[216.40.38.60])
 48 by smtprelay03.hostedemail.com (Postfix) with ESMTP id 
03D8F837F24D
 49