Re: free tlds considered as freemail ?

2020-11-10 Thread Ángel
On 2020-11-09 at 11:42 +0100, Benny Pedersen wrote:
> i mean if the tld is free, can the domain name be non free then ?

Yes. Even though the TLD offers domains for free (not tlds for free
:P) there is a paying layer where you can pay money for having them.

I have seen a spammer use such kind of paid domain. Too bad, as it
would have been simpler to have their domain canceled if it was on the
free tier.

Regards


Re: free tlds considered as freemail ?

2020-11-09 Thread Benny Pedersen

Dan Malm wrote on 2020-11-09 10:31:


I just consider free tlds spam (at least some of them):


thanks, will try to add it to the rule set i have here; the .ly tld is the one i
would like to add. you have it outside of freemail, so this is what i will
maybe change it to, so it is just freemail rule hits, not more custom
rule names as it will be with what you do


i mean if the tld is free, can the domain name be non free then ?


Re: free tlds considered as freemail ?

2020-11-09 Thread Dan Malm
On 2020-11-09 09:10, Benny Pedersen wrote:
> maybe if it could be done in freemail ?
> 
> is it incorrect bark to bark on ?
> 
> i write it to get some debate on it, not to begin implementing anything yet

I just consider free tlds spam (at least some of them):
header   DAM_SOMETLD_ARE_WORSE_TLD_FROM  From:addr =~ /\.(tk|ml|ga|cf|gq)$/i
describe DAM_SOMETLD_ARE_WORSE_TLD_FROM  Free TLD Abuse
score    DAM_SOMETLD_ARE_WORSE_TLD_FROM  5

uri      DAM_SOMETLD_ARE_WORSE_TLD_URI   /\.(tk|ml|ga|cf|gq)($|\/)/i
describe DAM_SOMETLD_ARE_WORSE_TLD_URI   Free TLD Abuse
score    DAM_SOMETLD_ARE_WORSE_TLD_URI   1.5

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com


pEpkey.asc
Description: application/pgp-keys
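
An added check, not part of Dan's post or of SpamAssassin: the two patterns above transcribed into Python and run against constructed From addresses and URIs, next to a host-only variant. It shows the caveat a practitioner would want before giving the URI rule 1.5 points: the URI pattern is applied to the whole extracted URI, so a path ending in main.ml or local.cf hits it, while a host followed by a port (example.ml:8080) slips past it. The FREE_TLDS tuple, the sample inputs and the function names are my assumptions.

```python
import re
from urllib.parse import urlsplit

FREE_TLDS = ("tk", "ml", "ga", "cf", "gq")   # the five TLDs in the rules above (assumption: complete list)

# The two patterns from the rules, transcribed; Perl and Python agree on this syntax.
FROM_ADDR_RE = re.compile(r"\.(tk|ml|ga|cf|gq)$", re.I)
URI_RE = re.compile(r"\.(tk|ml|ga|cf|gq)($|/)", re.I)


def free_tld_from(addr: str) -> bool:
    """What DAM_SOMETLD_ARE_WORSE_TLD_FROM sees: From:addr hands over the bare
    address, so the $ anchor really is the end of the TLD."""
    return FROM_ADDR_RE.search(addr) is not None


def free_tld_uri(uri: str) -> bool:
    """What DAM_SOMETLD_ARE_WORSE_TLD_URI sees: the pattern runs over the whole
    extracted URI, path included, so a file extension can match too."""
    return URI_RE.search(uri) is not None


def free_tld_uri_host(uri: str) -> bool:
    """Hardened variant (my code): decide on the host's last label only, so a path
    ending in .ml or .cf cannot match and a port, userinfo or query after the host
    cannot hide the TLD."""
    if "://" not in uri:
        uri = "http://" + uri            # bare www.host/... URIs get a scheme for urlsplit
    host = (urlsplit(uri).hostname or "").rstrip(".")
    return host.rpartition(".")[2].lower() in FREE_TLDS


# Constructed samples: addresses/URIs that the three checks treat differently.
SAMPLE_ADDRS = ["user@example.tk", "user@tk.example.com", "user@example.COM"]
SAMPLE_URIS = [
    "http://example.ml/login",                          # real free-TLD host
    "https://github.com/foo/bar/blob/main/main.ml",     # OCaml source in the path
    "https://spamassassin.apache.org/doc/local.cf",     # SpamAssassin config in the path
    "http://example.ml:8080/x",                         # port after the host
    "www.example.tk/x",                                 # no scheme
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRS:
        print(f"{a:40} from-rule={free_tld_from(a)}")
    for u in SAMPLE_URIS:
        print(f"{u:50} uri-rule={free_tld_uri(u)!s:5} host-only={free_tld_uri_host(u)}")
```

Run it as a script and the two URI columns disagree exactly on the path and port cases; the host-only check is the one to use if you score the rule high.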


free tlds considered as freemail ?

2020-11-09 Thread Benny Pedersen

maybe if it could be done in freemail ?

is it incorrect bark to bark on ?

i write it to get some debate on it, not to begin implementing anything 
yet


Re: SPOOFED_FREEMAIL hitting non-spoofed freemail?

2019-09-18 Thread John Hardin

On Wed, 18 Sep 2019, RW wrote:


On Wed, 18 Sep 2019 15:30:46 +0200
Dan Malm wrote:


Ok, I'm pretty sure this is mostly on my end, but I think there are
also some issues with the __NOT_SPOOFED meta rule.

1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
machine when running spamassassin with the -L parameter.

2: The reason (I assume) that I get the rule hit on my servers is this
which I get when I run a manual spamassassin check with debugging
enabled: dbg: dkim: cannot load Mail::DKIM module, DKIM checks
disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to
install the Mail::DKIM::Verifier module) (@INC contains: lib
/usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/site_perl/mach/5.28
/usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line
675.

So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
__NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
ignore errors with the DKIM validity check.


The rules will work around the DKIM plugin not being loaded by switching
to a simple header test for the signature, but they can't cope with
DKIM being otherwise disabled. __NOT_SPOOFED is still checking for
SPF_PASS.

The rule QA webpage shows results for score set 0 (no net, no Bayes).

From other results I've seen, I think this has net plugins loaded, but
unused. That means that !__NOT_SPOOFED is unconditionally true, so
SPOOFED_FREEMAIL is effectively then FREEMAIL_FROM && !__FS_SUBJ_RE.


Added tflags net to the SPOOFED_FREEM family and one or two others relying 
on !__NOT_SPOOFED as part of the basic logic.


Sending        svn/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Sending        svn/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf
Transmitting file data ..done
Committing transaction...
Committed revision 1867148.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason;
  it also shuts down in sympathy when the servers at Microsoft crash.
---
 Tomorrow: Talk Like a Pirate day


Re: SPOOFED_FREEMAIL hitting non-spoofed freemail?

2019-09-18 Thread RW
On Wed, 18 Sep 2019 15:30:46 +0200
Dan Malm wrote:

> Ok, I'm pretty sure this is mostly on my end, but I think there are
> also some issues with the __NOT_SPOOFED meta rule.
> 
> 1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
> machine when running spamassassin with the -L parameter.
> 
> 2: The reason (I assume) that I get the rule hit on my servers is this
> which I get when I run a manual spamassassin check with debugging
> enabled: dbg: dkim: cannot load Mail::DKIM module, DKIM checks
> disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to
> install the Mail::DKIM::Verifier module) (@INC contains: lib
> /usr/local/lib/perl5/site_perl
> /usr/local/lib/perl5/site_perl/mach/5.28
> /usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
> /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line
> 675.
> 
> So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
> __NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
> ignore errors with the DKIM validity check.

The rules will work around the DKIM plugin not being loaded by switching
to a simple header test for the signature, but they can't cope with
DKIM being otherwise disabled. __NOT_SPOOFED is still checking for
SPF_PASS.

The rule QA webpage shows results for score set 0 (no net, no Bayes).
From other results I've seen, I think this has net plugins loaded, but
unused. That means that !__NOT_SPOOFED is unconditionally true, so
SPOOFED_FREEMAIL is effectively then FREEMAIL_FROM && !__FS_SUBJ_RE.
This won't reflect the actual results in score set 0/2 with the plugins
unloaded or the results in sets 1/3. 


Re: SPOOFED_FREEMAIL hitting non-spoofed freemail?

2019-09-18 Thread Dan Malm
Ok, I'm pretty sure this is mostly on my end, but I think there are also
some issues with the __NOT_SPOOFED meta rule.

1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
machine when running spamassassin with the -L parameter.

2: The reason (I assume) that I get the rule hit on my servers is this
which I get when I run a manual spamassassin check with debugging enabled:
dbg: dkim: cannot load Mail::DKIM module, DKIM checks disabled: Can't
locate Mail/DKIM/Verifier.pm in @INC (you may need to install the
Mail::DKIM::Verifier module) (@INC contains: lib
/usr/local/lib/perl5/site_perl /usr/local/lib/perl5/site_perl/mach/5.28
/usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line 675.

So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
__NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
ignore errors with the DKIM validity check.

On 9/18/19 2:07 PM, Dan Malm wrote:
> Hi,
> 
> I've gotten some reports about mails from hotmail being incorrectly
> filtered as spam on my systems. I'm seeing a lot of perfectly valid,
> non-spoofed mails from them hitting the SPOOFED_FREEMAIL rule. Is anyone
> else seeing the same, or is it some issue in my configuration?
> 
> RuleQA seems to indicate something being wrong if I'm reading this
> correct though:
> 
> overlap spam: 100% of SPOOFED_FREEMAIL hits also hit FREEMAIL_FROM; 99%
> of FREEMAIL_FROM hits also hit SPOOFED_FREEMAIL (ham 100%)
> 
> 100% of ham that hits FREEMAIL_FROM also hits SPOOFED_FREEMAIL?
> https://ruleqa.spamassassin.org/20190917-r1867043-n/SPOOFED_FREEMAIL/detail
> 

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com


pEpkey.asc
Description: application/pgp-keys


SPOOFED_FREEMAIL hitting non-spoofed freemail?

2019-09-18 Thread Dan Malm
Hi,

I've gotten some reports about mails from hotmail being incorrectly
filtered as spam on my systems. I'm seeing a lot of perfectly valid,
non-spoofed mails from them hitting the SPOOFED_FREEMAIL rule. Is anyone
else seeing the same, or is it some issue in my configuration?

RuleQA seems to indicate something being wrong if I'm reading this
correct though:

overlap spam: 100% of SPOOFED_FREEMAIL hits also hit FREEMAIL_FROM; 99%
of FREEMAIL_FROM hits also hit SPOOFED_FREEMAIL (ham 100%)

100% of ham that hits FREEMAIL_FROM also hits SPOOFED_FREEMAIL?
https://ruleqa.spamassassin.org/20190917-r1867043-n/SPOOFED_FREEMAIL/detail

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com


pEpkey.asc
Description: application/pgp-keys


Postfix - Spamassassin and MailSpike FreeMail

2017-03-09 Thread Maurizio Caloro

Hello Spamassassin

Please, I need to add the MailSpike and FreeMail functions; I see that here,
running a local.cf file, I need
to add some settings for these two services.

But I don't know how to do this; I have tried to read man spamassassin but
I found nothing.

So please can you give me a link, in which direction I need to read?

Thanks for your Information.



I don't know why Perl here shows this warning.

root@caloro:/etc# spamassassin -V
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_PAPER = "de_CH.UTF-8",
LC_ADDRESS = "de_CH.UTF-8",
LC_MONETARY = "de_CH.UTF-8",
LC_NUMERIC = "de_CH.UTF-8",
LC_TELEPHONE = "de_CH.UTF-8",
LC_IDENTIFICATION = "de_CH.UTF-8",
LC_MEASUREMENT = "de_CH.UTF-8",
LC_TIME = "de_CH.UTF-8",
LC_NAME = "de_CH.UTF-8",
LANG = "de_DE.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("de_DE.UTF-8").
SpamAssassin version 3.4.0
  running on Perl version 5.20.2

Running with
Linux caloro.ch 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) 
x86_64 GNU/Linux



--

Thanks
Mauri



Re: freemail

2016-09-27 Thread Ruga
send evidence to protonmail admin:
they will close the account

Sent from ProtonMail Mobile


On Tue, Sep 27, 2016 at 6:11 PM, Axb <'axb.li...@gmail.com'> wrote:
On 09/27/2016 06:05 PM, Benny Pedersen wrote:
>
> got spam from it
>
> protonmail.com
> protonmail.ch
>
> is missing in spamassassin
>
> i can provide sample to rule maintainers on request

20_freemail_domains.cf

Committed revision 1762511.

Re: freemail

2016-09-27 Thread Axb

On 09/27/2016 06:05 PM, Benny Pedersen wrote:


got spam from it

protonmail.com
protonmail.ch

is missing in spamassassin

i can provide sample to rule maintainers on request


20_freemail_domains.cf

Committed revision 1762511.


freemail

2016-09-27 Thread Benny Pedersen


got spam from it

protonmail.com
protonmail.ch

is missing in spamassassin

i can provide sample to rule maintainers on request


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-26 Thread jasonsu


On Sun, Jun 26, 2016, at 02:15 AM, Groach wrote:
> Am I right to think this implies that there is a setting or some other 
> mechanism that stops rules that have a Zero score from being run in the 
> first place? A flag or something? (I ask because I still have Zero score 
> rule results run and included in the headers and in this case the 
> FREEMAIL rule would still have been apparent).  Could you explain please?

Yep.


https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#scoring_options

score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
...
Setting a rule's score to 0 will disable that rule from running.
...

> (And why did your updates file have them as Zero scores?  Have you 
> worked out why?)

No clue. And looking at a couple of other installs, no such problem.

The only thing that caught my attention was that  the update date of a couple 
of files was different -- including the one with the freemail scores.

What I did not check before deleting & re-updating with a clean set of updates was 
file corruption, and perms.   But too late now, unfortunately.  I checked my 
update cron jobs, and they seem to be working fine now, too.

Jason



Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu
Noel

On Sat, Jun 25, 2016, at 06:31 PM, Noel Butler wrote:
> ignoring the usual trolls  Benny and Harry (Reindl)

got it

> "  loadplugin Mail::SpamAssassin::Plugin::FreeMail "   is actually  loaded?

yep

> /var/lib/spamassassin/3.004001/updates_spamassassin_org/20_freemail.cf

I think that's it.  The 20_freemail.cf in release had non-zero score.  The 
updates/ file had =ZERO scores.  So not firing at all.

Deleted the updates folder, re ran updates, and now there are non-zero scores.  
Bit of a different mystery, but that solves the not-firing problem for now.  
Didn't think to check the SA distro's files ...

> also, you may care to investigate clear_uridnsbl_skip_domain  not saying 
> this is related, but its also a good thing to use ;)

yep.  in use.

> Lastly, I've used the freemail rules since long before they were in SA 
> release, some of the default scores were low, so you might want to play 
> around upping them in a local cf once you get it working.

Care to share what your local.cf's FREEMAIL* tweaks are?  I understand it 
varies by server & context -- I'm just curious as to the magnitude of 
change/difference an experienced user has seen/chosen.

Thanks.

Jason


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen

On 2016-06-26 02:14, Reindl Harald wrote:

On 26.06.2016 at 02:02, Benny Pedersen wrote:

On 2016-06-26 01:47, Reindl Harald wrote:

Authentication-Results: spf.mail.example.com; spf=softfail 
(domain

owner discourages use of this host) smtp.mailfrom=gmail.com
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)


so why not reject softfail based on it ?


because he is no fool and likely responsible for others' mail?


and its asked why do i get spam with spf softfails


nobody asked that, the only one talking about SPF_SOFTFAIL is you


there is multiple problems in the above, so just try to help with them 
aswell


https://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

is envelope_sender_header set up correctly on the spamassassin installation? it 
helps freemail as well if it is


who says gmail was the envelope sender really ?

all this debate here would be closed if that softfail was rejected, but now 
it's endless


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Reindl Harald



On 26.06.2016 at 02:02, Benny Pedersen wrote:

On 2016-06-26 01:47, Reindl Harald wrote:


Authentication-Results: spf.mail.example.com; spf=softfail (domain
owner discourages use of this host) smtp.mailfrom=gmail.com
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)


so why not reject softfail based on it ?


because he is no fool and likely responsible for others' mail?


and its asked why do i get spam with spf softfails


nobody asked that, the only one talking about SPF_SOFTFAIL is you



signature.asc
Description: OpenPGP digital signature


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu
Huh?

> and its asked why do i get spam with spf softfails

No, I'm not asking about the 'softfail'.  At all.

>  recipient have wanted that spam

Um, no.

> possible spam that is not spam but  relaying fails

Again, huh?

I'm asking a simple question -- what SA test detects the multiple freemail biz?



Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen

On 2016-06-26 01:47, Reindl Harald wrote:

Authentication-Results: spf.mail.example.com; spf=softfail 
(domain

owner discourages use of this host) smtp.mailfrom=gmail.com
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)


so why not reject softfail based on it ?


because he is no fool and likely responsible for others' mail?


and its asked why do i get spam with spf softfails

the recipient has wanted that spam, possibly spam that is not spam but 
relaying fails


thats all i know for now


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Reindl Harald


On 26.06.2016 at 01:06, Benny Pedersen wrote:

On 2016-06-26 00:29, jaso...@mail-central.com wrote:


Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f;
dmarc=none header.from=gmail.com


https://dane.sys4.de/smtp/gmail.com


Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
header.i=@yahoo.com header.b=UFAXzzUL


https://dane.sys4.de/smtp/yahoo.com


Authentication-Results: spf.mail.example.com; spf=softfail (domain
owner discourages use of this host) smtp.mailfrom=gmail.com
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)


so why not reject softfail based on it ?


because he is no fool and likely responsible for others' mail?

SPF_SOFTFAIL != SPF_FAIL and when you don't understand the difference 
better don't comment at all



oh yahoo client use gmail, hmm :=)


yes that's the topic


that user should use smtp auth on gmail, not use yahoo smtp servers for
relaying


yes that's the topic

there seems to be no rule for

From 'freemail' @GMAIL
ReplyTo 'freemail' @HOTMAIL

FREEMAIL_FORGED_REPLYTO "Freemail in Reply-To, but not From" comes close, 
but doesn't hit because both are freemail *but different* ones




signature.asc
Description: OpenPGP digital signature


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen



Sorry, I really don't understand any of that.


and this is my problem

What relevance are the links to dane.sys4.de, and the rest of the 
comments?


same as mangled example.org ?


Like I said, I'm asking about 'freemail' detection in SA, why they're
not used here, and how to config correctly so I do.


spamassassin 2>&1 -D -t msgfile

output from this is ?

sorry cant help more


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu

>   https://dane.sys4.de/smtp/gmail.com

>   https://dane.sys4.de/smtp/yahoo.com

>   so why not reject softfail based on it ?

>   oh yahoo client use gmail, hmm :=)

>   that user should use smtp auth on gmail, not use yahoo smtp servers for 
> relaying

>   and note DNSSEC is not needed to make it worse

Sorry, I really don't understand any of that.

What relevance are the links to dane.sys4.de, and the rest of the comments?

Like I said, I'm asking about 'freemail' detection in SA, why they're not used 
here, and how to config correctly so I do.

Jason


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen

On 2016-06-26 00:29, jaso...@mail-central.com wrote:


Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f;
dmarc=none header.from=gmail.com


https://dane.sys4.de/smtp/gmail.com


Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
header.i=@yahoo.com header.b=UFAXzzUL


https://dane.sys4.de/smtp/yahoo.com


Authentication-Results: spf.mail.example.com; spf=softfail (domain
owner discourages use of this host) smtp.mailfrom=gmail.com
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)


so why not reject softfail based on it ?

oh yahoo client use gmail, hmm :=)

that user should use smtp auth on gmail, not use yahoo smtp servers for 
relaying


and note DNSSEC is not needed to make it worse


Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu
An inbound spam was caught by SpamAssassin, flagged with

BAYES_50=0.8
DCC_CHECK=1.1
DIGEST_MULTIPLE=0.293
HTML_MESSAGE=0.001
MIME_HTML_MOSTLY=0.428
MISSING_HEADERS=1.021
PYZOR_CHECK=2.5
REPLYTO_WITHOUT_TO_CC=1.552

To get to SA, it snuck by my DNSBLS, and passed SPF/DKIM/DMARC tests,

Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f; 
dmarc=none header.from=gmail.com

Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
dkim=pass (2048-bit key; unprotected) header.d=yahoo.com 
header.i=@yahoo.com header.b=UFAXzzUL

Authentication-Results: spf.mail.example.com; spf=softfail (domain 
owner discourages use of this host) smtp.mailfrom=gmail.com 
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com; 
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)

(TBH, I'm not exactly clear on how/why a msg this fake gets by all 3; need to 
take a closer look at that !)

But, not being caught is NOT my current question.

Instead, I'd like to know which specific test I can use to hit/score the 
'freemail' whack-a-mole.

For example, this particular email is

Sent via 'freemail' @ YAHOO
From 'freemail' @GMAIL
ReplyTo 'freemail' @HOTMAIL

Here are some of the headers

Received: from nm12-vm1.bullet.mail.ir2.yahoo.com 
(nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
by mail.example.com (Postfix) with ESMTPS
for <u...@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
...
From: Dion Joelle <mrs.djoe...@gmail.com>
Reply-To: Dion Joelle <mrs.dion...@hotmail.com>
Message-ID: <#.javamail.ya...@mail.yahoo.com>

What I don't see there are any of the FREEMAIL hits.

Obviously, the fake freemail 'trifecta' (gmail/hotmail/yahoo) is an easy 
signature to hit on.

I just need some guidance as to what test I need to use/configure/enable to 
hit/score on this pattern/behavior?

Jason
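
The From/Reply-To pattern Jason describes, as an added example (my code, not a SpamAssassin rule or plugin): it parses From, Reply-To and Message-ID with Python's email module, maps each to a freemail provider, and reports which rules would fire. It shows the gap Reindl points out later in the thread: the stock FREEMAIL_FORGED_REPLYTO only covers a freemail Reply-To with a non-freemail From, so a Gmail From with a Hotmail Reply-To gets nothing from it. FREEMAIL_DOMAINS is a constructed five-entry stand-in for 20_freemail_domains.cf, the three sample messages are constructed (the thread's real addresses are elided), and FREEMAIL_REPLYTO_MISMATCH and FREEMAIL_TRIFECTA are hypothetical rule names.

```python
import email
from email.policy import default
from email.utils import parseaddr
from typing import Optional

# Constructed stand-in for SpamAssassin's freemail_domains list; the shipped file is far longer.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "aol.com"}


def freemail_provider(host: str) -> Optional[str]:
    """The freemail domain that host equals or sits under (mail.yahoo.com -> yahoo.com), else None.
    Suffix matching stands in for SpamAssassin's registrar-boundary logic."""
    host = host.lower().rstrip(".")
    for d in FREEMAIL_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def address_domain(value: str) -> str:
    """Domain of the first address in a From:/Reply-To: value ('' when the header is absent)."""
    return parseaddr(value)[1].rpartition("@")[2]


def freemail_signals(raw: str) -> dict:
    """Classify one RFC 5322 message; returns the provider per header and the rule names that fire."""
    msg = email.message_from_string(raw, policy=default)
    msgid = str(msg.get("Message-ID", "")).strip("<> ")
    providers = {
        "from": freemail_provider(address_domain(str(msg.get("From", "")))),
        "reply_to": freemail_provider(address_domain(str(msg.get("Reply-To", "")))),
        "message_id": freemail_provider(msgid.rpartition("@")[2]),
    }
    hits = set()
    if providers["from"]:
        hits.add("FREEMAIL_FROM")
    if providers["reply_to"]:
        hits.add("FREEMAIL_REPLYTO")
    if providers["reply_to"] and not providers["from"]:
        hits.add("FREEMAIL_FORGED_REPLYTO")        # stock rule: freemail Reply-To, non-freemail From
    if providers["from"] and providers["reply_to"] and providers["from"] != providers["reply_to"]:
        hits.add("FREEMAIL_REPLYTO_MISMATCH")      # hypothetical: both freemail, different providers
    if len({p for p in providers.values() if p}) >= 3:
        hits.add("FREEMAIL_TRIFECTA")              # hypothetical: three providers across the three headers
    return {"providers": providers, "hits": hits}


# Constructed messages: the whack-a-mole pattern, a plain Gmail ham, and the case the stock rule covers.
SPAM = """\
From: Someone <someone@gmail.com>
Reply-To: Someone <someone.else@hotmail.com>
Message-ID: <1234.JavaMail.test@mail.yahoo.com>
Subject: constructed sample

body
"""
HAM = """\
From: Friend <friend@gmail.com>
Message-ID: <abcd1234@mail.gmail.com>
Subject: constructed sample

body
"""
FORGED = """\
From: Accounts <accounts@example.org>
Reply-To: Accounts <accounts.example@gmail.com>
Message-ID: <efgh5678@mail.example.org>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM), ("FORGED", FORGED)):
        print(name, freemail_signals(raw))
```

The SPAM sample gets FREEMAIL_FROM and FREEMAIL_REPLYTO from the stock-style checks but not FREEMAIL_FORGED_REPLYTO; only the two hypothetical checks separate it from the HAM sample, which is the point of Jason's question.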


Re: freemail spam

2016-03-25 Thread RW
On Fri, 25 Mar 2016 09:47:00 +
Cedric Knight wrote:

> On 25/03/16 00:55, Alex wrote:
> > Hi,
> > 
> > First, I'm wondering why parking.ru isn't among the freemail
> > domains?  
> 
> Probably because the FreeMail plugin is designed to detect the
> right-hand side of email addresses for providers like Gmail and AOL,
> and parking.ru looks like a general-purpose web host.  Does it offer
> free email service @parking.ru?

It doesn't actually matter whether it's free - freemail is a bit of a
misnomer.  It is, as you say, a list of domains used in email
addresses. That makes it much less effective on received headers
because it's very common for freemail providers to use separate domains
for server names.

It's also worth bearing in mind that legitimate mail from commonly
spoofed domains may be forwarded through freemail servers.  

> > I'm reading through the FREEMAIL_* rules, and wondered, how can I
> > build a rule that looks to see if email was passed through a
> > freemail domain?
> > 
> > I realize there's FREEMAIL_FROM, etc. I'm interested in something
> > like FREEMAIL_RECVD or something similar.  
> 
 
> > Having knowledge that a freemail sender was used in a spoof/phish
> > attempt I believe would be helpful.  


Re: freemail spam

2016-03-25 Thread Cedric Knight
On 25/03/16 00:55, Alex wrote:
> Hi,
> 
> First, I'm wondering why parking.ru isn't among the freemail domains?

Probably because the FreeMail plugin is designed to detect the
right-hand side of email addresses for providers like Gmail and AOL, and
parking.ru looks like a general-purpose web host.  Does it offer free
email service @parking.ru?

> Perhaps it should be added?

You could do that in your config with
  freemail_domains parking.ru

> Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
> by mail02.example.com (Postfix) with ESMTP id 6ED82347D26
> for <pa...@example.com>; Wed, 23 Mar 2016 17:42:50 -0400 (EDT)
> 
> I'm reading through the FREEMAIL_* rules, and wondered, how can I
> build a rule that looks to see if email was passed through a freemail
> domain?
> 
> I realize there's FREEMAIL_FROM, etc. I'm interested in something like
> FREEMAIL_RECVD or something similar.

There's no man page for Mail::SpamAssassin::Plugin::FreeMail, but the
comments include
# header FREEMAIL_HDRX eval:check_freemail_header('header' [, 'regex'])
#
# Searches defined header for freemail address. Optional regex to match
# the found address (like in check_freemail_from).

So you could do
  eval:check_freemail_header('Received')

However, this looks for full email addresses, so I don't think it's of
use to you, unless you want to catch 'example.com'.

[BTW I wrote an incomplete patch to this function in bug 6664 so it
could be used as:
header FREEMAIL_FORGED_REPLYTO4 eval:check_freemail_header('Reply-To','\@','From')
describe FREEMAIL_FORGED_REPLYTO4 Any Reply-To freemail not in From
and then exclude __HAS_IN_REPLY_TO __DOS_HAS_LIST_UNSUB etc, which
improves accuracy in picking up 419s.
I still mean to upload a correct patch.]

So isn't what you want something like this?
  header RCVD_DIRTY_SERVERS   Received =~ /\.parking\.ru/
or
  header RCVD_DIRTY_SERVERS   X-Spam-Relays-Untrusted =~ /helo=\S+\.(?:parking\.ru|dirty\.tld)/

> We're experiencing a higher than normal level of spoofing attempts,
> and don't have the ability to implement DKIM/DMARC at the moment. SPF
> is being worked on.
> 
> Having knowledge that a freemail sender was used in a spoof/phish
> attempt I believe would be helpful.

I'm seeing some 419s from parking.ru, but not what I'd call phish.  Do
you mean you're getting a lot of spam that comes from your own domain?
IMHO it's usually a mistake to focus on that characteristic, as it's
incidental.  It's better to check the first-level checks are working,
like RBLs.  Maybe pastebin some full samples?

HTH

CK
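
An added example (my code, not SpamAssassin's) of the relay-based check Cedric suggests instead of check_freemail_header('Received'): it parses Postfix-style Received headers newest-first, skips hops whose sending IP is inside a constructed trusted network, and tests every untrusted relay's HELO and reverse DNS against a dirty-relay list, roughly what the X-Spam-Relays-Untrusted helo= rule above does. It also scans the same headers for full e-mail addresses, to show why the address-based approach sees only the recipient. The Received chain, the trusted network prefix, the dirty-domain list, the freemail stand-in list and the rule name FREEMAIL_HDR_RECEIVED are assumptions.

```python
import re
import email
from email.policy import default

# Constructed: relay domains to flag (parking.ru from the question, dirty.tld from the rule above).
DIRTY_RELAY_DOMAINS = ("parking.ru", "dirty.tld")
# Constructed: our own network; a hop whose sending IP is here is a hand-off between our MTAs.
TRUSTED_NET_PREFIXES = ("10.0.0.",)
# Constructed stand-in for the freemail_domains list.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}

# Postfix-style hop: "from <helo> (<rdns> [<ip>]) by <host> ...". Other MTAs word this differently.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def under_domain(host: str, domains) -> bool:
    """True when host equals one of domains or is a subdomain of it."""
    host = host.lower().strip("[]").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_received(value: str):
    """helo/rdns/ip/by of one Received header, or None when it is not in the form we parse."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def untrusted_relays(raw: str):
    """Walk Received headers newest-first. The first hop whose sending IP is outside our
    network is the first untrusted relay; every hop below it is untrusted (and unverifiable)."""
    msg = email.message_from_string(raw, policy=default)
    hops, still_trusted = [], True
    for value in msg.get_all("Received", []):
        hop = parse_received(str(value))
        if hop is None:
            continue
        if still_trusted and hop["ip"].startswith(TRUSTED_NET_PREFIXES):
            continue                      # internal hand-off, added by one of our own MTAs
        still_trusted = False
        hops.append(hop)
    return hops


def addresses_in_received(raw: str) -> set:
    """What check_freemail_header('Received') gets to look at: full addresses only."""
    msg = email.message_from_string(raw, policy=default)
    return {a for v in msg.get_all("Received", []) for a in ADDR_RE.findall(str(v))}


def received_hits(raw: str) -> set:
    hits = set()
    for hop in untrusted_relays(raw):
        if under_domain(hop["helo"], DIRTY_RELAY_DOMAINS) or under_domain(hop["rdns"] or "", DIRTY_RELAY_DOMAINS):
            hits.add("RCVD_DIRTY_SERVERS")
    if any(under_domain(a.rpartition("@")[2], FREEMAIL_DOMAINS) for a in addresses_in_received(raw)):
        hits.add("FREEMAIL_HDR_RECEIVED")   # hypothetical name for a check_freemail_header('Received') rule
    return hits


# Constructed message: our edge MTA (10.0.0.2) took it from mail05.parking.ru, which took it from an
# authenticated client; the recipient is the only address that appears in any Received header.
SAMPLE = """\
Received: from mail02.example.com (mail02.example.com [10.0.0.2])
    by mail03.example.com (Postfix) with ESMTP id 1A2B3C4D
    for <alex@example.com>; Wed, 23 Mar 2016 17:42:51 -0400 (EDT)
Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
    by mail02.example.com (Postfix) with ESMTP id 5E6F7A8B
    for <alex@example.com>; Wed, 23 Mar 2016 17:42:50 -0400 (EDT)
Received: from [192.0.2.10] (unknown [192.0.2.10])
    by mail05.parking.ru (Postfix) with ESMTPA id 9C0D1E2F
    for <alex@example.com>; Wed, 23 Mar 2016 17:42:49 -0400 (EDT)
From: Someone <someone@example.org>
To: alex@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop in untrusted_relays(SAMPLE):
        print(hop)
    print(addresses_in_received(SAMPLE), received_hits(SAMPLE))
```

Trusting hops by sending IP rather than by the "by" host matters: the bottom Received line claims "by mail05.parking.ru", but it was written by a host we do not control and could say anything, so it is only ever treated as untrusted.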


freemail spam

2016-03-24 Thread Alex
Hi,

First, I'm wondering why parking.ru isn't among the freemail domains?
Perhaps it should be added?

Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
by mail02.example.com (Postfix) with ESMTP id 6ED82347D26
for <pa...@example.com>; Wed, 23 Mar 2016 17:42:50 -0400 (EDT)

I'm reading through the FREEMAIL_* rules, and wondered, how can I
build a rule that looks to see if email was passed through a freemail
domain?

I realize there's FREEMAIL_FROM, etc. I'm interested in something like
FREEMAIL_RECVD or something similar.

We're experiencing a higher than normal level of spoofing attempts,
and don't have the ability to implement DKIM/DMARC at the moment. SPF
is being worked on.

Having knowledge that a freemail sender was used in a spoof/phish
attempt I believe would be helpful.

Thanks,
Alex


Re: FreeMail Plugin

2015-02-17 Thread ricky gutierrez
2015-02-17 10:52 GMT-06:00 Kevin A. McGrail kmcgr...@pccc.com:
 That variable comes from
 $Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE;

Hi Kevin, good to hear around here,


 Sounds like you might have some mish-mash of SpamAssassin versions and
 plugins.

well, updated to version spamassassin-3.3.2-4.el6.rfx.x86_64






-- 
rickygm

http://gnuforever.homelinux.com


FreeMail Plugin

2015-02-17 Thread ricky gutierrez
Hi,  I have been updating some dependencies CPAN, but spamassassin
shows that warn:

spamassassin --lint
[18198] warn: Use of uninitialized value $tlds in regexp compilation
at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/FreeMail.pm
line 121.

someone on the list could explain this warn?

my best regards

-- 
rickygm

http://gnuforever.homelinux.com


Re: FreeMail Plugin

2015-02-17 Thread Kevin A. McGrail

On 2/17/2015 11:42 AM, ricky gutierrez wrote:

Hi,  I have been updating some dependencies CPAN, but spamassassin
shows that warn:

spamassassin --lint
[18198] warn: Use of uninitialized value $tlds in regexp compilation
at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/FreeMail.pm
line 121.

someone on the list could explain this warn?

my best regards

That variable comes from 
$Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE;


Sounds like you might have some mish-mash of SpamAssassin versions and 
plugins.




Re: FreeMail Plugin

2015-02-17 Thread Kevin A. McGrail

On 2/17/2015 12:21 PM, ricky gutierrez wrote:

2015-02-17 10:52 GMT-06:00 Kevin A. McGrail kmcgr...@pccc.com:

That variable comes from
$Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE;

Hi Kevin, good to hear around here,


Sounds like you might have some mish-mash of SpamAssassin versions and
plugins.

well, updated to version spamassassin-3.3.2-4.el6.rfx.x86_64
That sounds like an RPM.  Missing RPMs and CPAN may lead to issues. What 
did you update from CPAN?  What distribution, etc. are you using?


Re: FreeMail Plugin

2015-02-17 Thread John Hardin

On Tue, 17 Feb 2015, Kevin A. McGrail wrote:


On 2/17/2015 12:21 PM, ricky gutierrez wrote:

 2015-02-17 10:52 GMT-06:00 Kevin A. McGrail kmcgr...@pccc.com:
  That variable comes from
  $Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE;
 Hi Kevin, good to hear around here,

  Sounds like you might have some mish-mash of SpamAssassin versions and
  plugins.
 well, updated to version spamassassin-3.3.2-4.el6.rfx.x86_64


That sounds like an RPM.  Missing RPMs and CPAN may lead to issues.


Very minor clarification there: Kevin meant to say mixing.

CPAN modules should either be installed using RPMs (or whatever package 
your distro uses) OR directly from CPAN. If you mix methods you can't rely 
on getting clean results, things may not be properly updated.



What did you update from CPAN?  What distribution, etc. are you using?



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...for a nation to tax itself into prosperity is like a man
  standing in a bucket and trying to lift himself up by the handle.
 -- Winston Churchill
---
 5 days until George Washington's 283rd Birthday


Re: FreeMail Plugin

2015-02-17 Thread ricky gutierrez
2015-02-17 11:49 GMT-06:00 Kevin A. McGrail kmcgr...@pccc.com:

 That sounds like an RPM.  Missing RPMs and CPAN may lead to issues. What did
 you update from CPAN?  What distribution, etc. are you using?

CentOS release 6.6 (Final)

I add a list of CPAN modules.


-- 
rickygm

http://gnuforever.homelinux.com
r
CPAN: Storable loaded ok (v2.20)
Reading '/root/.cpan/Metadata'
  Database was generated on Tue, 17 Feb 2015 17:41:02 GMT

Package namespace           installed      latest       in CPAN file
AppConfig                   1.66           1.69         NEILB/AppConfig-1.69.tar.gz
Archive::Extract            0.38           0.74         BINGOS/Archive-Extract-0.74.tar.gz
Attribute::Handlers         0.85           0.96         SMUELLER/Attribute-Handlers-0.96.tar.gz
Authen::SASL                2.13           2.16         GBARR/Authen-SASL-2.16.tar.gz
AutoLoader                  5.68           5.74         SMUELLER/AutoLoader-5.74.tar.gz
B::Debug                    1.11           1.23         RURBAN/B-Debug-1.23.tar.gz
B::Lint                     1.11           1.20         RJBS/B-Lint-1.20.tar.gz
BerkeleyDB                  0.43           0.54         PMQS/BerkeleyDB-0.54.tar.gz
Bit::Vector                 7.1            7.4          STBEY/Bit-Vector-7.4.tar.gz
CGI                         3.51           4.13         LEEJO/CGI-4.13.tar.gz
CGI::Fast                   1.08           2.05         LEEJO/CGI-Fast-2.05.tar.gz
CPAN::Meta::Requirements    2.127          2.132        DAGOLDEN/CPAN-Meta-Requirements-2.132.tar.gz
CPANPLUS                    0.88           0.9152       BINGOS/CPANPLUS-0.9152.tar.gz
CPANPLUS::Dist::Build       0.36           0.78         BINGOS/CPANPLUS-Dist-Build-0.78.tar.gz
Carp                        1.11           1.3301       ZEFRAM/Carp-1.3301.tar.gz
Carp::Clan                  6.03           6.04         STBEY/Carp-Clan-6.04.tar.gz
Class::ISA                  0.33           0.36         SMUELLER/Class-ISA-0.36.tar.gz
Convert::ASN1               0.22           0.27         GBARR/Convert-ASN1-0.27.tar.gz
Version string '1.119 ' contains invalid data; ignoring: ' ' at /usr/local/share/perl5/ExtUtils/MM_Unix.pm line 2784.
Convert::BinHex             1.119          1.123        STEPHEN/Convert-BinHex-1.123.tar.gz
Convert::UUlib              1.34           1.4          MLEHMANN/Convert-UUlib-1.4.tar.gz
Crypt::OpenSSL::RSA         0.25           0.28         PERLER/Crypt-OpenSSL-RSA-0.28.tar.gz
Crypt::OpenSSL::Random      0.04           0.10         RURBAN/Crypt-OpenSSL-Random-0.10.tar.gz
Crypt::SSLeay               0.57           0.72         NANIS/Crypt-SSLeay-0.72.tar.gz
DBD::SQLite                 1.27           1.46         ISHIGAKI/DBD-SQLite-1.46.tar.gz
DBD::mysql                  4.013          4.029        CAPTTOFU/DBD-mysql-4.029.tar.gz
DBIx::Simple                1.32           1.35         JUERD/DBIx-Simple-1.35.tar.gz
Data::UUID                  1.203          1.220        RJBS/Data-UUID-1.220.tar.gz
Devel::DProf                20080331.00    20110802.00  FLORA/Devel-DProf-20110802.00.tar.gz
Devel::PPPort               3.19           3.28         WOLFSAGE/Devel-PPPort-3.28.tar.gz
Devel::SelfStubber          1.03           1.05         FLORA/Devel-SelfStubber-1.05.tar.gz
Digest                      1.16           1.17         GAAS/Digest-1.17.tar.gz
Digest::HMAC                1.01           1.03         GAAS/Digest-HMAC-1.03.tar.gz
Dumpvalue                   1.13           1.17         FLORA/Dumpvalue-1.17.tar.gz
Encode                      2.35           2.70         DANKOGAI/Encode-2.70.tar.gz
Env                         1.00           1.04         FLORA/Env-1.04.tar.gz
Error                       0.17015        0.17023      SHLOMIF/Error-0.17023.tar.gz
Exporter                    5.63           5.70         TODDR/Exporter-5.70.tar.gz
ExtUtils::Command           1.16           1.20         BINGOS/ExtUtils-Command-1.20.tar.gz
ExtUtils::Install           1.54           2.04         BINGOS/ExtUtils-Install-2.04.tar.gz
ExtUtils::Manifest          1.65           1.70         ETHER/ExtUtils-Manifest-1.70.tar.gz
ExtUtils::ParseXS           2.2203         3.24         SMUELLER/ExtUtils-ParseXS-3.24.tar.gz
File::CheckTree             4.4            4.42         RJBS/File-CheckTree-4.42.tar.gz
File::Fetch                 0.24           0.48         BINGOS/File-Fetch-0.48.tar.gz
File::Path                  2.08           2.09         DLAND/File-Path-2.09.tar.gz
Filter::Simple              0.84           0.91         SMUELLER/Filter-Simple-0.91.tar.gz
GSSAPI                      0.26           0.28         AGROLMS/GSSAPI-0.28.tar.gz
Git                         0.01           0.40         MSOUTH/Git-0.40.tgz
HTML::Form                  5.829          6.03         GAAS/HTML-Form-6.03.tar.gz
I18N::Collate               1.01           1.02         FLORA/I18N-Collate-1.02.tar.gz
IP::Country                 2.27           2.28         NWETTERS/IP-Country-2.28.tar.gz
IPC::Cmd                    0.56           0.92         BINGOS/IPC-Cmd-0.92.tar.gz
IPC::SysV                   2.01           2.04         MHX/IPC-SysV-2.04.tar.gz
JSON::PP                    2.27203        2.27300      MAKAMAKA/JSON-PP-2.27300.tar.gz
LWP::Protocol::http10       undef          6.03         GAAS/LWP-Protocol-http10-6.03.tar.gz
LWP::Protocol::https        undef          6.06         MSCHILLI/LWP-Protocol-https-6.06.tar.gz
Locale::Maketext            1.13           1.26

Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-26 Thread Benny Pedersen

Jason Haar wrote:

Anyone see anything fundamentally wrong with that? It seems so obvious,
I'm thinking I've overlooked something :-)


using domain names in iptables ?

dnswl is based on ips, freemail is based on domain names, if you see 
stable results then it works :-)


best option is to sign up as a dnswl reporter, and report it as spam


Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-26 Thread Jason Haar
On 26/08/13 20:16, Benny Pedersen wrote:
 Jason Haar wrote:

 Anyone see anything fundamentally wrong with that? It seems so obvious,
 I'm thinking I've overlooked something :-)

 using domain names in iptables ?

 dnswl is based on ips, freemail is based on domain names, if you see
 stable results then it works :-)


d'oh! So it is. The IP was whitelisted - nothing to do with yahoo.co.uk

 Yep - looks like it was a good thing I asked ;-)


Thanks! And I'll report the spam to DNSWL too

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-25 Thread Jason Haar
Hi there

I just received some spam - got a score below 0. The real surprise was
the -2 points it got from RCVD_IN_DNSWL_MED - a surprise because the
domain was yahoo.co.uk!

I have no idea why DNSWL would ever give a negative score to any
FREEMAIL (I use the SA rulename there) server - all free mail services
will be prone to misuse

So I'm thinking of trying to counteract that via

meta     UNDO_DNSWL_WHITELIST   ((RCVD_IN_DNSWL_MED) && FREEMAIL_FROM)
describe UNDO_DNSWL_WHITELIST   don't allow RCVD_IN_DNSWL_MED to whitelist freemail
score    UNDO_DNSWL_WHITELIST   2.0


Anyone see anything fundamentally wrong with that? It seems so obvious,
I'm thinking I've overlooked something :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
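
Benny's answer below (dnswl lists the relay IP, FreeMail looks at the From: domain) and the UNDO_DNSWL_WHITELIST meta above, as an added Python model. This is not SpamAssassin's code: it walks the Received: chain to the last untrusted relay, builds the reversed-octet query name for list.dnswl.org, decodes the 127.0.<category>.<trust> answer into the RCVD_IN_DNSWL_* rule it corresponds to, checks the From: domain against a freemail list and applies the meta. The zone contents, the trusted network, the freemail list, the sample headers and the scores (-2 is what Jason reported) are constructed for the example; the resolver is a dict lookup so it runs offline, and can be swapped for a real DNS query.

```python
"""Why RCVD_IN_DNSWL_MED and FREEMAIL_FROM can both fire on one message."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the list.dnswl.org zone. Real answers are
# 127.0.<category>.<trust> with trust 0..3 = none/low/med/hi. 192.0.2.1 is a
# documentation address, listed here only for the example.
FAKE_DNSWL_ZONE = {
    "1.2.0.192.list.dnswl.org": "127.0.10.2",   # 192.0.2.1 -> trust 2 (MED)
}
# Constructed: a few providers standing in for 20_freemail_domains.cf.
FREEMAIL_DOMAINS = {"yahoo.co.uk", "yahoo.com", "gmail.com", "hotmail.com"}
# Constructed: our own relays (SpamAssassin takes this from trusted_networks).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Illustrative scores: -2 as reported in the thread, 2.0 from the UNDO meta.
SCORES = {"RCVD_IN_DNSWL_MED": -2.0, "FREEMAIL_FROM": 0.001, "UNDO_DNSWL_WHITELIST": 2.0}
TRUST_RULES = {1: "RCVD_IN_DNSWL_LOW", 2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(text):
    return message_from_string(text)


def last_untrusted_relay(msg):
    """First Received: header (top-down) whose IP is outside our trusted networks.

    That is the hop RCVD_IN_* rules look up: hops above it are our own
    infrastructure, hops below it cannot be verified.
    """
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in TRUSTED_NETWORKS):
            return str(ip)
    return None


def dnswl_query_name(ip):
    """IP-keyed DNS lists are queried with the octets reversed."""
    return ".".join(reversed(ip.split("."))) + ".list.dnswl.org"


def dnswl_rule(ip, resolve=FAKE_DNSWL_ZONE.get):
    """Map the list answer to the RCVD_IN_DNSWL_* rule name, or None if unlisted."""
    answer = resolve(dnswl_query_name(ip))
    if answer is None:
        return None
    trust = int(answer.split(".")[3])
    return TRUST_RULES.get(trust)


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def score(msg):
    """Rule hits and total score for one parsed message."""
    hits = set()
    ip = last_untrusted_relay(msg)
    rule = dnswl_rule(ip) if ip else None
    if rule:
        hits.add(rule)
    if from_domain(msg) in FREEMAIL_DOMAINS:
        hits.add("FREEMAIL_FROM")
    # meta UNDO_DNSWL_WHITELIST ((RCVD_IN_DNSWL_MED) && FREEMAIL_FROM)
    if {"RCVD_IN_DNSWL_MED", "FREEMAIL_FROM"} <= hits:
        hits.add("UNDO_DNSWL_WHITELIST")
    return hits, sum(SCORES.get(h, 0.0) for h in hits)


def score_text(text):
    return score(parse(text))


# Constructed sample: freemail From:, handed to our MX by an IP the fake zone lists as MED.
SAMPLE = """Received: from mx.example.net (mx.example.net [198.51.100.7]) by store.example.net; Sun, 25 Aug 2013 10:00:00 +0000
Received: from nm12.bullet.mail.example (nm12.bullet.mail.example [192.0.2.1]) by mx.example.net; Sun, 25 Aug 2013 09:59:58 +0000
From: Someone <someone@yahoo.co.uk>
Subject: hi

http://example.com/
"""

if __name__ == "__main__":
    print(score_text(SAMPLE))
```

The two lookups never talk to each other: the relay IP earns the negative score regardless of who the From: says they are, which is exactly why the meta is needed if you want the freemail signal to win.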



Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-25 Thread Matthias Leisi
Could you please share the IP address (better: relevant Received:
header)? This seems like an error in our data.

-- Matthias, for the dnswl.org project

On Sun, Aug 25, 2013 at 10:19 PM, Jason Haar jason_h...@trimble.com wrote:
 Hi there

 I just received some spam - got a score below 0. The real surprise was
 the -2 points it got from RCVD_IN_DNSWL_MED - a surprise because the
 domain was yahoo.co.uk!

 I have no idea why DNSWL would ever give a negative score to any
 FREEMAIL (I use the SA rulename there) server - all free mail services
 will be prone to misuse

 So I'm thinking of trying to counteract that via

 meta     UNDO_DNSWL_WHITELIST   ((RCVD_IN_DNSWL_MED) && FREEMAIL_FROM)
 describe UNDO_DNSWL_WHITELIST   don't allow RCVD_IN_DNSWL_MED to whitelist freemail
 score    UNDO_DNSWL_WHITELIST   2.0


 Anyone see anything fundamentally wrong with that? It seems so obvious,
 I'm thinking I've overlooked something :-)

 --
 Cheers

 Jason Haar
 Information Security Manager, Trimble Navigation Ltd.
 Phone: +1 408 481 8171
 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Rule to count freemail recipients?

2011-10-18 Thread Adam Katz
On 10/17/2011 08:42 PM, Tom wrote:
 I'm using a couple rules I found here that hits when there are 5-9 or
 10+ recipients:
 
 header   __COUNT_RCPTS  ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
 tflags   __COUNT_RCPTS  multiple
 
 meta     RCPTS_5_10     (__COUNT_RCPTS >= 5)
 score    RCPTS_5_10     1.0
 describe RCPTS_5_10     Message has 5 or more recipients
 
 meta     RCPTS_10_PLUS  (__COUNT_RCPTS >= 10)
 score    RCPTS_10_PLUS  1.0
 describe RCPTS_10_PLUS  Message has 10 or more recipients

We get requests for this all the time on this list.  Several
implementations have been made and then removed (some may even still
exist in svn sandboxes) for their poor performance.  While none of them
(including your own) have specifically hunted freemail recipients, I can
tell you from experience that this won't help reduce false positives.





Rule to count freemail recipients?

2011-10-17 Thread Tom
I'm using a couple rules I found here that hits when there are 5-9 or
10+ recipients:


header   __COUNT_RCPTS  ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
tflags   __COUNT_RCPTS  multiple

meta     RCPTS_5_10     (__COUNT_RCPTS >= 5)
score    RCPTS_5_10     1.0
describe RCPTS_5_10     Message has 5 or more recipients

meta     RCPTS_10_PLUS  (__COUNT_RCPTS >= 10)
score    RCPTS_10_PLUS  1.0
describe RCPTS_10_PLUS  Message has 10 or more recipients


I'm seeing a bunch of spams that are being sent to some of my users
where there are multiple other recipients, and most, if not all of the
other recipients are various freemail accounts.

Anyone have any ideas on how to identify when the other recipients are
freemail users, so that this can be scored even higher?


Re: Rule to count freemail recipients?

2011-10-17 Thread darxus
On 10/17, Tom wrote:
 Anyone have any ideas on how to identify when the other recipients are
 freemail users, so that this can be scored even higher?

My guess is you'd need to write a plugin based on the FreeMail plugin:
http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/FreeMail.pm?view=markup

20_freemail.cf and 20_freemail_domains.cf include some relevant rules.  It
defines a huge list of known freemail domains.

-- 
We will be dead soon. Is this how we want to live?
http://www.ChaosReigns.com
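
Tom's question (how many of the other recipients are freemail users?) and the __COUNT_RCPTS rules above, as an added Python example. It is not the FreeMail plugin or any SpamAssassin code: it pulls every address out of To: and Cc: with a real address parser, applies the thread's 5 and 10 thresholds, and adds the signal Tom asked for, a rule (here called RCPTS_MOSTLY_FREEMAIL, a name of my choosing) that fires when at least three recipients are at freemail providers and they make up most of the list. The freemail domain list, the thresholds and the two sample messages are constructed.

```python
"""Recipient counting with a freemail share, over To: and Cc:."""
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for 20_freemail_domains.cf.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "aol.com", "live.com"}


def parse(text):
    return message_from_string(text)


def recipients(msg):
    """Every address in To: and Cc:, lower-cased.

    getaddresses() copes with "Name <addr>", bare addresses and quoted display
    names containing commas, which the thread's /[^@,\s]+@[^@,\s]+/ regex
    only approximates.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if "@" in addr]


def freemail_recipients(addrs):
    return [a for a in addrs if a.rpartition("@")[2] in FREEMAIL_DOMAINS]


def rcpt_rules(msg, freemail_min=3, freemail_ratio=0.6):
    """Rule names that fire: the thread's two count rules plus the freemail one."""
    addrs = recipients(msg)
    hits = set()
    if len(addrs) >= 5:
        hits.add("RCPTS_5_10")
    if len(addrs) >= 10:
        hits.add("RCPTS_10_PLUS")
    fm = freemail_recipients(addrs)
    # Assumed thresholds: at least freemail_min freemail recipients, making up
    # at least freemail_ratio of all recipients. Empty lists never divide.
    if addrs and len(fm) >= freemail_min and len(fm) / len(addrs) >= freemail_ratio:
        hits.add("RCPTS_MOSTLY_FREEMAIL")
    return hits


def rcpt_rules_text(text):
    return rcpt_rules(parse(text))


# Constructed samples: one looks like the spam Tom describes, one is a normal
# internal mail with the same recipient count.
SPAM_LIKE = """From: x@example.org
To: a@gmail.com, "Bee, B" <b@hotmail.com>, c@yahoo.com, d@aol.com, e@example.com
Cc: f@live.com
Subject: hi

body
"""
HAM_LIKE = """From: x@example.org
To: team@example.com, ops@example.com, alice@example.com, bob@example.com, carol@example.com
Subject: weekly status

body
"""

if __name__ == "__main__":
    print(sorted(rcpt_rules_text(SPAM_LIKE)))
    print(sorted(rcpt_rules_text(HAM_LIKE)))
```

Both samples trip RCPTS_5_10; only the first trips the freemail rule, which is the separation Tom wanted. Adam's caution above still applies: the share of freemail recipients says nothing about the sender, so keep the score low.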


Re: Freemail problem

2011-02-18 Thread Mark Martinec
Jeremy, Noel,

 I'm using SpamAssassin 3.2.5, and the FreeMail.pm plugin v2.001 from 
 http://sa.hege.li, along with the rules from the 20_freemail.cf file at the 
 same location.

 My first question is why does (mr.anthonywalter2010[at]gmail.com) appear 
 twice within the FREEMAIL_FROM entry inside the X-Spam-Report header? Is it 
 there twice because this address was used for both the Return-Path and the 
 From headers? In other words, should I expect the FREEMAIL_FROM entry to 
 list any freemail address which is used as the envelope sender, as well as 
 any freemail address used in the From header of the message? I had assumed 
 the FREEMAIL_FROM rule only looked at the From header but maybe that's 
 incorrect.
 
 My second question is regarding the reference to 
 (financediamond[at]gmail.com) in the FREEMAIL_FROM results. That email 
 address does not appear anywhere in the entire message! Not in any of the 
 headers, nor in any part of the body. I've opened up the raw email file from 
 my mail server and searched the entire thing in a plain text editor, and 
 there is no reference anywhere to 'financediamond' at all. So why is the 
 FREEMAIL_FROM rule referring to that address? Is it a bug maybe? Could it 
 perhaps be crossing wires with another email which my SpamAssassin was 
 scanning at the same time, or something like that??
 
 I am seeing this occasionally myself, including just now, except with
 3.3.1 ( hence my search of the mailbox and found this, but only this
 post) somehow its mixing with addresses from separate emails altogether,
 this is postfix and SA is called from amavisd-new
 Was any suggestions given?

 I didn't receive any suggestions. I had hoped that when I would eventually
 upgrade to 3.3.x (haven't done that yet), that the problem would go away.
 So I'm sad to hear that it still exists.

It's a bug in the FreeMail.pm plugin. It forgets to reset the rule description
text with every message, so the addresses listed in a rule description
just accumulate from one message to the next. I think this only affects
text in a report, the rules probably hit correctly.

  Mark 


Re: Freemail problem

2011-02-18 Thread Henrik K
On Fri, Feb 18, 2011 at 03:20:32PM +0100, Mark Martinec wrote:
 Jeremy, Noel,
 
  I'm using SpamAssassin 3.2.5, and the FreeMail.pm plugin v2.001 from 
  http://sa.hege.li, along with the rules from the 20_freemail.cf file at the 
  same location.
 
  My first question is why does (mr.anthonywalter2010[at]gmail.com) appear 
  twice within the FREEMAIL_FROM entry inside the X-Spam-Report header? Is it 
  there twice because this address was used for both the Return-Path and the 
  From headers? In other words, should I expect the FREEMAIL_FROM entry to 
  list any freemail address which is used as the envelope sender, as well as 
  any freemail address used in the From header of the message? I had assumed 
  the FREEMAIL_FROM rule only looked at the From header but maybe that's 
  incorrect.
  
  My second question is regarding the reference to 
  (financediamond[at]gmail.com) in the FREEMAIL_FROM results. That email 
  address does not appear anywhere in the entire message! Not in any of the 
  headers, nor in any part of the body. I've opened up the raw email file 
  from 
  my mail server and searched the entire thing in a plain text editor, and 
  there is no reference anywhere to 'financediamond' at all. So why is the 
  FREEMAIL_FROM rule referring to that address? Is it a bug maybe? Could it 
  perhaps be crossing wires with another email which my SpamAssassin was 
  scanning at the same time, or something like that??
  
  I am seeing this occasionally myself, including just now, except with
  3.3.1 ( hence my search of the mailbox and found this, but only this
  post) somehow its mixing with addresses from separate emails altogether,
  this is postfix and SA is called from amavisd-new
  Was any suggestions given?
 
  I didn't receive any suggestions. I had hoped that when I would eventually
  upgrade to 3.3.x (haven't done that yet), that the problem would go away.
  So I'm sad to hear that it still exists.
 
 It's a bug in the FreeMail.pm plugin. It forgets to reset the rule description
 text with every message, so the addresses listed in a rule description
 just accumulate from one message to the next. I think this only affects
 text in a report, the rules probably hit correctly.

Hmm yes I was wondering about this... so $pms->{conf} isn't actually per
message then?  Too busy to dive into that right now..


Re: Freemail problem

2011-02-18 Thread Mark Martinec
Henrik,
 
 Hmm yes I was wondering about this... so $pms->{conf} isn't actually per
 message then?  Too busy to dive into that right now..

No, the $pms->{conf} is just another ref or shortcut to $main->{conf}.
Changes there affect the global configuration.

The calls to $pms->clear_test_state and $pms->test_log may be
more appropriate to add auxiliary information to rule hits.

Also, the $pms->got_hit can now accept a 'description' attribute
(if needed) with more recent versions of SpamAssassin.

  Mark
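
The failure Mark describes, as an added Python model rather than the plugin's Perl. The point is the bug class, not the plugin's internals: a per-message detail (the matched addresses) is appended to the description string that lives in the process-wide configuration, so every later message scanned by the same long-running daemon inherits it. `Scanner` stands in for a spamd or amavisd worker, `conf` for the shared $main->{conf} that each per-message status object also points at, and `check_fixed` keeps the detail in a per-message result instead. The model checks both Return-Path and From:, which would also account for the same address appearing twice in Jeremy's report; that is an assumption about the plugin, not something Mark states. The two messages are constructed from the addresses in the thread.

```python
"""Per-message state written into shared configuration: how report text leaks
from one message into the next."""
import re

ADDR = re.compile(r"[\w.+-]+@[\w.-]+")
# Constructed stand-in for the freemail domain list.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com"}


def freemail_addrs(headers):
    """Freemail addresses in Return-Path: and From:, munged as the report shows them."""
    found = []
    for name in ("Return-Path", "From"):
        for addr in ADDR.findall(headers.get(name, "")):
            if addr.rpartition("@")[2].lower() in FREEMAIL_DOMAINS:
                found.append(addr.replace("@", "[at]"))
    return found


class Scanner:
    def __init__(self):
        # One configuration object for the life of the process; rule
        # descriptions live here, like $main->{conf}->{descriptions}.
        self.conf = {"descriptions": {"FREEMAIL_FROM": "Sender email is freemail"}}

    def check_buggy(self, headers):
        """Appends the match detail to the shared description. It is never reset,
        so it carries over to every message the worker scans afterwards."""
        hit = freemail_addrs(headers)
        if hit:
            self.conf["descriptions"]["FREEMAIL_FROM"] += "".join(f" ({a})" for a in hit)
        return bool(hit), self.conf["descriptions"]["FREEMAIL_FROM"]

    def check_fixed(self, headers):
        """Leaves the configuration alone; the detail lives in this message's result."""
        hit = freemail_addrs(headers)
        base = self.conf["descriptions"]["FREEMAIL_FROM"]
        return bool(hit), base + "".join(f" ({a})" for a in hit)


# Constructed headers for two unrelated messages handled by the same worker.
MSG1 = {"Return-Path": "<financediamond@gmail.com>",
        "From": "Finance <financediamond@gmail.com>"}
MSG2 = {"Return-Path": "<mr.anthonywalter2010@gmail.com>",
        "From": "MR. ANTHONY WALTER <mr.anthonywalter2010@gmail.com>"}


def demo(method_name):
    """Scan MSG1 then MSG2 with one Scanner; return the report text for MSG2."""
    s = Scanner()
    getattr(s, method_name)(MSG1)
    return getattr(s, method_name)(MSG2)[1]


if __name__ == "__main__":
    print("buggy:", demo("check_buggy"))
    print("fixed:", demo("check_fixed"))
```

With the buggy path, MSG2's report names financediamond, an address that appears nowhere in MSG2, which is the symptom Jeremy saw; it also explains why Noel saw it only sometimes, since it depends on which earlier messages the same worker happened to scan.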


Re: Freemail problem

2011-02-18 Thread Noel Butler
Mark,
On Fri, 2011-02-18 at 15:20 +0100, Mark Martinec wrote:

 Jeremy, Noel,



 It's a bug in the FreeMail.pm plugin. It forgets to reset the rule description
 text with every message, so the addresses listed in a rule description
 just accumulate from one message to the next. I think this only affects
 text in a report, the rules probably hit correctly.


Thanks for this, strange how it does not happen all the time, but at
least we know its mostly harmless.
Cheers
Noel






Re: Freemail problem

2011-02-17 Thread Noel Butler
/Very Ancient/


On Thu, 2010-06-10 at 18:40 +0200, Jeremy Fairbrass wrote:

 Hi, I've noticed what seems to be unexpected behaviour with the Freemail 
 plugin, which I'm hoping someone can shed some light on.
 
 I'm using SpamAssassin 3.2.5, and the FreeMail.pm plugin v2.001 from 
 http://sa.hege.li, along with the rules from the 20_freemail.cf file at the 
 same location.



 My second question is regarding the reference to 
 (financediamond[at]gmail.com) in the FREEMAIL_FROM results. That email 
 address does not appear *anywhere* in the entire message! Not in any of the 
 headers, nor in any part of the body. I've opened up the raw email file from 
 my mail server and searched the entire thing in a plain text editor, and 
 there is no reference anywhere to 'financediamond' at all. So why is the 
 FREEMAIL_FROM rule referring to that address? Is it a bug maybe? Could it 
 perhaps be crossing wires with another email which my SpamAssassin was 
 scanning at the same time, or something like that??
 
 



I am seeing this occasionally myself, including just now, except with
3.3.1 ( hence my search of the mailbox and found this, but only this
post) somehow its mixing with addresses from separate emails altogether,
this is postfix and SA is called from amavisd-new

Was any suggestions given?

Cheers






Re: Freemail problem

2011-02-17 Thread Jeremy Fairbrass


Noel Butler noel.but...@ausics.net wrote in message 
news:1297993593.5473.74.camel@tardis...

/Very Ancient/


On Thu, 2010-06-10 at 18:40 +0200, Jeremy Fairbrass wrote:


Hi, I've noticed what seems to be unexpected behaviour with the Freemail
plugin, which I'm hoping someone can shed some light on.

I'm using SpamAssassin 3.2.5, and the FreeMail.pm plugin v2.001 from
http://sa.hege.li, along with the rules from the 20_freemail.cf file at 
the

same location.



My second question is regarding the reference to
(financediamond[at]gmail.com) in the FREEMAIL_FROM results. That email
address does not appear *anywhere* in the entire message! Not in any of 
the
headers, nor in any part of the body. I've opened up the raw email file 
from

my mail server and searched the entire thing in a plain text editor, and
there is no reference anywhere to 'financediamond' at all. So why is the
FREEMAIL_FROM rule referring to that address? Is it a bug maybe? Could it
perhaps be crossing wires with another email which my SpamAssassin was
scanning at the same time, or something like that??




I am seeing this occasionally myself, including just now, except with 
3.3.1
( hence my search of the mailbox and found this, but only this post) 
somehow
its mixing with addresses from separate emails altogether, this is postfix 
and SA

is called from amavisd-new

Was any suggestions given?

Cheers



I didn't receive any suggestions. I had hoped that when I would eventually 
upgrade to 3.3.x (haven't done that yet), that the problem would go away. So 
I'm sad to hear that it still exists.


- Jeremy 





Re: lots of freemail spam

2011-01-02 Thread Cedric Knight
On 30/12/10 19:15, Lawrence @ Rogers wrote:
 Lately, I notice we are getting a fair amount (10-12 per day per client)
 of spam coming from freemail users (FREEMAIL_FROM triggers). Usually the
 Subject is non-existent or empty, and the message is always just an URL

I see a fair amount matching that description, and corresponding
complaints.  In the past few weeks there seems to be a shift from
Hotmail/MSN/Live to also use cracked Yahoo and AOL/AIM accounts.
Someone at the freemail providers should know if passwords are obtained
by phishing (such as tabnabbing) or a keylogger or even by a dictionary
attack.

There's no text to match Bayes or body rules; because the URL is on a
cracked site, URIBL_* isn't usually appropriate; because it's from a
cracked account, the headers are fine and it may even reach users who've
chosen to only accept email from friends/contacts.  More of the
originating IPs should hit deep-parsing RBLs than actually do.

So it could be argued that the best response is not to block, but to let
owners of cracked accounts know they need to change their password and
secret questions (or close the account if it can't be recovered), and
also to report the cracked sites and originating IPs, possibly by
educating users about SpamCop.

 Is there a good rule for flagging these as possible spam? I understand
 that there may be some legit e-mails that would hit all 3 factors, so I
 would score the rule low.

 Thoughts?

Something like:

meta     FREEMAIL_PHARM_PROB  ((FREEMAIL_FROM + MISSING_SUBJECT + LINK_NR_TOP) >= 3)
describe FREEMAIL_PHARM_PROB  Looks like simple link from cracked account
score    FREEMAIL_PHARM_PROB  2.5

LINK_NR_TOP is the only additional element needed, to indicate message
length:

rawbody  LINK_NR_TOP  /^.{0,20}http:(?!src=.http:)(?!xmlns=.http:)\S{5,100}.{0,100}$/si
describe LINK_NR_TOP  Short message with link near top
score    LINK_NR_TOP  0.1

The length of text either side of the URL could be adjusted as needed.
rawbody  LINK_ONLY    /^\s{0,20}http:\S{5,100}\s{0,100}$/si

TVD_SPACE_RATIO usually hits when there is no whitespace, and could also
be used in the meta, and GENERIC_IXHASH
http://sourceforge.net/projects/ixhash/ seems to hit a greater
percentage than other body checksums (the body being empty or very
short).  Also there are short-lived patterns in the abusive file uploaded:

uri      FREEMAIL_PHARM1  /\/mtxtsx\.htm/
describe FREEMAIL_PHARM1  Particular link on cracked site, Jan 2011
score    FREEMAIL_PHARM1  8.0

uri      FREEMAIL_PHARM2  /\/(?:2011\.php\?\w+=\w+$|foto2011\.php|clickhere\.php|important\.php|mywork\.html)/
describe FREEMAIL_PHARM2  Particular link on cracked site, Jan 2011
score    FREEMAIL_PHARM2  4.0

uri      FREEMAIL_PHARM3  /\/\/[a-z0-9A-Z.-]+\/images\/[A-Za-z0-9\-]+\.(?:php|htm)/
describe FREEMAIL_PHARM3  Top-level images folder, php or htm extension
score    FREEMAIL_PHARM3  0.1

HTH

CK
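
The three-factor pattern Lawrence describes (freemail sender, empty Subject, body that is just a URL) and Cedric's FREEMAIL_PHARM_PROB meta, as an added Python detector. It is not SpamAssassin code: it transcribes the LINK_NR_TOP rawbody regex verbatim, derives MISSING_SUBJECT and FREEMAIL_FROM from the headers, approximates TVD_SPACE_RATIO as "no whitespace at all in the body" (an assumption, the real rule is a ratio), and combines them as the meta does. The freemail list and both sample messages are constructed; the compromised-site URL is a placeholder.

```python
"""Detector for link-only mail from freemail accounts, run over sample messages."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the freemail domain list.
FREEMAIL_DOMAINS = {"hotmail.com", "live.com", "yahoo.com", "aol.com", "aim.com"}

# Cedric's rawbody regex as posted: a URL within the first 20 characters of the
# body and no more than 100 characters after it (re.S lets '.' span lines).
LINK_NR_TOP = re.compile(
    r"^.{0,20}http:(?!src=.http:)(?!xmlns=.http:)\S{5,100}.{0,100}$", re.S | re.I
)


def parse(text):
    return message_from_string(text)


def raw_body(msg):
    """Concatenated text/plain parts, decoded; empty for a message with none."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)


def rules(msg):
    hits = set()
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in FREEMAIL_DOMAINS:
        hits.add("FREEMAIL_FROM")
    if not (msg.get("Subject") or "").strip():
        hits.add("MISSING_SUBJECT")          # absent or empty Subject:
    body = raw_body(msg).strip()
    if LINK_NR_TOP.match(body):
        hits.add("LINK_NR_TOP")
    if body and not re.search(r"\s", body):
        hits.add("TVD_SPACE_RATIO")          # approximation: body has no whitespace
    # meta FREEMAIL_PHARM_PROB ((FREEMAIL_FROM + MISSING_SUBJECT + LINK_NR_TOP) >= 3)
    if {"FREEMAIL_FROM", "MISSING_SUBJECT", "LINK_NR_TOP"} <= hits:
        hits.add("FREEMAIL_PHARM_PROB")
    return hits


def rules_text(text):
    return rules(parse(text))


# Constructed samples: the cracked-account pattern, and a normal mail from the
# same kind of sender that also carries a link.
SPAM = """From: friend <somebody@hotmail.com>
To: victim@example.com
Content-Type: text/plain

http://compromised.example/images/mtxtsx.htm
"""
HAM = """From: friend <somebody@hotmail.com>
To: victim@example.com
Subject: photos from the weekend
Content-Type: text/plain

Hi, here are the photos I promised: http://photos.example.org/album/42
Let me know which ones you want printed.
"""

if __name__ == "__main__":
    print(sorted(rules_text(SPAM)))
    print(sorted(rules_text(HAM)))
```

The HAM sample shows why the meta, not FREEMAIL_FROM alone, carries the score: a legitimate hotmail user sending a link hits one factor, the cracked-account pattern hits all three.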


Re: lots of freemail spam

2011-01-02 Thread Warren Togami Jr.
I've been thinking, perhaps we should consider making a Freemail Realtime
BL that lists not IP addresses, but rather ID's at the Freemail provider.

1) I am assuming that IDs you see in headers of mail from Yahoo are always
from an authenticated user?
2) Traps and user reports can quickly list a new Freemail user ID.
3) Subsequent spam from that user ID is more easily blocked because the RBL
has the ID listed.
4) The RBL feed can be automated to be sent to the provider (like Yahoo) so
they can more quickly enforce locking down compromised accounts or enforce
their ToS.

Warren


Re: lots of freemail spam

2011-01-02 Thread Benny Pedersen

On Sun 02 Jan 2011 13:59:22 CET, Warren Togami Jr. wrote:


I've been thinking, perhaps we should consider making a Freemail Realtime
BL that lists not IP addresses, but rather ID's at the Freemail provider.


emailbl was better coded for this purpose imho

FreeMail as is, is perfect as it is now, since it's easy to add a
freemail domain, and it's easy to whitelist the non-spam senders


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html




Re: lots of freemail spam

2011-01-02 Thread Yet Another Ninja

On 2011-01-02 13:59, Warren Togami Jr. wrote:

I've been thinking, perhaps we should consider making a Freemail Realtime
BL that lists not IP addresses, but rather ID's at the Freemail provider.


Search the list archives for emailbl


1) I am assuming that IDs you see in headers of mail from Yahoo are always
from an authenticated user?
2) Traps and user reports can quickly list a new Freemail user ID.
3) Subsequent spam from that user ID is more easily blocked because the RBL
has the ID listed.
4) The RBL feed can be automated to be sent to the provider (like Yahoo) so
they can more quickly enforce locking down compromised accounts or enforce
their ToS.


Search the list archives for emailbl


Re: lots of freemail spam

2011-01-02 Thread Warren Togami Jr.
If I understand that thread correctly, that is for e-mail addresses in body
text?

I'm suggesting looking only at authenticated UID's in headers from specific
providers like Yahoo who are notorious for spam, but their MTA's also send a
significant amount of ham so we cannot DNSBL block them.  Given that we know
the UID's cannot be spoofed (if we verify the delivery with DKIM), such a BL
can be safely populated in an automated fashion using spam traps.

So this might be more of a Authenticated User RBL.

Warren


lots of freemail spam

2010-12-30 Thread Lawrence @ Rogers

Hi,

Lately, I notice we are getting a fair amount (10-12 per day per client) 
of spam coming from freemail users (FREEMAIL_FROM triggers). Usually the 
Subject is non-existent or empty, and the message is always just an URL


Is there a good rule for flagging these as possible spam? I understand 
that there may be some legit e-mails that would hit all 3 factors, so I 
would score the rule low.


Thoughts?

Regards,
Lawrence


Re: FreeMail plugin updated

2010-09-02 Thread Mark Martinec
On Thursday September 2 2010 01:52:28 Runbox wrote:
 Would you please remove Runbox.com from that list as we have not been a
 free email provider since 2001.
 Kim

Thanks, removed!
Should propagate with the next sa-update.

  Mark


Re: FreeMail plugin updated

2010-09-01 Thread Runbox

Hello, 

Would you please remove Runbox.com from that list as we have not been a free
email provider since 2001. 

Kim



me.com as freemail?

2010-06-28 Thread Daniel J McDonald
I notice that me.com (Apple's mobile me) is now offering a free 60
day trial for their mail solution.  About half the mail from me.com has
been spam here lately, so I've added it to my local list of freemail
domains.  Anyone seen anything similar?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: me.com as freemail?

2010-06-28 Thread LuKreme
On 28-Jun-2010, at 14:41, Daniel J McDonald wrote:
 I notice that me.com (Apple's mobile me) is now offering a free 60
 day trial

What do you mean, now? They have always offered a 60 day trial.

 for their mail solution.  About half the mail from me.com has
 been spam here lately, so I've added it to my local list of freemail
 domains.  Anyone seen anything similar?

I *get* a lot of spam at me.com, I don't get much FROM me.com, and what I do 
get seems to be of the "put 20 addresses in the Cc: header" variety. I let 
procmail deal with those.


-- 
You never really understand a person until you see things from his
point of view, until you climb inside of his skin and walk around in
it.



Freemail problem

2010-06-10 Thread Jeremy Fairbrass
Hi, I've noticed what seems to be unexpected behaviour with the Freemail 
plugin, which I'm hoping someone can shed some light on.


I'm using SpamAssassin 3.2.5, and the FreeMail.pm plugin v2.001 from 
http://sa.hege.li, along with the rules from the 20_freemail.cf file at the 
same location.


Example #1:

Yesterday I spotted the following within the headers of a very spammy spam 
email that I received (total score 23.5 points):


-
Return-path: <mr.anthonywalter2...@gmail.com>
X-Spam-Report:
*  0.0 FREEMAIL_FROM Sender email is freemail (financediamond[at]gmail.com)
*   (mr.anthonywalter2010[at]gmail.com)
*  (mr.anthonywalter2010[at]gmail.com)
SNIP
From: MR. ANTHONY WALTER <mr.anthonywalter2...@gmail.com>
-

(I've removed the other headers which aren't relevant here)

As you can see, this spam used mr.anthonywalter2...@gmail.com as the 
envelope sender address (MAIL FROM during the SMTP transaction, which also 
appears in the Return-Path header). And it used the same address in the From 
header of the message too.


My first question is why does (mr.anthonywalter2010[at]gmail.com) appear 
twice within the FREEMAIL_FROM entry inside the X-Spam-Report header? Is it 
there twice because this address was used for both the Return-Path and the 
From headers? In other words, should I expect the FREEMAIL_FROM entry to 
list any freemail address which is used as the envelope sender, *as well as* 
any freemail address used in the From header of the message? I had assumed 
the FREEMAIL_FROM rule only looked at the From header but maybe that's 
incorrect.


My second question is regarding the reference to 
(financediamond[at]gmail.com) in the FREEMAIL_FROM results. That email 
address does not appear *anywhere* in the entire message! Not in any of the 
headers, nor in any part of the body. I've opened up the raw email file from 
my mail server and searched the entire thing in a plain text editor, and 
there is no reference anywhere to 'financediamond' at all. So why is the 
FREEMAIL_FROM rule referring to that address? Is it a bug maybe? Could it 
perhaps be crossing wires with another email which my SpamAssassin was 
scanning at the same time, or something like that??



Example #2:

Here is the FREEMAIL_FROM results from another email that was scanned by my 
SpamAssassin recently. This one was not spam - it was a legitimate email 
sent to a mailing list which is managed by my mail server:


-
X-Spam-Report:
*  0.0 FREEMAIL_FROM Sender email is freemail (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com) (munged[at]gmail.com)
*  (munged[at]gmail.com)
From: Joe Citizen <mun...@gmail.com>
-

I've munged the sender's name and email address, but as you can see, the 
sender's email address was listed multiple times within the FREEMAIL_FROM 
results there (that's the exact same address each time). But the sender's 
address definitely does not appear that many times within the headers and 
body of the email! So this looks very odd to me.


One possible explanation: the sender was sending an email to a mailing list 
on my server. My server then generates one copy of the email for each 
recipient on the mailing list, and sends all of those copies through 
SpamAssassin before sending them out to the recipients. So SpamAssassin is 
scanning multiple copies of the same message at the same time (only the TO 
field is different in each one). So perhaps, somehow, as the FREEMAIL_FROM 
rule is scanning all these messages at once from the same sender, the rule 
is sending its results back to the SpamAssassin engine in such a way that SA 
mistakenly thinks they all relate to the same message rather than to 
multiple messages, and so SA puts all the results into the one FREEMAIL_FROM 
entry in the headers, as shown above. If you know what I mean. However that 
still seems like there's a bug or something, because I've never had a 
similar problem with any other rules at all, even with emails sent through a 
mailing list like this. It's only the FREEMAIL_FROM rule that does this.


Any ideas?

Cheers,
Jeremy 





Re: More freemail URI spam

2010-04-20 Thread Jonas Eckerman

On 2010-04-17 21:04, Alex wrote:


Maybe someone knows of a list of all the URL shorteners to be used in
a combo uri/meta rule?


I very much doubt that you'll find a list of *all* the URL shorteners. 
New ones crops up all the time, and old ones disappears.


Marc Perkel posted about a DNS based list he's hosting a while back. I'm 
attaching that message to this one.


Regards
/Jonas
--
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/
---BeginMessage---
I don't know if it will be useful but I made a short URL provider list 
that is DNS readable.


I got the list here:

http://longurl.org/services

It's a host name RBL and you can read it as follows:

dig tinyurl.com.shorturl.junkemailfilter.com

Let me know if you find a use for it.



---End Message---


Re: More freemail URI spam

2010-04-20 Thread Jonas Eckerman

On 2010-04-17 23:51, Alex wrote:


Somebody on this list wrote a parser to actually parse shorteners to
their obscured URLs.



That would sure be great. I hadn't seen that, but would like to know
more about it. Sounds like a better solution...


That'd be me. It's a plugin called URLRedirect and it's available at
http://whatever.frukt.org/spamassassin.text.shtml

It can use Marc's DNS based URL shortener list.

Regards
/Jonas
--
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/
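
Marc's hostname-keyed list and Alex's original question (a rule for shortener URIs in freemail spam), as an added Python example. It is not the URLRedirect plugin or Marc's code: it extracts URIs from a body, normalises each hostname, and builds the query name by appending the zone to the hostname, exactly as the `dig tinyurl.com.shorturl.junkemailfilter.com` line above shows (hostname lists are not octet-reversed the way IP lists are). The resolver is an injectable callable so the example runs offline against a constructed zone; pass `socket.gethostbyname` wrapped to return None on `socket.gaierror` for a live lookup. The URI regex, the zone contents and the sample body are constructed; what A record the real list returns is not assumed, any answer means "listed".

```python
"""Find URL-shortener hostnames in a message body via a hostname-keyed DNS list."""
import re
from urllib.parse import urlsplit

ZONE = "shorturl.junkemailfilter.com"
URI = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed stand-in for the zone: listed names answer, anything else does not.
FAKE_ZONE = {"tinyurl.com." + ZONE: "127.0.0.2", "bit.ly." + ZONE: "127.0.0.2"}


def fake_resolve(name):
    return FAKE_ZONE.get(name)


def host_of(uri):
    """Normalised hostname: lower-case, no userinfo, no port, no trailing dot."""
    return (urlsplit(uri).hostname or "").rstrip(".").lower()


def query_name(host, zone=ZONE):
    """Hostname lists are queried as <host>.<zone>, in forward order."""
    return f"{host}.{zone}"


def shortener_hosts(body, resolve=fake_resolve):
    """Hostnames in the body that the list knows, deduplicated, in first-seen order."""
    seen, listed = set(), []
    for uri in URI.findall(body):
        host = host_of(uri)
        if not host or host in seen:
            continue
        seen.add(host)
        if resolve(query_name(host)) is not None:
            listed.append(host)
    return listed


# Constructed body: mixed case, userinfo and a port, to exercise normalisation.
SAMPLE_BODY = """hey check this out
http://TinyURL.com/abc123
http://user@bit.ly:80/xyz
http://www.example.com/legit/page
http://tinyurl.com/abc123
"""

if __name__ == "__main__":
    print(shortener_hosts(SAMPLE_BODY))
```

In a rule this would be the condition for a uri-style hit; the score still belongs in a meta with FREEMAIL_FROM and a short-body check, since shortener links on their own appear in plenty of ham.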


RE: More freemail URI spam

2010-04-20 Thread Rosenbaum, Larry M.
 Generally speaking, anything deemed worthwhile is added to SA proper
 (unless there's a licensing question).  The exceptions come from
 automated rules (like Sought, MBL, SARE 2tld, and Khop-sc-neighbors),

90_2tld.cf has been replaced by the official rule file 20_aux_tlds.cf.  From 
the comments in that file:

# This file replaces the SARE http://www.rulesemporium.com/rules/90_2tld.cf
# which will be deprecated as from 2010-05-01


Re: More freemail URI spam

2010-04-19 Thread Adam Katz
On 04/18/2010 11:15 PM, Alex wrote:
 Incidentally, are there other CustomRulesets that you think should 
 or shouldn't be used?
 
 http://wiki.apache.org/spamassassin/CustomRulesets
 
 At the least, the Chickenpox and backhair, by the same author, should be
 noted on this page that they're no longer recommended, in the same
 way sa-blacklist or others are listed.

Sought and MBL are still active.  My stuff is active but I haven't
gotten around to posting there.  I'm not sure if anything else there is
active.  Lots of it IS posted with date info or listed as inactive or
otherwise ill advised.  Lots more is NOT.

If we can determine what each one's status is, we might get a volunteer
(maybe me) to go in and update it.  Back-dating would require looking at
the wiki history.

Generally speaking, anything deemed worthwhile is added to SA proper
(unless there's a licensing question).  The exceptions come from
automated rules (like Sought, MBL, SARE 2tld, and Khop-sc-neighbors),
plugin-dependent rules, and language-specific rules (if you happen to be
an outlier who receives things in those languages and need help
distinguishing ham from spam, but textcat and relaycountry are
preferable if you don't get ham in that language).





Re: More freemail URI spam

2010-04-18 Thread Alex
Hi,

 Yes, big help. That did it, using the default scores. This was
 written a number of years ago. Do you think it's still safe to use
 the default scores?

 NO!

 I put some of the (previously) better-performing chickenpox rules into
 my sandbox a while ago to investigate this.  It's still there:

Incidentally, are there other CustomRulesets that you think should
or shouldn't be used?

http://wiki.apache.org/spamassassin/CustomRulesets

At the least, the Chickenpox and backhair, by the same author, should
be noted on this page as no longer recommended, in the same way
sa-blacklist or others are listed.

It's also a bit strange that among all the antiquated rule sets is the
sought rules, as if it were just another third-party static rules
file.

Thanks,
Alex


More freemail URI spam

2010-04-17 Thread Alex
Hi,

I'm hoping someone can help me with a rule to catch URI spam variation
from freemail domains:

http://pastebin.com/SkrKykYj

This one is another urlshortener. How is this class of redirection
spam being stopped by everyone these days?

I've tried to adapt the ones I have, but this is very generic. I guess
it's so generic that it has a lot of similarities with valid hotmail
email, thus causing BAYES_50?

How are these messages being sent? Through compromised legitimate
hotmail accounts? Someone from a remote network connects to hotmail
via SMTP directly, authorizes themselves as a user of a compromised
account (SMTP auth?), then pipes their spam through their server as
that user?

Thanks,
Alex


Re: More freemail URI spam

2010-04-17 Thread John Hardin

On Sat, 17 Apr 2010, Alex wrote:


I'm hoping someone can help me with a rule to catch URI spam variation
from freemail domains:

http://pastebin.com/SkrKykYj


You might want to look into the old Chickenpox rule.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ten-millimeter explosive-tip caseless, standard light armor
  piercing rounds. Why?
---
 2 days until the 235th anniversary of The Shot Heard 'Round The World


Re: More freemail URI spam

2010-04-17 Thread Alex
Hi,

 http://pastebin.com/SkrKykYj

 You might want to look into the old Chickenpox rule.

Yes, big help. That did it, using the default scores. This was written
a number of years ago. Do you think it's still safe to use the default
scores?

I still wish I had a better grasp on regex so I could write a correct
rule to catch these, as I think that is probably the best approach.
Maybe someone knows of a list of all the URL shorteners to be used in
a combo uri/meta rule?

Since the whole point is to shorten the URL, I bet I could write
something that categorically checks for a URL that's short -- small
host part plus small pathname...

Thanks,
Alex


Re: More freemail URI spam

2010-04-17 Thread John Hardin

On Sat, 17 Apr 2010, Alex wrote:


http://pastebin.com/SkrKykYj


You might want to look into the old Chickenpox rule.


Yes, big help. That did it, using the default scores. This was written
a number of years ago. Do you think it's still safe to use the default
scores?


I think the problems that Chickenpox has recently are primarily due to 
non-English languages. If your mail stream includes non-English text, you 
might look into the FP rate and consider a meta with the charset or some 
other language indicator to reduce the score for it on non-English 
messages.




Re: More freemail URI spam

2010-04-17 Thread Adam Katz
 You might want to look into the old Chickenpox rule.

On 04/17/2010 03:04 PM, Alex wrote:
 Yes, big help. That did it, using the default scores. This was
 written a number of years ago. Do you think it's still safe to use
 the default scores?

NO!

I put some of the (previously) better-performing chickenpox rules into
my sandbox a while ago to investigate this.  It's still there:

Now:  http://ruleqa.spamassassin.org/?rule=/CHICKENPOX
2004: http://wiki.apache.org/spamassassin/MasscheckChickenpox

They are abysmal; the best S/O was 0.339, which means it hit more ham
than spam.

 I still wish I had a better grasp on regex so I could write a
 correct rule to catch these, as I think that is probably the best
 approach. Maybe someone knows of a list of all the URL shorteners to
 be used in a combo uri/meta rule?
 
 Since the whole point is to shorten the URL, I bet I could write 
 something that categorically checks for a URL that's short -- small 
 host part plus small pathname...

Somebody on this list wrote a parser to actually parse shorteners to
their obscured URLs.  You're looking at something far simpler, which we
can certainly try.

I've checked in a test at r935257  http://tinyurl.com/sa-r935257  (using
a shortened link seemed appropriate here).  This adds two rules,
URL_SHORTENER (which detects a known URL shortening service) and
SHORT_URL (which notices a particularly short ccTLD link that does NOT
use a known shortening service).
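The two heuristics just described (a link to a known shortening service versus a link that is merely short) can be prototyped outside SpamAssassin before anyone commits to a rule. The following is an added example in Python, not code from this thread nor the rules Adam checked in; the shortener list, the host and path length thresholds and the sample body are constructed for illustration, and the ccTLD test is a simple two-letter-last-label check rather than a real TLD list.

```python
import re
from urllib.parse import urlsplit

# Constructed list of shortening services; an assumption for this example,
# not the list behind SpamAssassin's URL_SHORTENER rule.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd", "ow.ly"}

# Thresholds for the "small host part plus small pathname" idea; the values
# are assumptions chosen for illustration.
MAX_HOST_LEN = 12   # "bit.ly" is 6 characters, "www.example.com" is 15
MAX_PATH_LEN = 10   # "/aqI4o1" is 7 characters

# Loose URI extractor, enough for plain text and simple HTML bodies.
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def extract_uris(body):
    """Unique http(s) URIs in order of first appearance."""
    return list(dict.fromkeys(URI_RE.findall(body)))


def host_is_cctld(host):
    """Crude ccTLD test: the last label is exactly two letters."""
    return re.search(r"\.[a-z]{2}$", host) is not None


def classify_uri(uri):
    """Names of the heuristics the URI trips (possibly none).

    URL_SHORTENER: host is a known shortening service.
    SHORT_URL:     not a known service, but a short ccTLD host with a short
                   path, the shape a shortener link has.
    """
    parts = urlsplit(uri)
    host = parts.hostname or ""
    path = parts.path or ""
    hits = set()
    if host in KNOWN_SHORTENERS:
        hits.add("URL_SHORTENER")
    elif (host_is_cctld(host) and len(host) <= MAX_HOST_LEN
          and 1 < len(path) <= MAX_PATH_LEN):
        hits.add("SHORT_URL")
    return hits


def scan_body(body):
    """Map each URI in the body to its hits; URIs with no hits are omitted."""
    result = {}
    for uri in extract_uris(body):
        hits = classify_uri(uri)
        if hits:
            result[uri] = hits
    return result


# Constructed message body: the bit.ly link echoes the sample from the thread,
# example.ly stands in for an unknown short ccTLD host, the rest are controls.
SAMPLE_BODY = """<br><a href="http://bit.ly/aqI4o1">http://bit.ly/aqI4o1</a><br>
see http://example.ly/Ab3 and http://www.example.com/some/long/path/index.html
http://shop.example.co.uk/cart
"""

if __name__ == "__main__":
    for uri, hits in scan_body(SAMPLE_BODY).items():
        print(uri, "->", ", ".join(sorted(hits)))
```

Run against a corpus of ham, the SHORT_URL branch is the one to watch: short ccTLD hosts with short paths are common in legitimate mail too, which is why a rule of this shape belongs in a low-scored meta rather than standing alone.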





Re: More freemail URI spam

2010-04-17 Thread Alex
Hi,

 Yes, big help. That did it, using the default scores. This was
 written a number of years ago. Do you think it's still safe to use
 the default scores?

 NO!

 I put some of the (previously) better-performing chickenpox rules into
 my sandbox a while ago to investigate this.  It's still there:

Okay, great, thanks for the follow-up. I'll be sure to not use those
and concentrate on the URL shortener improvements.

 Somebody on this list wrote a parser to actually parse shorteners to
 their obscured URLs.

That would sure be great. I hadn't seen that, but would like to know
more about it. Sounds like a better solution...

 I've checked in a test at r935257  http://tinyurl.com/sa-r935257  (using
 a shortened link seemed appropriate here).  This adds two rules,
 URL_SHORTENER (which detects a known URL shortening service) and
 SHORT_URL (which notices a particularly short ccTLD link that does NOT
 use a known shortening service).

That's great. I still need to learn more about how masschecks work to
understand the output from what you've posted, but will continue to
follow it.

Thanks,
Alex


Re: Freemail Rule help

2010-04-07 Thread Ned Slider

John Hardin wrote:

On Tue, 6 Apr 2010, Ned Slider wrote:


John Hardin wrote:

 On Tue, 6 Apr 2010, Ned Slider wrote:

  uriLOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
  describe   LOCAL_URI_BITLY  contains bit.ly link

 bit.ly is a legitimate URL-shortening service. Are you sure you want
 to penalize them?


As I said, I use that rule in a meta rule combining with FROM_HOTMAIL.


You _also_ use it in a meta. The rule quoted above assigns one point (by 
default) to any bit.ly URL, regardless of whether it appears in a 
message received from hotmail.




Ah, I tend to remove the (my) score line when posting to this list so 
people do not copy my rules verbatim, but think about their own scoring. 
I had actually scored it at 0.001 for information (I originally wanted 
to check that it was hitting). I had forgotten that rules without a score 
will score 1 by default. Good point, and thank you for reminding me :)
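The pitfall discussed above, a rule meant only as a meta component that scores 1.0 on its own because its name lacks the "__" prefix and it has no score line, is easy to catch mechanically before a rule file goes live. The following is an added Python check, not code from this thread or from SpamAssassin; the sample rule file is constructed after the rules Ned posted (the local __FROM_HOTMAIL_COM definition is hypothetical), and the parser covers only the rule and score line shapes shown there: the first of up to four score values is used, and "__" subrules, which never score on their own, are modelled as 0.0.

```python
import re

# Constructed rule file modelled on the rules posted in this thread:
# LOCAL_URI_BITLY is meant only as a meta component, but it has no "__"
# prefix and no score line, so SpamAssassin gives it the default score of 1.0.
SAMPLE_CF = r"""
uri      LOCAL_URI_BITLY         m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY         contains bit.ly link

meta     LOCAL_HOTMAIL_SPAM_URI  (__FROM_HOTMAIL_COM && LOCAL_URI_BITLY)
describe LOCAL_HOTMAIL_SPAM_URI  From hotmail.com and bit.ly
score    LOCAL_HOTMAIL_SPAM_URI  3.0

# hypothetical local definition of the subrule used above (not SA's own)
header   __FROM_HOTMAIL_COM      From:addr =~ /\@hotmail\.com$/i
"""

RULE_KEYWORDS = ("header", "body", "rawbody", "uri", "full", "meta", "mimeheader")
RULE_RE = re.compile(r"^\s*(%s)\s+(\S+)\s+(.*\S)\s*$" % "|".join(RULE_KEYWORDS))
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_cf(text):
    """Return (rules, scores): rules maps name -> (type, definition),
    scores maps name -> the first score value given for it."""
    rules, scores = {}, {}
    for raw in text.splitlines():
        line = re.sub(r"(?<!\\)#.*$", "", raw)   # drop unescaped comments
        m = RULE_RE.match(line)
        if m:
            rules[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return rules, scores


def effective_scores(text):
    """Score each defined rule actually contributes: explicit score, else the
    1.0 default; "__" subrules contribute nothing and are modelled as 0.0."""
    rules, scores = parse_cf(text)
    out = {}
    for name in rules:
        out[name] = 0.0 if name.startswith("__") else scores.get(name, 1.0)
    return out


def implicit_score_rules(text):
    """Rules that will silently score 1.0: no "__" prefix and no score line."""
    rules, scores = parse_cf(text)
    return sorted(n for n in rules if not n.startswith("__") and n not in scores)


def double_scoring_meta_deps(text):
    """For each meta rule, the operands that are scored rules in their own
    right, so a hit on the meta also counts the operand's score."""
    rules, _ = parse_cf(text)
    out = {}
    for name, (kind, expr) in rules.items():
        if kind != "meta":
            continue
        deps = {d for d in IDENT_RE.findall(expr)
                if d in rules and not d.startswith("__")}
        if deps:
            out[name] = deps
    return out


if __name__ == "__main__":
    for name in implicit_score_rules(SAMPLE_CF):
        print(f"{name}: no score line and no __ prefix, scores 1.0 on its own")
    for meta, deps in double_scoring_meta_deps(SAMPLE_CF).items():
        print(f"{meta} also counts separately scored rule(s): {', '.join(sorted(deps))}")
```

On the constructed file the check reports LOCAL_URI_BITLY as scoring 1.0 by default and flags that LOCAL_HOTMAIL_SPAM_URI adds its own 3.0 on top of it; renaming the component to __LOCAL_URI_BITLY (and updating the meta) is the usual fix.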




Freemail Rule help

2010-04-06 Thread Alex
Hi,

I'm having a problem with emails that are from a freemail domain with
simply a shorturl in them, like this:

<br><a href="http://bit.ly/aqI4o1">http://bit.ly/aqI4o1/Benjamin/</a><br><br><br>lovee
ya<br>

rawbody LOC_BITLY
/href\=http:\/\/bit\.ly\/.+\w{1,8}http:\/\/bit\.ly\/.+\w{1,15}\/.+\w{1,15}\/abrbr/

Is this the most effective and best way to accomplish this? I believe
it works (reliably?) but am concerned about what seemed to be
excessive memory usage and false positives, obviously. Do you have any
suggestions to improve this?

It also seems that no matter how many times I train these they don't
score higher than BAYES_50, at least the FNs.

Thanks,
Alex


Re: Freemail Rule help

2010-04-06 Thread Ned Slider

Alex wrote:

Hi,

I'm having a problem with emails that are from a freemail domain with
simply a shorturl in them, like this:

<br><a href="http://bit.ly/aqI4o1">http://bit.ly/aqI4o1/Benjamin/</a><br><br><br>lovee
ya<br>

rawbody LOC_BITLY
/href\=http:\/\/bit\.ly\/.+\w{1,8}http:\/\/bit\.ly\/.+\w{1,15}\/.+\w{1,15}\/abrbr/

Is this the most effective and best way to accomplish this? I believe
it works (reliably?) but am concerned about what seemed to be
excessive memory usage and false positives, obviously. Do you have any
suggestions to improve this?

It also seems that no matter how many times I train these they don't
score higher than BAYES_50, at least the FNs.

Thanks,
Alex



I'm seeing these mostly from hotmail accounts so I use a URI rule 
(rather than your rawbody example) and meta it with FROM_HOTMAIL. For 
example,


uri      LOCAL_URI_BITLY         m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY         contains bit.ly link

meta     LOCAL_HOTMAIL_SPAM_URI  (__FROM_HOTMAIL_COM && LOCAL_URI_BITLY)
describe LOCAL_HOTMAIL_SPAM_URI  From hotmail.com and bit.ly

I've been training these hotmail with links spam for months, and they 
all score BAYES_99 for me.




Re: Freemail Rule help

2010-04-06 Thread John Hardin

On Tue, 6 Apr 2010, Ned Slider wrote:


uri      LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY  contains bit.ly link


bit.ly is a legitimate URL-shortening service. Are you sure you want to 
penalize them?




Re: Freemail Rule help

2010-04-06 Thread Ned Slider

John Hardin wrote:

On Tue, 6 Apr 2010, Ned Slider wrote:


uri      LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY  contains bit.ly link


bit.ly is a legitimate URL-shortening service. Are you sure you want to 
penalize them?




As I said, I use that rule in a meta rule combining with FROM_HOTMAIL.

Anyway, for *me* and with *my* mail flow - yes, I want to penalize 
bit.ly in emails sent from hotmail.com, as they are without exception 
spam. In fact I suspect we all penalize a lot of legitimate domains that 
regularly appear in spam (abused by spammers).


Anyway, the purpose of my response was more to illustrate that Alex 
could use a URI rule to match, rather than the rawbody rule he cited :)




Re: Freemail Rule help

2010-04-06 Thread John Hardin

On Tue, 6 Apr 2010, Ned Slider wrote:


John Hardin wrote:

 On Tue, 6 Apr 2010, Ned Slider wrote:

  uri      LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
  describe LOCAL_URI_BITLY  contains bit.ly link

 bit.ly is a legitimate URL-shortening service. Are you sure you want
 to penalize them?


As I said, I use that rule in a meta rule combining with FROM_HOTMAIL.


You _also_ use it in a meta. The rule quoted above assigns one point (by 
default) to any bit.ly URL, regardless of whether it appears in a message 
received from hotmail.


Anyway, for *me* and with *my* mail flow - yes, I want to penalize 
bit.ly in emails sent from hotmail.com, as they are without exception 
spam. In fact I suspect we all penalize a lot of legitimate domains that 
regularly appear in spam (abused by spammers).


That's likely true. No big deal, as it's not a poison pill; I was just 
wondering whether you actually did intend to _always_ punish bit.ly URLs 
or whether you omitted the __ by mistake.


Anyway, the purpose of my response was more to illustrate that Alex 
could use a URI rule to match, rather than the rawbody rule he cited :)


True, and a good example.



Re: Freemail Rule help

2010-04-06 Thread Alex
Hi,

 uri             LOCAL_URI_BITLY         m{https?://bit\.ly/\w{6}}
 describe        LOCAL_URI_BITLY         contains bit.ly link

 bit.ly is a legitimate URL-shortening service. Are you sure you want to
 penalize them?

Yes, I don't at all like to do this, but it doesn't take too many of
these before people complain, and it's more likely they'd receive one
that's spam than a valid URL.

Nonetheless, I would like to add to that the other HTML tags to
further qualify it, which is why I was using a rawbody over just a
URI. For the time being, I have Ned's suggestion in place over mine
because mine has problems, along with additional qualifiers (such as
FREEMAIL_FROM) to further reduce the FPs.

Other suggestions welcome...

Thanks,
Alex


Re: Freemail Rule help

2010-04-06 Thread John Hardin

On Tue, 6 Apr 2010, Alex wrote:


uri      LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}


For the time being, I have Ned's suggestion in place over mine because 
mine has problems, along with additional qualifiers (such as 
FREEMAIL_FROM) to further reduce the FPs.


Other suggestions welcome...


I'll throw it in the sandbox and see what likely combinations present 
themselves. It'll take a couple of days.




Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider

Adam Katz wrote:

On 15-May-2009, at 12:46, Adam Katz wrote:

uri URI_HIDDEN /.{7}\/\../


LuKreme wrote:

That won't catch
http://www.spammer.example.com/.../hidden-malware.asf, it will only
catch the relative url form ../path/to/content which SA improperly
prefaces with "http://"

uri URI_HIDDEN /.{8}\/\../


Works for me:

$ echo http://www.spammer.example.com/.../hidden-malware.asf |perl -ne
'$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
hits
$
$ echo 'href=../not/a/hidden/directory' |perl -ne '$_ = "http://$_"
unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
$



For some time now I've been running

uri LOCAL_URI_HIDDEN_DIR  /.{8}\/\../

as discussed above and it works extremely well with few FPs.

However, today I did notice a FP on this type of URI with multiple 
relative paths:


../../../../blah

So I've refined the rule to specifically exclude hitting on the sequence 
../. which stops the rule triggering on multiple relative paths.


uri LOCAL_URI_HIDDEN_DIR  /(?!.{6}\.\.\/\..).{8}\/\../

Tested, and all seems good so feel free to update if you're using this 
rule locally.


Note: I'm still on 3.2.5 so I don't know if this rule ever got 
officially picked up in 3.3.x




Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin

On Mon, 8 Mar 2010, Ned Slider wrote:


Adam Katz wrote:

   On 15-May-2009, at 12:46, Adam Katz wrote:
uri URI_HIDDEN /.{7}\/\../

 LuKreme wrote:
   That won't catch
   http://www.spammer.example.com/.../hidden-malware.asf, it will only
   catch the relative url form ../path/to/content which SA improperly
   prefaces with "http://"
  
   uri URI_HIDDEN /.{8}\/\../


 Works for me:

 $ echo http://www.spammer.example.com/.../hidden-malware.asf |perl -ne
 '$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
 hits
 $
 $ echo 'href=../not/a/hidden/directory' |perl -ne '$_ = "http://$_"
 unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
 $



For some time now I've been running

uri LOCAL_URI_HIDDEN_DIR  /.{8}\/\../

as discussed above and it works extremely well with few FPs.

However, today I did notice a FP on this type of URI with multiple relative 
paths:


../../../../blah

So I've refined the rule to specifically exclude hitting on the sequence ../. 
which stops the rule triggering on multiple relative paths.


uri LOCAL_URI_HIDDEN_DIR  /(?!.{6}\.\.\/\..).{8}\/\../


How about:

uri LOCAL_URI_HIDDEN_DIR  m;.{8}/\..(?!/);



Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider

John Hardin wrote:

On Mon, 8 Mar 2010, Ned Slider wrote:


So I've refined the rule to specifically exclude hitting on the 
sequence ../. which stops the rule triggering on multiple relative paths.


uri LOCAL_URI_HIDDEN_DIR  /(?!.{6}\.\.\/\..).{8}\/\../


How about:

uri LOCAL_URI_HIDDEN_DIR  m;.{8}/\..(?!/);



Yes, that works too on my examples and is probably a more elegant 
solution than mine :-)


John - are you able to try this rule in your sandbox and do mass checks? 
I'd be interested to see how it scores.
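A quick way to compare the three variants of the hidden-directory rule discussed in this thread on the URIs that were actually named is a small harness. The following is an added Python example, not code from the thread or from SpamAssassin; it ports the Perl patterns to Python's re module unchanged apart from the slash escaping, and applies the same "http://" prefix to relative URIs that Adam's one-liner does. The .well-known sample is constructed to show that all three patterns also hit a legitimate dot-directory, one reason such a rule is better kept low-scored or inside a meta.

```python
import re


def normalize_uri(uri):
    """SpamAssassin hands relative URIs to uri rules with an "http://" prefix
    (as noted in the thread); apply the same prefix so the tests match SA."""
    return uri if re.match(r"[a-z]+://", uri, re.I) else "http://" + uri


# The three rule bodies from this thread, ported from Perl "/.../" syntax to
# Python's re module; only the escaped slashes were changed.
RULES = {
    "ADAM": re.compile(r".{8}/\.."),                  # uri URI_HIDDEN /.{8}\/\../
    "NED":  re.compile(r"(?!.{6}\.\./\..).{8}/\.."),  # refuses the "../." sequence
    "JOHN": re.compile(r".{8}/\..(?!/)"),             # dot segment not followed by "/"
}


def evaluate(uri):
    """Which variants hit the (normalised) URI."""
    u = normalize_uri(uri)
    return {name: rx.search(u) is not None for name, rx in RULES.items()}


# Sample URIs: the first three are the ones quoted in the thread, the last is
# constructed to show a legitimate dot-directory that every variant hits.
SAMPLES = [
    "http://www.spammer.example.com/.../hidden-malware.asf",
    "../../../../blah",
    "href=../not/a/hidden/directory",
    "http://www.example.org/.well-known/acme-challenge/token",
]


def run_samples():
    """Evaluate every sample; returns {uri: {variant: hit}}."""
    return {uri: evaluate(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, hits in run_samples().items():
        flags = " ".join(f"{n}={'hit' if h else '-'}" for n, h in hits.items())
        print(f"{uri:60s} {flags}")
```

The output reproduces the thread: Adam's original pattern fires on the multi-level relative path, Ned's lookahead and John's trailing-slash exclusion both avoid it, and the hidden-malware URI hits all three. Extending SAMPLES with URIs from your own ham corpus is the cheapest form of the mass-check Ned asks for.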




Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin

On Mon, 8 Mar 2010, Ned Slider wrote:


John Hardin wrote:

 On Mon, 8 Mar 2010, Ned Slider wrote:
 
  So I've refined the rule to specifically exclude hitting on the sequence 
  ../. which stops the rule triggering on multiple relative paths.
 
   uri LOCAL_URI_HIDDEN_DIR  /(?!.{6}\.\.\/\..).{8}\/\../


 How about:

 uri LOCAL_URI_HIDDEN_DIR  m;.{8}/\..(?!/);



Yes, that works too on my examples and is probably a more elegant solution 
than mine :-)


John - are you able to try this rule in your sandbox and do mass checks? I'd 
be interested to see how it scores.


I'll add it.



Re: freemail vs dkim / spf

2009-12-09 Thread Matus UHLAR - fantomas
R-Elists wrote:
 
perkel wrote:
 I have yet to find ANY use for SPF. And SPF causes nothing but
  problems.
 
  Marc,
 
  why nothing but problems?
 
  is a lot of your system mail forward orientated?
 
  care to elaborate w/o going into the same old SPF diatribe?
 
  maybe there is something useful you havent had the aha factor on...
 
   - rh

On 07.12.09 11:59, Marc Perkel wrote:
Definitely no AHA. It breaks forwarding. Tell me about the aha.

It does NOT break e-mail forwarding. What is _affected_ by SPF is mail
forwarding without changing mail from:, which is already broken by design,
since the original sender sends mail to the forwarder, not to the forwarded
address, and it's the forwarder who sends mail to the forwarded address. Thus
the forwarder should take care of deliverability and should not supply the
sender's address.


Btw, please configure your MUA to quote, and use plaintext e-mail.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: freemail vs dkim / spf

2009-12-07 Thread Charles Gregory

On Sun, 6 Dec 2009, Benny Pedersen wrote:
i think it could be added to freemail.pm to test if sender domain have 
spf or dkim and if no spf and or no dkim consider it as a freemail 
domain ?


Nope. I run an ISP and basically my SPF amounts to 'neutral' because my 
users can send mail from any access anywhere in the world with our 
addresses on it (a situation that may change if I get SMTP-AUTH working). 
So unless SA differentiates between a *result* of 'neutral' and the simple 
absence of an SPF record, then our mail would be classified as 'free' by 
this logic, even though it is not.


- Charles


Re: freemail vs dkim / spf

2009-12-07 Thread Matus UHLAR - fantomas
 On Sun, 6 Dec 2009, Benny Pedersen wrote:
 i think it could be added to freemail.pm to test if sender domain have  
 spf or dkim and if no spf and or no dkim consider it as a freemail  
 domain ?

On 07.12.09 12:23, Charles Gregory wrote:
 Nope. I run an ISP and basically my SPF amounts to 'neutral' because my  
 users can send mail from any access anywhere in the world with our  
 addresses on it (a situation that may change if I get SMTP-AUTH working). 
 So unless SA differentiates between a *result* of 'neutral' and the 
 simple absence of an SPF record, then our mail would be classified as 
 'free' by this logic, even though it is not

it does:

score SPF_HELO_NEUTRAL 2.231 2.000 0.744 0.576



Re: freemail vs dkim / spf

2009-12-07 Thread Marc Perkel

Matus UHLAR - fantomas wrote:
> On Sun, 6 Dec 2009, Benny Pedersen wrote:
>> i think it could be added to freemail.pm to test if sender domain have
>> spf or dkim and if no spf and or no dkim consider it as a freemail
>> domain ?
>
> On 07.12.09 12:23, Charles Gregory wrote:
>> Nope. I run an ISP and basically my SPF amounts to 'neutral' because my
>> users can send mail from any access anywhere in the world with our
>> addresses on it (a situation that may change if I get SMTP-AUTH working).
>> So unless SA differentiates between a *result* of 'neutral' and the
>> simple absence of an SPF record, then our mail would be classified as
>> 'free' by this logic, even though it is not
>
> it does:
>
> score SPF_HELO_NEUTRAL 2.231 2.000 0.744 0.576

I have yet to find ANY use for SPF. And SPF causes nothing but problems.





RE: freemail vs dkim / spf

2009-12-07 Thread R-Elists
  perkel wrote: 
   I have yet to find ANY use for SPF. And SPF causes nothing but problems.
 
Marc,
 
why nothing but problems?
 
is a lot of your system mail forward orientated?
 
care to elaborate w/o going into the same old SPF diatribe?
 
maybe there is something useful you havent had the aha factor on...
 
 - rh 



Re: freemail vs dkim / spf

2009-12-07 Thread Marc Perkel

R-Elists wrote:
> perkel wrote:
>> I have yet to find ANY use for SPF. And SPF causes nothing but problems.
>
> Marc,
>
> why nothing but problems?
>
> is a lot of your system "mail forward" orientated?
>
> care to elaborate w/o going into the same old SPF diatribe?
>
> maybe there is something useful you havent had the "aha" factor on...
>
> - rh

Definitely no AHA. It breaks forwarding. Tell me about the aha.





Re: freemail vs dkim / spf

2009-12-07 Thread Mike Cardwell
On 07/12/2009 19:13, Marc Perkel wrote:

 I have yet to find ANY use for SPF. And SPF causes nothing but problems.

You can't have been looking very hard then. I whitelist mail from this
list and spam-l with these simple SPF rules in my user_prefs:

whitelist_from_spf *...@*.apache.org
whitelist_from_spf *...@spam-l.com

Very useful.

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/


Re: freemail vs dkim / spf

2009-12-06 Thread Michael Scheidell

Benny Pedersen wrote:


i think it could be added to freemail.pm to test if the sender domain has 
spf or dkim and, if no spf and/or no dkim, consider it a freemail 
domain ?


i dont know if it requires code changes to do this, but it makes sense 
for me at least to make it, no ?


objections, flames, as i like to know how others think about it


nothing in the RFC's requires the use of SPF or DKIM.
(even if RFC's require RDNS, valid hostnames, valid matching helo, you 
will lose legit email if you bounce email that violates rfc's)
RFC's require a working postmaster and abuse address (see 
www.rfc-ignorant.org), but you will bounce legit email if you use that.


My point is two fold:
#1, SPF and DKIM are not RFC required, and the lack of (or use of) these 
doesn't indicate freemail or not.
#2, even if it WAS required by RFC's, not all legit mail servers will 
use it (they can't even get their RDNS right)


oh, and that means we should mark all email from this mailing lists as 
freemail, because:

#1, it doesn't use SPF records
#2, it doesn't use DKIM signing

(yes, maybe YOU signed your email with DKIM, but apache added stuff to 
the bottom of the email and broke the sig), AND they don't use SPF.



--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008

_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com

_


Re: freemail vs dkim / spf

2009-12-06 Thread McDonald, Dan

On Dec 6, 2009, at 12:02 AM, Benny Pedersen m...@junc.org wrote:



i think it could be added to freemail.pm to test if sender domain  
have spf or dkim and if no spf and or no dkim consider it as a  
freemail domain ?



Sorry, but SPF and DKIM simply don't have the saturation required for  
that.


You could consider freemail without SPF or DKIM to be unverified  
freemail and give them an extra point or so, but beyond that I  
wouldn't see it as a useful spam sign.

--




Dan McDonald


Re: freemail vs dkim / spf

2009-12-06 Thread Henrik K
On Sun, Dec 06, 2009 at 07:14:31AM -0600, McDonald, Dan wrote:
 On Dec 6, 2009, at 12:02 AM, Benny Pedersen m...@junc.org wrote:


 i think it could be added to freemail.pm to test if sender domain have 
 spf or dkim and if no spf and or no dkim consider it as a freemail 
 domain ?


 Sorry, but SPF and DKIM simply don't have the saturation required for  
 that.

 You could consider freemail without SPF or DKIM to be unverified  
 freemail and give them an extra point or so, but beyond that I wouldn't 
 see it as a useful spam sign.

And all this can be done with meta rules if you want to, no need to touch
freemail code. I'll leave it as the OPs exercise..



Re: freemail vs dkim / spf

2009-12-06 Thread Marc Perkel



Benny Pedersen wrote:


i think it could be added to freemail.pm to test if the sender domain has 
spf or dkim and, if no spf and/or no dkim, consider it a freemail 
domain ?


i dont know if it requires code changes to do this, but it makes sense 
for me at least to make it, no ?


objections, flames, as i like to know how others think about it



I don't see the relationship that SPF has to freemail domains.


Re: freemail vs dkim / spf

2009-12-06 Thread McDonald, Dan

On Dec 6, 2009, at 12:56 PM, Marc Perkel m...@perkel.com wrote:




Benny Pedersen wrote:


i think it could be added to freemail.pm to test if sender domain  
have spf or dkim and if no spf and or no dkim consider it as a  
freemail domain ?




I don't see the relationship that SPF has to freemail domains.


Most freemail domains support either SPF or DKIM. But I can't form a  
syllogism that helps much, other than:


* spam often spoofs freemail addresses
* ham freemail usually matches SPF or is DKIM signed
* therefore, unsigned/unmatched freemail is likely spam.

But I think my daughter's logic teacher would be unconvinced...
--
Dan McDonald 
 


freemail vs dkim / spf

2009-12-05 Thread Benny Pedersen


i think it could be added to freemail.pm to test if the sender domain has  
spf or dkim and, if no spf and/or no dkim, consider it a freemail  
domain ?


i dont know if it requires code changes to do this, but it makes sense  
for me at least to make it, no ?


objections, flames, as i like to know how others think about it

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: more freemail domains: tunome.com

2009-06-25 Thread LuKreme

On 23-Jun-2009, at 06:31, McDonald, Dan wrote:

Guess I'd best make a list...


Share?


--
We all need help with our feelings. Otherwise, we bottle them up,
and before you know it powerful laxatives are involved.



more freemail domains: tunome.com

2009-06-23 Thread McDonald, Dan
AOL is making it easier for spammers to come up with unique names to
avoid the freemail.pm plugin.  They have a service called tunome.com
with about 150 domains that are freemail.  I just received a lottery
spam that used two of the tunome.com aliases.

Guess I'd best make a list...


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




RE: more freemail domains: tunome.com

2009-06-23 Thread Cory Hawkless
Ahh gotta love AOL!!
Look forward to seeing that list(Or part there of)

-Original Message-
From: McDonald, Dan [mailto:dan.mcdon...@austinenergy.com] 
Sent: Tuesday, 23 June 2009 10:02 PM
To: users@spamassassin.apache.org
Subject: more freemail domains: tunome.com

AOL is making it easier for spammers to come up with unique names to avoid
the freemail.pm plugin.  They have a service called tunome.com with about
150 domains that are freemail.  I just received a lottery spam that used two
of the tunome.com aliases.

Guess I'd best make a list...


--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com



Re: FreeMail plugin updated

2009-05-15 Thread Henrik K
On Sun, May 10, 2009 at 01:08:29PM +0300, Henrik K wrote:

 http://sa.hege.li/FreeMail.pm (see inside for some documentation)
 http://sa.hege.li/FreeMail.cf (for some examples)

I've added suggestion for this:

header   __freemail_reply  eval:check_freemail_replyto('reply')
meta     FREEMAIL_REPLY    (__freemail_reply && !FREEMAIL_REPLYTO)
describe FREEMAIL_REPLY    From and body are different freemails
score    FREEMAIL_REPLY    1

There is lots of mail that doesn't have Reply-To, only different From+body.
You need to use the new 'reply' option for this, the original rule only
works if Reply-To exists.

Cheers,
Henrik



Re: FreeMail plugin updated - banks

2009-05-15 Thread Adam Stephens

LuKreme wrote:

On 12-May-2009, at 18:27, John Hardin wrote:

uri  URI_HIDDEN  /\/\../



Ah, that's very very nice.

Scoring it at 3.0, too aggressive?



I'd say so - I'm seeing lots of FPs on this, most prominently on mail 
from mail.elsevier-alerts.com


--

Adam Stephens
Network Specialist - Email  DNS
adam.steph...@bristol.ac.uk



Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin

On Fri, 15 May 2009, Adam Stephens wrote:


LuKreme wrote:

 On 12-May-2009, at 18:27, John Hardin wrote:
  uri  URI_HIDDEN  /\/\../

 Ah, that's very very nice.

 Scoring it at 3.0, too aggressive?


I'd say so - I'm seeing lots of FPs on this, most prominently on mail 
from mail.elsevier-alerts.com


Really? Sites are sending out legitimate URLs pointing to hidden 
directories?


Could you post an example, please? This I gotta see...

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the place of government to make right every tragedy and
  woe that befalls every resident of the nation.
---
 6 days until the 5th anniversary of SpaceshipOne winning the X-prize


Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider

Adam Stephens wrote:
> LuKreme wrote:
>> On 12-May-2009, at 18:27, John Hardin wrote:
>>> uri URI_HIDDEN /\/\../
>>
>> Ah, that's very very nice.
>>
>> Scoring it at 3.0, too aggressive?
>
> I'd say so - I'm seeing lots of FPs on this, most prominently on mail
> from mail.elsevier-alerts.com

I believe if the rule is strict enough such that it doesn't FP, then a
score of 3 is not inappropriate. The problem with the rule as it stands
above is that it appears to be hitting on something other than /. in a URI.

I saw a FP on this today also that I don't quite understand. I searched
the text of the email and no matches against the string \. were found
(most likely as the encoding was quoted-printable) and manually checking
the URIs didn't help much either. I'm not sure what's causing it to FP.

In the meantime I'm going to revert to something closer to my original
implementation which doesn't FP on the examples I have:

uri URI_HIDDEN /\w\/\.\w/
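
To make the difference between the two URI_HIDDEN rule bodies in this thread concrete, here is an added example (not from the thread or from SpamAssassin itself) that runs both regexes over a few constructed URIs; the sample URIs are made up for illustration, and the patterns are the quoted rule bodies taken verbatim.

```python
import re

# Added example, not from the thread: compare the two URI_HIDDEN rule
# bodies quoted above. The re module treats these patterns exactly as
# Perl does, so the results carry over to the SpamAssassin rules.
URI_HIDDEN_ORIG = re.compile(r"/\..")       # John Hardin's  /\/\../
URI_HIDDEN_STRICT = re.compile(r"\w/\.\w")  # Ned Slider's   /\w/\.\w/

# Constructed sample URIs (not real sites), labelled with the outcome a
# "hidden directory" rule is meant to produce. SpamAssassin's uri rules
# run against each URI extracted from the decoded body, one at a time,
# so a quoted-printable body does not change what the regex sees.
SAMPLE_URIS = {
    "http://example.net/.hidden/login.php":   "hidden dir (should hit)",
    "http://example.net/images/.tmp/x.gif":   "hidden dir (should hit)",
    "http://example.net/img/../style.css":    "parent-dir path (not hidden)",
    "http://example.net/./index.html":        "same-dir path (not hidden)",
    "http://mail.example.com/track/open":     "plain URI (no dot after slash)",
}


def hits(uri, pattern=URI_HIDDEN_ORIG):
    """Return True when the given rule body matches the URI."""
    return pattern.search(uri) is not None


def compare(uris=SAMPLE_URIS):
    """Return {uri: (orig_hit, strict_hit)} for each sample URI."""
    return {u: (hits(u, URI_HIDDEN_ORIG), hits(u, URI_HIDDEN_STRICT))
            for u in uris}


def false_positives(uris=SAMPLE_URIS):
    """URIs the original rule flags but the stricter rule does not.

    The original body only needs "/." plus any character, so "/../" and
    "/./" in an ordinary relative path satisfy it; the stricter body
    requires a word character on both sides, which those paths lack.
    """
    return [u for u, (orig, strict) in compare(uris).items()
            if orig and not strict]


if __name__ == "__main__":
    print("orig  strict  uri")
    for uri, (orig, strict) in compare().items():
        print(f"{str(orig):5} {str(strict):6}  {uri}  ({SAMPLE_URIS[uri]})")
```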




Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider

John Hardin wrote:
> On Fri, 15 May 2009, Adam Stephens wrote:
>
>> LuKreme wrote:
>>> On 12-May-2009, at 18:27, John Hardin wrote:
>>>> uri URI_HIDDEN /\/\../
>>>
>>> Ah, that's very very nice.
>>>
>>> Scoring it at 3.0, too aggressive?
>>
>> I'd say so - I'm seeing lots of FPs on this, most prominently on mail
>> from mail.elsevier-alerts.com
>
> Really? Sites are sending out legitimate URLs pointing to hidden
> directories?
>
> Could you post an example, please? This I gotta see...

I don't so much think it's a case of them containing hidden dirs, but
rather for some reason the rule misfires (maybe??).

Anyway, here's an example I saw today where I can't see why the rule fired:

http://pastebin.com/m1268fbe6


