Re: is DOS_OUTLOOK_TO_MX too low?

2008-01-28 Thread Jason Haar

Joseph Brennan wrote:

> I looked at our spam reports (spam that was not rejected).  It looks to
> me like the biggest target to go for is mail supposedly from The Bat!
> direct to your MX.  Most of the supposed The Bat! spam matches, and it
> is very low scoring.

Yes - I just saw that too - like Outlook, "The Bat!" is an MUA and
shouldn't be making direct connections to other SMTP servers.

> Most of our reported spam supposedly from Outlook has a faked Received
> header at the bottom, making it look as if the real origin is the next
> hop, as if it was the smtp server.

Yeah - it is true that all the spammers have to do is add a good faked
Received: header to bypass any work done in this area. However, there
are obviously still some stupid spammers out there ;-)



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: is DOS_OUTLOOK_TO_MX too low?

2008-01-28 Thread Joseph Brennan

> For those that don't know it means "Delivered direct to MX with Outlook
> headers". Sounds like a good rule: Outlook isn't an MTA so shouldn't be
> able to connect directly to MX records - except for its configured
> SMTP server.

I looked at our spam reports (spam that was not rejected).  It looks to
me like the biggest target to go for is mail supposedly from The Bat!
direct to your MX.  Most of the supposed The Bat! spam matches, and it
is very low scoring.

Most of our reported spam supposedly from Outlook has a faked Received
header at the bottom, making it look as if the real origin is the next
hop, as if it was the smtp server.

Joseph Brennan
Columbia University Information Technology




Re: is DOS_OUTLOOK_TO_MX too low?

2008-01-26 Thread Karsten Bräckelmann
On Sat, 2008-01-26 at 20:37 -0500, Daryl C. W. O'Shea wrote:
> Jason Haar wrote:

> > I just got a spam msg with a score of 4/5 and for the first time noticed
> > the DOS_OUTLOOK_TO_MX rule.
> > 
> > For those that don't know it means "Delivered direct to MX with Outlook
> > headers". Sounds like a good rule: Outlook isn't an MTA so shouldn't be
> > able to connect directly to MX records - except for its configured SMTP
> > server.
> 
> The rule does work good... 50% of its spam hits are on mail scored 5 or
> less.

Indeed, this rule seems to hit mostly on "low scoring" mail. Granted, I
checked against 2 weeks worth of spam only -- however, the hits in 15+
scoring spam are almost negligible. But it does hit a few percent in my
10-15 range. (Note: These results include some special, custom crafted
rules which apply to my env only.)

This does have some potential, to push a few more spams above the edge
of 15 points. No hits in my 0.08% of FNs, though.

Thanks, Daryl, for the rule and the reassuring explanation! And thanks
Jason for bringing it up in the first place. If you'd excuse me now,
I'll go raise that score. :)


> > But it only has a score of 1.0. I just looked through a week's worth of
> > SA logs and all the emails we received that triggered DOS_OUTLOOK_TO_MX
> > - but didn't get tagged as spam - were spam. So it seems to me that rule
> > is a better indicator than it's given credit for?
> 
> When I wrote the rule and added it to the updates, in September, it was
> scoring poorly due to what I believe was probably dirty corpora.  I
> didn't have the tuits at the time to investigate it.  Current mass-check
> results show that it hit on 12 of 164,411 ham messages (all from zmi's
> corpus of 6175 ham messages), so not too bad.

Hmm, given these rare hits are isolated in a *single* corpus (0.2%, in
contrast to a whopping 0.0073% total) it would be really interesting to
investigate the reason for these hits.

Hey, it's checking 12 messages only! I'd even volunteer doing this. ;)


> > In fact, shouldn't that rule be generalized to DOS_MUA_TO_MX? I mean the
> > same rule applies for Thunderbird, mutt, etc...? If there's an X-Mailer:
> > header, then there should be an intermediary MTA before it hits yours?

I'm not sure about that generalization. What about web-site feedback
form mailers -- which "your" users might use? I've seen them add these
headers, too. Point is, they are no MUAs.

  guenther





Re: is DOS_OUTLOOK_TO_MX too low?

2008-01-26 Thread Daryl C. W. O'Shea
Jason Haar wrote:
> Hi there
> 
> I just got a spam msg with a score of 4/5 and for the first time noticed
> the DOS_OUTLOOK_TO_MX rule.
> 
> For those that don't know it means "Delivered direct to MX with Outlook
> headers". Sounds like a good rule: Outlook isn't an MTA so shouldn't be
> able to connect directly to MX records - except for its configured SMTP
> server.

The rule does work good... 50% of its spam hits are on mail scored 5 or
less.

> But it only has a score of 1.0. I just looked through a week's worth of
> SA logs and all the emails we received that triggered DOS_OUTLOOK_TO_MX
> - but didn't get tagged as spam - were spam. So it seems to me that rule
> is a better indicator than it's given credit for?

When I wrote the rule and added it to the updates, in September, it was
scoring poorly due to what I believe was probably dirty corpora.  I
didn't have the tuits at the time to investigate it.  Current mass-check
results show that it hit on 12 of 164,411 ham messages (all from zmi's
corpus of 6175 ham messages), so not too bad.

> As long as our network is configured to handle our own SMTP clients
> correctly (as it is: we don't run SA on locally generated mail), does
> anyone see a problem with pushing that score up to (say) 3.0?

Part of the reason I didn't initially increase the score was that it's
not unheard of for Outlook headers to show up in list mail... some
mailing lists strip all existing received headers before sending the
mail (the rule tries to detect that though) and there's the case of
people composing a message in Outlook and then sending it with their
mass email program directly to your MX.  So FPs are conceptually possible.

Current scoring suggests that 3.6 would be suitable (it's what would get
assigned if we cut a release today and made no manual adjustments), so
3.0 should be safe.

> In fact, shouldn't that rule be generalized to DOS_MUA_TO_MX? I mean the
> same rule applies for Thunderbird, mutt, etc...? If there's an X-Mailer:
> header, then there should be an intermediary MTA before it hits yours?

I targeted Outlook and OE headers since they are (and were at the time)
the ones most abused and were the only spams I had seen with MUA headers
and no extra received headers that were getting through SA.

Adding a rule for other MUAs wouldn't necessarily be a bad idea... it's
basically a free rule processing-wise (you can probably do it entirely
with a meta rule... we already have rules for many MUAs).  You just have
to keep in mind that the more MUAs you accept for the rule the greater
the chance of the list mail style FPs.  I've yet to see spam that would
'benefit' from such a rule so haven't yet bothered with weighing this FP
risk.

Additionally, and as you've mentioned this doesn't apply to you, there's
the issue of releasing such a rule to everyone since there are so
many setups out there with completely broken trust configurations.

Daryl
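The thread above describes the idea behind the rule (MUA headers present, but no Received header from any MTA other than your own MX) and its two known limits: a forged Received line at the bottom (Joseph's observation) and broken trust configurations. The following Python sketch is an added illustration only; it is not SpamAssassin's code and not Daryl's DOS_OUTLOOK_TO_MX rule. The X-Mailer patterns, the trusted relay set and the sample messages are all constructed for the example; the real SpamAssassin MUA rules use their own regexes.

```python
"""Simplified 'MUA headers but delivered straight to our MX' check.

Added illustration only: not SpamAssassin code and not the DOS_OUTLOOK_TO_MX
rule itself, just the idea behind it written out in plain Python.
"""
import email
import re
from email import policy

# Constructed X-Mailer / User-Agent patterns for the MUAs named in the thread
# (assumption: the real SpamAssassin MUA rules use their own, stricter regexes).
MUA_PATTERNS = {
    "outlook": re.compile(r"^Microsoft (Office )?Outlook( Express)?\b", re.I),
    "thebat": re.compile(r"^The Bat!", re.I),
    "thunderbird": re.compile(r"\bThunderbird\b", re.I),
    "mutt": re.compile(r"^Mutt/", re.I),
}

# Hostname in the "by <host>" clause of a Received header.
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def detect_mua(msg):
    """Return the MUA name implied by X-Mailer or User-Agent, or None."""
    for hdr in ("X-Mailer", "User-Agent"):
        value = msg.get(hdr)
        if not value:
            continue
        for name, pattern in MUA_PATTERNS.items():
            if pattern.search(str(value)):
                return name
    return None


def received_by_hosts(msg):
    """'by' hostnames of all Received headers, newest (topmost) first."""
    hosts = []
    for rec in msg.get_all("Received", []):
        match = BY_HOST.search(" ".join(str(rec).split()))
        hosts.append(match.group(1).lower() if match else "")
    return hosts


def mua_direct_to_mx(raw, trusted_hosts):
    """Return (hit, reason).

    hit is True when the message carries MUA headers and every Received header
    was stamped by one of our own trusted relays, i.e. nothing below them claims
    an intermediary MTA. A Received line forged at the bottom looks exactly like
    a real upstream hop to this check, so such messages do not fire.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    mua = detect_mua(msg)
    if mua is None:
        return False, "no MUA header"
    hops = received_by_hosts(msg)
    if not hops:
        return False, "no Received headers at all"
    trusted = {h.lower() for h in trusted_hosts}
    # Peel off the hops added by our own MX / internal relays at the top.
    i = 0
    while i < len(hops) and hops[i] in trusted:
        i += 1
    if i == 0:  # our own MX is not trusted: a broken trust configuration
        return False, "top Received header not from a trusted relay"
    remaining = hops[i:]
    if remaining:
        return False, f"{mua} headers but relayed via {remaining[0] or 'unknown host'}"
    return True, f"{mua} headers delivered directly to MX"


# Constructed sample messages (documentation addresses only); mx.example.org
# plays the role of "our" MX.
TRUSTED_RELAYS = {"mx.example.org"}

DIRECT_OUTLOOK = """\
Received: from dsl-192-0-2-4.example.net (dsl-192-0-2-4.example.net [192.0.2.4])
\tby mx.example.org with ESMTP; Sat, 26 Jan 2008 10:00:00 +1300
From: sender@example.net
To: user@example.org
Subject: constructed sample 1
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

(body)
"""

RELAYED_OUTLOOK = """\
Received: from smtp.isp.example.net (smtp.isp.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Sat, 26 Jan 2008 10:00:00 +1300
Received: from pc.home.example.net ([192.0.2.77])
\tby smtp.isp.example.net with ESMTPA; Sat, 26 Jan 2008 09:59:00 +1300
From: sender@example.net
To: user@example.org
Subject: constructed sample 2
X-Mailer: Microsoft Office Outlook 11

(body)
"""

# Sample 1 plus a fabricated bottom Received line, the evasion Joseph describes.
FORGED_BOTTOM = DIRECT_OUTLOOK.replace(
    "From: sender@example.net",
    "Received: from mail.example.com by smtp.example.net; Sat, 26 Jan 2008 09:58:00 +1300\n"
    "From: sender@example.net",
)

DIRECT_THEBAT = """\
Received: from [192.0.2.50] (unknown [192.0.2.50])
\tby mx.example.org with SMTP; Sat, 26 Jan 2008 10:05:00 +1300
From: other@example.net
To: user@example.org
Subject: constructed sample 4
X-Mailer: The Bat! (v3.99.3) Professional

(body)
"""

if __name__ == "__main__":
    for label, raw in [("direct Outlook", DIRECT_OUTLOOK), ("relayed Outlook", RELAYED_OUTLOOK),
                       ("forged bottom hop", FORGED_BOTTOM), ("direct The Bat!", DIRECT_THEBAT)]:
        print(f"{label:18s} -> {mua_direct_to_mx(raw, TRUSTED_RELAYS)}")
```

Running it fires on the two direct deliveries and stays quiet on the relayed message and on the forged-hop message, which is exactly the blind spot Jason and Joseph discuss; Karsten's web form mailers would land in the "hit" bucket as well, which is why generalising the rule to every MUA raises the FP risk Daryl mentions.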



is DOS_OUTLOOK_TO_MX too low?

2008-01-26 Thread Jason Haar

Hi there

I just got a spam msg with a score of 4/5 and for the first time noticed
the DOS_OUTLOOK_TO_MX rule.

For those that don't know it means "Delivered direct to MX with Outlook
headers". Sounds like a good rule: Outlook isn't an MTA so shouldn't be
able to connect directly to MX records - except for its configured SMTP
server.

But it only has a score of 1.0. I just looked through a week's worth of
SA logs and all the emails we received that triggered DOS_OUTLOOK_TO_MX
- but didn't get tagged as spam - were spam. So it seems to me that rule
is a better indicator than it's given credit for?

As long as our network is configured to handle our own SMTP clients
correctly (as it is: we don't run SA on locally generated mail), does
anyone see a problem with pushing that score up to (say) 3.0?

In fact, shouldn't that rule be generalized to DOS_MUA_TO_MX? I mean the
same rule applies for Thunderbird, mutt, etc...? If there's an X-Mailer:
header, then there should be an intermediary MTA before it hits yours?


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1