Re: emailBL code

2009-05-01 Thread Adam Katz
I forgot to also mention honeypots here. Create a few accounts whose sole purpose is finding these phishing attacks. They are email accounts which will appear to fall victim to the attack, sending their "password" which gains "access" to the company's web portal. Of course, all this "access" doe

Re: emailBL code

2009-05-01 Thread Adam Katz
Jesse Thompson wrote: > Possible values for TYPE: > E: The ADDRESS (usually in the From header) might receive replies > but it was not intended to receive the replies. Oh! That's a new one. Changes my code. My code now supports Z as requesting a hidden email address, A-J

Re: Almost no score

2009-05-01 Thread Adam Katz
LuKreme wrote: > On 1-May-2009, at 12:04, Adam Katz wrote: >> mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/ >> body __PNG_240_400 eval:image_size_exact('png',240,400) >> meta DSCL4DIG_PNG __DSCL4_PNG && __PNG_240_400 >> describe DSCL4DIG_PNG Supposed digital camera

Re: Almost no score

2009-05-01 Thread Ned Slider
John Hardin wrote: On Fri, 1 May 2009, Ned Slider wrote: Can you please explain the rationale behind your scoring. I've just installed these 3 rules to test and so far either all 3 are being triggered on spam, or none at all. Presumably BOUNDARY is deemed safer (less FP potential) than OUTLOO

Re: Almost no score

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, Ned Slider wrote: Can you please explain the rationale behind your scoring. I've just installed these 3 rules to test and so far either all 3 are being triggered on spam, or none at all. Presumably BOUNDARY is deemed safer (less FP potential) than OUTLOOK_12 or OUTLOOK_16.

Re: Almost no score

2009-05-01 Thread Ned Slider
LuKreme wrote: This is what I have in local.cf (single lines) header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi # " header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]

Re: emailBL code

2009-05-01 Thread Adam Katz
Mandy wrote: > I work for a Canadian provincial government, on a system with about > 50,000 mailboxes. I scanned our outbound mail logs over the past 6 > months with this data. There were 31 replies to "Your webmail is > expired!! !" type messages in that period. > > If we had had been blocking

Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
On Friday 01 May 2009, Karsten Bräckelmann wrote: >On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote: >> bayes: unknown packing format for bayes db, please re-learn: 73 at >> /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line >> 1883. >> >> This seems to be repeated at a

Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
On Friday 01 May 2009, Theo Van Dinter wrote: >I would say it's less someone poisoning your DB and more your DB >becoming corrupt. As it says, a pack format of dec(73) is not a valid >value. It's set by the BayesStore module itself, not influenced by >the token in question. > >You can try to do a

Re: emailBL code

2009-05-01 Thread Mandy
On Fri, May 1, 2009 at 7:52 AM, Jesse Thompson wrote: > Yet Another Ninja wrote: >> >> I'm trying hard to convince myself this data is really useful. I work for a Canadian provincial government, on a system with about 50,000 mailboxes. I scanned our outbound mail logs over the past 6 months with

Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
On Friday 01 May 2009, Theo Van Dinter wrote: >I would say it's less someone poisoning your DB and more your DB >becoming corrupt. As it says, a pack format of dec(73) is not a valid >value. It's set by the BayesStore module itself, not influenced by >the token in question. > >You can try to do a

Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread mouss
jason_quick wrote: > Hello, > > I have been trying to find a way to automatically move messages that have > been tagged as spam by SA to my virtual users' .Junk folder. I need this to > happen server-side because my users use IMAP, and most email clients don't > allow filtering rules to deposit

Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread LuKreme
On 1-May-2009, at 11:23, jason_quick wrote: I have been trying to find a way to automatically move messages that have been tagged as spam by SA to my virtual users' .Junk folder. I use procmail to do this on the server. I need this to happen server-side because my users use IMAP, and most e

Re: Almost no score

2009-05-01 Thread LuKreme
On 1-May-2009, at 12:04, Adam Katz wrote: mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/ body __PNG_240_400 eval:image_size_exact('png',240,400) meta DSCL4DIG_PNG __DSCL4_PNG && __PNG_240_400 describe DSCL4DIG_PNG Supposed digital camera photo is a PNG Probably t

Re: Almost no score

2009-05-01 Thread LuKreme
On 1-May-2009, at 08:48, Charles Gregory wrote: Uh, what do these 'ratware' rules trigger on? Spammish message IDs with spammish MIME boundary tags. Message-ID: <000d01c9c74c$bc2f05d0$6400a...@venomousf> From: "Shannon England" Subject: We hae the best alarm-clocks for your little buddy down

Re: emailBL code

2009-05-01 Thread Jesse Thompson
John Hardin wrote: On Fri, 1 May 2009, Adam Katz wrote: The emailBL mechanism could easily be populated by a spamtrap, but the danger from false positives (forged sender addresses) would be quite real. On a related note: you also need to worry about the phishers intentionally forging the Rep

Re: [SA] Almost no score

2009-05-01 Thread Martin Gregorie
On Fri, 2009-05-01 at 14:04 -0400, Adam Katz wrote: > mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/ > body __PNG_240_400 eval:image_size_exact('png',240,400) > meta DSCL4DIG_PNG __DSCL4_PNG && __PNG_240_400 > describe DSCL4DIG_PNG Supposed digital camera photo is

Re: [SA] Almost no score

2009-05-01 Thread Adam Katz
John Hardin wrote: >> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/ > > It seems a wave of image spam is going out. Would it be reasonable to > push this rule (with suitable modifications for length, etc.) and/or the > ImageInfo version out as a base SA update so that the mo

Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, John Hardin wrote: On Fri, 1 May 2009, jason_quick wrote: I have been trying to find a way to automatically move messages that have been tagged as spam by SA to my virtual users' .Junk folder. Strictly speaking that isn't the province of SA. SA is only a scoring tool.

Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread Dave Walker
jason_quick wrote: > Hello, > > I have been trying to find a way to automatically move messages that have > been tagged as spam by SA to my virtual users' .Junk folder. I need this to > happen server-side because my users use IMAP, and most email clients don't > allow filtering rules to deposit mai

Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, jason_quick wrote: I have been trying to find a way to automatically move messages that have been tagged as spam by SA to my virtual users' .Junk folder. Strictly speaking that isn't the province of SA. SA is only a scoring tool. procmail-3.22-17.1 If procmail is your

Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread Evan Platt
At 10:23 AM 5/1/2009, you wrote: I have been trying to find a way to automatically move messages that have been tagged as spam by SA to my virtual users' .Junk folder. I need this to happen server-side because my users use IMAP, and most email clients don't allow filtering rules to deposit mail i

Re: [SA] emailBL code

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, Adam Katz wrote: John Hardin wrote: How would the phisher collect the password info from their target using a forged sender address? A web form. Hrm. Okay, I'll buy that. If you're going to spearfish a specific organization then it would be reasonable to put the effort

Re: Re: Bombed by PNG spam and spamassassin say its HAM

2009-05-01 Thread Michelle Konzack
Hi Bob, On 2009-04-30 21:41:30, Bob Proulx wrote: > I was about to write the list and ask if there is a rule that could be > triggered when a message no only an image part but no text parts. I > have no idea how to create it but that would be very useful for me and > this type of spam. As far

Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread jason_quick
Hello, I have been trying to find a way to automatically move messages that have been tagged as spam by SA to my virtual users' .Junk folder. I need this to happen server-side because my users use IMAP, and most email clients don't allow filtering rules to deposit mail into an IMAP folder. My MTA

Re: [SA] emailBL code

2009-05-01 Thread Adam Katz
John Hardin wrote: > How would the phisher collect the password info from their target using > a forged sender address? A web form.

Re: emailBL code

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, Yet Another Ninja wrote: Only little drawback is how to centralize (or not) all this gold to make it useful to more than me and my dog. I (and I'm sure others) would be willing to feed phishing corpora from our quarantines, so long as it's easy to do. -- John Hardin KA7OH

Re: Almost no score

2009-05-01 Thread John Hardin
mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/ It seems a wave of image spam is going out. Would it be reasonable to push this rule (with suitable modifications for length, etc.) and/or the ImageInfo version out as a base SA update so that the most people can benefit?

Re: emailBL code

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, Adam Katz wrote: The emailBL mechanism could easily be populated by a spamtrap, but the danger from false positives (forged sender addresses) would be quite real. How would the phisher collect the password info from their target using a forged sender address? Suggestion:

Re: Almost no score

2009-05-01 Thread John Hardin
On Fri, 1 May 2009, Raymond Dijkxhoorn wrote: mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/ Make that 4,5 since they also vary the size of the filenames... You might also want to use "\d" instead of "[0-9]". Bytes don't grow on trees, y'know. :) -- John Hardin KA7

Re: ifspamh error logs

2009-05-01 Thread Karsten Bräckelmann
On Fri, 2009-05-01 at 01:38 -0700, an anonymous Nabble wrote: > I am trying to get ifspamh working within my .qmail- file but there is > obviously an error either with the vars set up within the ifspamh file or > somewhere else as the emails are just looping until I change the > .qmail- file back.

Re: Bombed by PNG spam and spamassassin say its HAM

2009-05-01 Thread Bob Proulx
Dave Funk wrote: > Bob Proulx wrote: >> I was about to write the list and ask if there is a rule that could be >> triggered when a message [contains] only an image part but no text parts. > There should already be rules for that exact format. Which rules? I see no rule hits here. I see that I c

Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Karsten Bräckelmann
On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote: > bayes: unknown packing format for bayes db, please re-learn: 73 at > /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line > 1883. > > This seems to be repeated at about 3x for every spam I put in the spam folder. > Ob

Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Theo Van Dinter
I would say it's less someone poisoning your DB and more your DB becoming corrupt. As it says, a pack format of dec(73) is not a valid value. It's set by the BayesStore module itself, not influenced by the token in question. You can try to do a dump/verify/restore ... ala: sa-learn --sync sa-l

Re: Almost no score

2009-05-01 Thread Jeff Mincy
From: Charles Gregory Date: Fri, 1 May 2009 10:48:00 -0400 (EDT) Uh, what do these 'ratware' rules trigger on? The rules trigger on spam with a particular Message-Id and boundary pattern. How effective are they, and what are the chances of false positives? For last month the KB

Re: emailBL code

2009-05-01 Thread Yet Another Ninja
On 5/1/2009 4:52 PM, Jesse Thompson wrote: Yet Another Ninja wrote: I'm trying hard to convince myself this data is really useful. the whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008 compared to the big_b

Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
Greetings all; I have a script that runs daily against whatever I put in the spam folder, and it is suddenly having a hard time. The error: bayes: unknown packing format for bayes db, please re-learn: 73 at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883. This

Re: Almost no score

2009-05-01 Thread Craig
I could be asking the same thing as Charles, if I am I apologize. I installed the rules below, ran the headers.txt file- thru SA and the rules did not trigger. Do I need to configure something else? Thanks Craig >>> Charles Gregory 5/1/2009 9:48 AM >>> Uh, what do these 'ratware' rules tri

RE: Almost no score

2009-05-01 Thread Jean-Paul Natola
On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote: > Hi all, > > I just upgraded to 3.2.5 ran sa-update and I got this message with only one > rule tripped > > I'm putting a link to the message as well as the headers > > If anyone can shed some light here , I would appreciate it. >

Re: Almost no score

2009-05-01 Thread Charles Gregory
On Thu, 30 Apr 2009, LuKreme wrote: A tip: the PNG takes up considerably more disk space (and thus loading time) and you're not increasing any quality (since it was originally lossy). Actually, the PNGs load considerably faster for me as desktop images, which is why I convert them. I agree th

Re: emailBL code

2009-05-01 Thread Jesse Thompson
Yet Another Ninja wrote: I'm trying hard to convince myself this data is really useful. the whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008 compared to the big_boyz my trap feed is quite small and I collec

Re: Almost no score

2009-05-01 Thread Charles Gregory
Uh, what do these 'ratware' rules trigger on? How effective are they, and what are the chances of false positives? - Charles On Thu, 30 Apr 2009, LuKreme wrote: (single lines) header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="=_Ne

Re: 'anti' AWL

2009-05-01 Thread Charles Gregory
On Thu, 30 Apr 2009, LuKreme wrote: No, the sender's AWL HURTS new spam. If the score is -2 from the AWL then -2 > * -0.2 = 0.4 Ah. Missed the negative. Then this particular piece of the logic is good. The odds of any AWL(perIP) other than the legit sender having a negative average are vanishi

Re: emailBL code

2009-05-01 Thread Adam Katz
Yet Another Ninja wrote: >> I'm trying hard to convince myself this data is really useful. >> >> the whole >> http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses >> file has 4518 entries, including vintage 2008 >> >> compared to the big_boyz my trap feed is quite s

Re: emailBL code

2009-05-01 Thread Mike Cardwell
Yet Another Ninja wrote: This is not to suggest that I ever understood the part about using half-length MD5. No need. I'm using full-length hashes now, plus the SURBL/chmod style IP addresses. I must have lost the email I was composing on the topic, but it's fully propagated by now. I've at

Re: emailBL code

2009-05-01 Thread Yet Another Ninja
On 5/1/2009 3:56 PM, Adam Katz wrote: Jeff Moss wrote: This is not to suggest that I ever understood the part about using half-length MD5. No need. I'm using full-length hashes now, plus the SURBL/chmod style IP addresses. I must have lost the email I was composing on the topic, but it's ful

emailBL code

2009-05-01 Thread Adam Katz
Jeff Moss wrote: > This is not to suggest that I ever understood the part about using > half-length MD5. No need. I'm using full-length hashes now, plus the SURBL/chmod style IP addresses. I must have lost the email I was composing on the topic, but it's fully propagated by now. I've attached m

Re: spamassassin block *.png

2009-05-01 Thread vibi
I use FuzzyOCR and a large portion of spam is cleared to image. But the news from *. png does not want to cut out: ( I made a record: mimeheader GIF_ATTACHMENT Content-Type =~ /image\/gif;\s*(\n\s+)?name=""/ mimeheader PNG_ATTACHMENT Content-Type =~ /image\/png;\s*(\n\s+)?name=""/ How d

RE: my emailBL is live!

2009-05-01 Thread Jeff Moss
>> The chance of a collision really is much smaller than I thought, even >> including the birthday paradox. But rather than just say it's small and >> ask you to take my word for it I'm providing a link. The Wikipedia page >> for Birthday Attack has a chart that shows the probability of collision

Re: spamassassin block *.png

2009-05-01 Thread Dennis Davis
On Fri, 1 May 2009, vibi wrote: > From: vibi > To: users@spamassassin.apache.org > Date: Fri, 1 May 2009 02:56:34 -0700 (PDT) > Subject: spamassassin block *.png > > How to use spamassassin block *.png so that going to the quarantine? > 100% of spam that gets to me a plain e-mail with attachment

spamassassin block *.png

2009-05-01 Thread vibi
Hello, how do I use spamassassin to block *.png so that it goes to the quarantine? 100% of the spam that gets to me is a plain e-mail with a *.png attachment

Re: Almost no score

2009-05-01 Thread Raymond Dijkxhoorn
Hi! mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/ Looks like they've changed from DSL to DSC! I have a few with DSC in today's quarantine, but they were caught by BOTNET rules. Methinks it's time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe even [A-

ifspamh error logs

2009-05-01 Thread dave_c00
Hi, I am trying to get ifspamh working within my .qmail- file but there is obviously an error either with the vars set up within the ifspamh file or somewhere else as the emails are just looping until I change the .qmail- file back. I want to maybe try and run the ifspamh command from the line t