Posted to users@spamassassin.apache.org by Jean-Paul Natola <jn...@familycareintl.org> on 2009/06/02 15:10:24 UTC
word doc spam
Hi all,
Is there a rule to catch these messages with no body and a 550-byte Word
attachment?
thx
The only rule it's triggering is the
RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
Re: word doc spam
Posted by LuKreme <kr...@kreme.com>.
On 2-Jun-2009, at 07:10, Jean-Paul Natola wrote:
> Is there a rule to catch these messages with no body and a 550-byte
> Word attachment?
I reject .doc attachments since they can carry macro virus payloads.
--
We will fight for Bovine Freedom and hold our large heads high
We will run free with the Buffalo or die
Re: word doc spam
Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Jun 2009, Yet Another Ninja wrote:
> On 6/2/2009 7:55 PM, John Hardin wrote:
>>
>> Oh, sorry, I got that backwards checking for _not_ PHP... Never mind
>> those last rules.
>>
>> The mailer is going to be easy to change (even randomly) in a spam tool.
>> I'd suggest that it's not valid to check that for this test,
>
> Could be but all the hits I saw with the .png and .rtf files had the PHP
> X-mailer in them.
Perhaps this, then?
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
header __XM_PHP X-Mailer =~ /^PHP\s?v?\/?\d\./
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
score MIME_NO_TEXT 1.00
describe MIME_NO_TEXT No text body parts
meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __XM_PHP)
score MIME_PHP_NO_TEXT 2.00
describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
RE: word doc spam
Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
> ftp://ftp.fcimail.org/IT/SA_Sample/message.txt
Yep, the rules below will hit on that message.
> -----Original Message-----
> From: John Hardin [mailto:jhardin@impsec.org]
> Sent: Tuesday, June 02, 2009 11:18 AM
> To: SpamAssassin Users List
> Subject: Re: word doc spam
>
> On Tue, 2 Jun 2009, Dave Walker wrote:
>
>> John Hardin wrote:
>>> On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
>>>
>>>> Is there a rule to catch these messages with no body and a 550-byte
>>>> Word attachment?
>>>
>>> Can you post a sample somewhere for us?
>>
>> Hi,
>>
>> I assume he means the recent surge in "rtf" attachment spam. I've posted
>> two examples:
>> http://spam.daviey.com/rtfspam.txt
>> http://spam.daviey.com/rtfspam1.txt
>
> The recent no-text-parts rules should catch that. To recap:
>
> header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
> ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
> mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
> meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
> score MIME_NO_TEXT 2.00
> describe MIME_NO_TEXT No text body parts
> endif
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
RE: word doc spam
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
ftp://ftp.fcimail.org/IT/SA_Sample/message.txt
-----Original Message-----
From: John Hardin [mailto:jhardin@impsec.org]
Sent: Tuesday, June 02, 2009 11:18 AM
To: SpamAssassin Users List
Subject: Re: word doc spam
On Tue, 2 Jun 2009, Dave Walker wrote:
> John Hardin wrote:
>> On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
>>
>>> Is there a rule to catch these messages with no body and a 550-byte
>>> Word attachment?
>>
>> Can you post a sample somewhere for us?
>
> Hi,
>
> I assume he means the recent surge in "rtf" attachment spam. I've posted
> two examples:
> http://spam.daviey.com/rtfspam.txt
> http://spam.daviey.com/rtfspam1.txt
The recent no-text-parts rules should catch that. To recap:
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
score MIME_NO_TEXT 2.00
describe MIME_NO_TEXT No text body parts
endif
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
Re: word doc spam
Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 2 Jun 2009, John Hardin wrote:
> Well, any tool that's composing MIME messages can choose to omit a text
> body part if no text is available... (snip)
> In practice, we're only seeing it in spams. There may be false positives in
> some unusual situations, but it's not likely with legitimate human-generated
> email. Score accordingly.
(nod) Thanks!
- Charles
Re: word doc spam
Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Jun 2009, Charles Gregory wrote:
> Just to be sure that I'm thinking the right way about the 'no text body
> part' rule: If someone sends a 'normal' message, but elects to not type
> any text into the body, there *will* still be a mime 'text' section, and
> it will just be empty, right?
I think all MIME email clients do behave that way, yes.
> So the 'no text body' would mean that the message was
> created *only* by a spam client that fails to add it?
Well, any tool that's composing MIME messages can choose to omit a text
body part if no text is available - for example, a command-line tool that
forwarded webcam images or screen shots might reasonably omit a text body
part and create a message that would hit this rule.
In practice, we're only seeing it in spams. There may be false positives
in some unusual situations, but it's not likely with legitimate
human-generated email. Score accordingly.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Any time law enforcement becomes a revenue center, the system
becomes corrupt.
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
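The no-text-parts rules John Hardin posts in this thread, together with his caveat that a script mailing only an image would also hit them, as an added illustration that is not part of the original thread and not SpamAssassin's own rule engine: a small Python harness that applies the same three regexes and the two meta rules (with the 1.00/2.00 scores from the version that adds the X-Mailer check) to constructed messages. It assumes, as the MIMEHeader plugin does, that `mimeheader` inspects every MIME part's headers while `header` inspects only the top-level headers; the builder and sample names are hypothetical.

```python
import re
from email import message_from_string

# Regexes transcribed from the list rules; this harness is an added
# illustration, not SpamAssassin's own rule engine.
CTYPE_MULTIPART_ANY = re.compile(r"multipart/\w", re.I)  # header __CTYPE_MULTIPART_ANY
ANY_TEXT_ATTACH = re.compile(r"text/\w+", re.I)          # mimeheader __ANY_TEXT_ATTACH
XM_PHP = re.compile(r"^PHP\s?v?/?\d\.")                  # header __XM_PHP


def score_message(raw):
    """Apply MIME_NO_TEXT and MIME_PHP_NO_TEXT to a raw RFC 822 message."""
    msg = message_from_string(raw)
    # 'header' rules look only at the top-level headers
    is_multipart = bool(CTYPE_MULTIPART_ANY.search(msg.get("Content-Type", "")))
    xm_php = bool(XM_PHP.search(msg.get("X-Mailer", "")))
    # 'mimeheader' rules look at the headers of every MIME part, so an empty
    # text/plain part still counts as a text part and keeps the rule quiet
    has_text_part = any(ANY_TEXT_ATTACH.search(p.get("Content-Type", ""))
                        for p in msg.walk())
    hits = {}
    if is_multipart and not has_text_part:
        hits["MIME_NO_TEXT"] = 1.00          # meta MIME_NO_TEXT
        if xm_php:
            hits["MIME_PHP_NO_TEXT"] = 2.00  # meta MIME_PHP_NO_TEXT
    return {"hits": hits, "score": sum(hits.values())}


def build_multipart(part_ctypes, x_mailer=None):
    """Constructed sample: a multipart/mixed message whose parts carry the given
    Content-Types and empty bodies (not one of the samples posted to the list)."""
    head = f"X-Mailer: {x_mailer}\n" if x_mailer else ""
    head += 'Content-Type: multipart/mixed; boundary="b"\n\n'
    parts = "".join(f"--b\nContent-Type: {ct}\n\n\n" for ct in part_ctypes)
    return head + parts + "--b--\n"


# 1) RTF attachment only, PHP X-Mailer: the pattern the thread describes.
RTF_ONLY_PHP = build_multipart(['application/rtf; name="shambling.rtf"'],
                               x_mailer="PHP/5.2.9")
# 2) A normal client with nothing typed into the body: the text/plain part is
#    present but empty, so neither rule fires.
EMPTY_BODY_WITH_ATTACHMENT = build_multipart(
    ["text/plain; charset=us-ascii", 'application/rtf; name="report.rtf"'])
# 3) A script mailing a screenshot with no text part: the false positive John
#    Hardin warns about, hitting MIME_NO_TEXT but not the PHP meta rule.
IMAGE_ONLY_SCRIPT = build_multipart(['image/png; name="cam.png"'])

if __name__ == "__main__":
    for name, raw in [("rtf+php", RTF_ONLY_PHP),
                      ("empty body", EMPTY_BODY_WITH_ATTACHMENT),
                      ("image only", IMAGE_ONLY_SCRIPT)]:
        print(f"{name:12s} {score_message(raw)}")
```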
Re: word doc spam
Posted by Charles Gregory <cg...@hwcn.org>.
Just to be sure that I'm thinking the right way about the 'no text body
part' rule: If someone sends a 'normal' message, but elects to not type
any text into the body, there *will* still be a mime 'text' section, and
it will just be empty, right? So the 'no text body' would mean that the
message was created *only* by a spam client that fails to add it?
- C
Re: word doc spam
Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Jun 2009, Dave Walker wrote:
> John Hardin wrote:
>> On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
>>
>>> Is there a rule to catch these messages with no body and a 550-byte
>>> Word attachment?
>>
>> Can you post a sample somewhere for us?
>
> Hi,
>
> I assume he means the recent surge in "rtf" attachment spam. I've posted
> two examples:
> http://spam.daviey.com/rtfspam.txt
> http://spam.daviey.com/rtfspam1.txt
The recent no-text-parts rules should catch that. To recap:
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
score MIME_NO_TEXT 2.00
describe MIME_NO_TEXT No text body parts
endif
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
Re: word doc spam
Posted by Matt Garretson <ma...@assembly.state.ny.us>.
If you look back a whopping 2 days in the list archive,
there are some rules that are very good at catching this
.rtf spam.
Re: word doc spam
Posted by Dave Walker <Da...@ubuntu.com>.
John Hardin wrote:
> On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
>
>> Is there a rule to catch these messages with no body and a 550-byte
>> Word attachment?
>
> Can you post a sample somewhere for us?
>
Hi,
I assume he means the recent surge in "rtf" attachment spam. I've posted
two examples:
http://spam.daviey.com/rtfspam.txt
http://spam.daviey.com/rtfspam1.txt
Kind Regards,
Dave Walker
RE: word doc spam
Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
> Correction: they are rtf, not doc
>
> ftp://ftp.fcimail.org/IT/SA_Sample/shambling.rtf
Sorry, I meant a sample of the raw message, so that we can inspect the
headers and such.
> -----Original Message-----
> From: John Hardin [mailto:jhardin@impsec.org]
> Sent: Tuesday, June 02, 2009 9:47 AM
> To: Jean-Paul Natola
> Cc: users@spamassassin.apache.org
> Subject: Re: word doc spam
>
> On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
>
>> Is there a rule to catch these messages with no body and a 550-byte Word
>> attachment?
>
> Can you post a sample somewhere for us?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
RE: word doc spam
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
Correction: they are rtf, not doc
ftp://ftp.fcimail.org/IT/SA_Sample/shambling.rtf
-----Original Message-----
From: John Hardin [mailto:jhardin@impsec.org]
Sent: Tuesday, June 02, 2009 9:47 AM
To: Jean-Paul Natola
Cc: users@spamassassin.apache.org
Subject: Re: word doc spam
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
> Is there a rule to catch these messages with no body and a 550-byte Word
> attachment?
Can you post a sample somewhere for us?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...to announce there must be no criticism of the President or to
stand by the President right or wrong is not only unpatriotic and
servile, but is morally treasonous to the American public.
-- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
Re: word doc spam
Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
> Is there a rule to catch these messages with no body and a 550-byte Word
> attachment?
Can you post a sample somewhere for us?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...to announce there must be no criticism of the President or to
stand by the President right or wrong is not only unpatriotic and
servile, but is morally treasonous to the American public.
-- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
Re: word doc spam
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Tue, 2009-06-02 at 09:10 -0400, Jean-Paul Natola wrote:
> Hi all,
>
> Is there a rule to catch these messages with no body and a 550-byte Word
> attachment?
Yes, add the SaneSecurity clamav signatures.
codling.rtf: Sanesecurity.Spam.10307.UNOFFICIAL FOUND
Integration with spamassassin left as an exercise for the reader. I
personally use Amavisd-new with @virus_name_to_spam_score_maps
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Re: Controlling spamd logging from spamc
Posted by Martin Gregorie <ma...@gregorie.org>.
On Thu, 2009-06-04 at 18:32 -0400, Jeff Mincy wrote:
> From: Martin Gregorie <ma...@gregorie.org>
>
> Wouldn't it be easier to run another spamd on a different machine for
> rule development and testing? Or perhaps just running as a different
> 'test' user, and then ignore log messages for that user in the statistics.
>
I'm about to set that up today and get it integrated with cvs.
> > Would anybody else find this a useful feature too?
>
> I've sometimes wanted the other way, e.g. get more debugging output for
> a particular message.
>
I think these are two sides of the same coin: if spamc could pass
debugging control flags to spamd via a message wrapper then it would be
simple to add the ability to control logging as well.
Martin
Re: Controlling spamd logging from spamc
Posted by Jeff Mincy <je...@delphioutpost.com>.
From: Martin Gregorie <ma...@gregorie.org>
Date: Tue, 02 Jun 2009 16:54:11 +0100
How difficult would it be to let spamc control spamd's logging output on
a per-message basis?
My reason for asking is this: I maintain a body of spam that I use to
develop and regression test local rules and, during rule development,
use spamc to pass the test messages through my only copy of spamd. This
is useful because I can keep the test messages in a normal user on a
different host from the one running spamd and avoid local configuration
ambiguities. However, as part of my logwatch environment I run a perl
program to collect the day's spam stats. I find that the stats are
meaningless any day I develop and/or regression test rules because, of
course, spamd is logging these as well as actual mail. I should add
that, since my ISP introduced greylisting, the 'spam' logged during
regression testing is at least 12 times the volume of genuine spam
received that day, so the day's stats are meaningless and so are any
stats generated by scanning the whole of /var/log/maillog*
It would be useful for me to be able to disable spamd logging during
rule testing.
Wouldn't it be easier to run another spamd on a different machine for
rule development and testing? Or perhaps just running as a different
'test' user, and then ignore log messages for that user in the statistics.
Would anybody else find this a useful feature too?
I've sometimes wanted the other way, e.g. get more debugging output for
a particular message.
-jeff
Controlling spamd logging from spamc
Posted by Martin Gregorie <ma...@gregorie.org>.
How difficult would it be to let spamc control spamd's logging output on
a per-message basis?
My reason for asking is this: I maintain a body of spam that I use to
develop and regression test local rules and, during rule development,
use spamc to pass the test messages through my only copy of spamd. This
is useful because I can keep the test messages in a normal user on a
different host from the one running spamd and avoid local configuration
ambiguities. However, as part of my logwatch environment I run a perl
program to collect the day's spam stats. I find that the stats are
meaningless any day I develop and/or regression test rules because, of
course, spamd is logging these as well as actual mail. I should add
that, since my ISP introduced greylisting, the 'spam' logged during
regression testing is at least 12 times the volume of genuine spam
received that day, so the day's stats are meaningless and so are any
stats generated by scanning the whole of /var/log/maillog*
It would be useful for me to be able to disable spamd logging during
rule testing.
Would anybody else find this a useful feature too?
Martin
Re: word doc spam
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 02.06.09 09:10, Jean-Paul Natola wrote:
> Is there a rule to catch these messages with no body and a 550-byte Word
> attachment?
> The only rule it's triggering is the
> RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
I reject these at SMTP level...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete