Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2010/09/24 00:55:17 UTC

Phish triggered short circuit 'ham'

http://pastebin.com/ypiHcyvK

The above phish for my ISP came in this morning; it triggered the short
circuit 'ham' rule. Is it because I have this in my local.cf and the
message has a dkim signature?

def_whitelist_from_dkim *@embarqmail.com

DKIM-Signature: v=1; a=rsa-sha1; d=embarqmail.com; s=s012408;
 c=relaxed/simple; q=dns/txt; i=@embarqmail.com; t=1285235699;
 h=From:Subject:Date:To:MIME-Version:Content-Type;
 bh=9FOJPKqN2Ht/0QapcfDg7uQayg4=;
 b=WMoex2VshAez5cqfiXbdykBskGnhCxMtG4ojE3+VaHxS2tB466/bZ2YjLuY3afkV
 gSsc8wS1MU8RdOVs2AcIrWmIz/h8RQHuuN1hl2tPSHiN9vCBRbx5qEKa3qpTlnAy;

Do I have def_whitelist_from_dkim configured incorrectly?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Sun, 2010-09-26 at 19:26 +0200, Benny Pedersen wrote:
> On søn 26 sep 2010 15:27:47 CEST, Chris wrote
> 
> > On Sat, 2010-09-25 at 04:47 +0200, Benny Pedersen wrote:
> >> On lør 25 sep 2010 02:53:30 CEST, Chris wrote
> >> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> >> > USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> >> > USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)
> >>
> >> there is still user in def :=)
> >
> > Benny, I'm still confused, sometimes that isn't hard to do :) anyway, I
> > now have this:
> >
> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> > USER_IN_SPF_WHITELIST||USER_IN_WHITELIST)
> >
> > or should the last entry also be removed?
> 
> only if you use whitelist_from foo@*
> 
> >>
> >> user_in_whitelist includes whitelist_from which can be forged, my fav
> >> to be removed if i just can convince more devs :)
> >>
> >> if you remove all user in def then it begins to work, and i can see
> >> you have redundancy with domainkey and dkim, if you as i see use
> >> dkim then domainkey is not needed anymore
> >>
> >> > priority SC_NET_HAM -500
> >> > shortcircuit SC_NET_HAM ham
> >>
> >> change ham here to on
> >
> > priority SC_NET_HAM -500
> 
> change to -950 so blacklist is tested before the whitelist
> 
> > shortcircuit SC_NET_HAM ham
> 
> shortcircuit SC_NET_HAM on
> 
> perldoc Mail::SpamAssassin::Plugin::Shortcircuit
> 
> > # score SC_NET_HAM -20
> > score SC_NET_HAM 0
> >
> > is this correct or still borked?
> 
> yes score 0 disables this rule
> 
> try the fp mail now with current config
> 
> spamassassin -t fpmsg
> 
> better than the problem you see first in the report? i hope
> 
At least it's picked up as spam this time Benny

3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [201.216.4.186 listed in zen.spamhaus.org]
1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [201.216.4.186 listed in
bb.barracudacentral.org]
-7.5 USER_IN_DEF_DKIM_WL    From: address is in the default DKIM
white-list
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
lines
 1.0 MISSING_HEADERS        Missing To: header
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.7 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of
words
 1.0 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature
from author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK
signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
necessarily valid
 0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 0.1 FROM_MISSP_NO_TO       From misspaced, To missing
 1.6 FROM_MISSP_MSFT        From misspaced + supposed Microsoft tool
 0.8 RDNS_NONE              Delivered to internal network by a host with
no rDNS
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 HELO_NO_DOMAIN         Relay reports its domain incorrectly
 1.9 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
 2.5 DOS_OE_TO_MX           Delivered direct to MX with OE headers
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

It still hit on this def_whitelist_from_dkim *@embarqmail.com, but that
can't be helped, can it, since the message had a dkim signature.

-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On søn 26 sep 2010 15:27:47 CEST, Chris wrote

> On Sat, 2010-09-25 at 04:47 +0200, Benny Pedersen wrote:
>> On lør 25 sep 2010 02:53:30 CEST, Chris wrote
>> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
>> > USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
>> > USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)
>>
>> there is still user in def :=)
>
> Benny, I'm still confused, sometimes that isn't hard to do :) anyway, I
> now have this:
>
> meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> USER_IN_SPF_WHITELIST||USER_IN_WHITELIST)
>
> or should the last entry also be removed?

only if you use whitelist_from foo@*

>>
>> user_in_whitelist includes whitelist_from which can be forged, my fav
>> to be removed if i just can convince more devs :)
>>
>> if you remove all user in def then it begins to work, and i can see
>> you have redundancy with domainkey and dkim, if you as i see use
>> dkim then domainkey is not needed anymore
>>
>> > priority SC_NET_HAM -500
>> > shortcircuit SC_NET_HAM ham
>>
>> change ham here to on
>
> priority SC_NET_HAM -500

change to -950 so blacklist is tested before the whitelist

> shortcircuit SC_NET_HAM ham

shortcircuit SC_NET_HAM on

perldoc Mail::SpamAssassin::Plugin::Shortcircuit

> # score SC_NET_HAM -20
> score SC_NET_HAM 0
>
> is this correct or still borked?

yes score 0 disables this rule

try the fp mail now with current config

spamassassin -t fpmsg

better than the problem you see first in the report? i hope

>> and let it fire when the meta only contains user in whitelist and
>> not any def rules for whitelist

just a last note so all on sa maillist will not flame me to hell, what
counts is what you want, and remember all problems start with that
leaked password :/

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html
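Added example, not code from the thread or from SpamAssassin: a small Python check that parses an X-Spam-Status header in the form Chris posted (with both the TESTSSCORES and TESTS lists) and evaluates the SC_NET_HAM meta two ways, as Chris first wrote it with the USER_IN_DEF_* rules included and as Benny advises with only the non-def_ whitelist rules, then flags a ham short-circuit that rested on def_ whitelisting or ignored RBL hits. The rule names come from the thread; the sample header is Chris's, embedded as constructed input.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Rule names as they appear in the thread's SC_NET_HAM meta.  The def_ rules
# fire on def_whitelist_from_* entries, which only need a DKIM/SPF pass for the
# domain; mail sent through the ISP with stolen credentials gets that pass,
# which is exactly the false positive discussed in the thread.
STRONG_WL_RULES: Set[str] = {"USER_IN_DKIM_WHITELIST", "USER_IN_DK_WHITELIST",
                             "USER_IN_SPF_WHITELIST", "USER_IN_WHITELIST"}
DEF_WL_RULES: Set[str] = {"USER_IN_DEF_DKIM_WL", "USER_IN_DEF_DK_WL",
                          "USER_IN_DEF_SPF_WL", "USER_IN_DEF_WHITELIST"}
# Blocklist rules that hit on the phish in the thread.
RBL_RULES: Set[str] = {"RCVD_IN_PBL", "RCVD_IN_SORBS_DUL", "RCVD_IN_BRBL_LASTEXT"}

# Scalar key=value tags SpamAssassin emits in X-Spam-Status; any other token is
# (a folded fragment of) the test list.
SCALAR_KEYS = {"score", "required", "shortcircuit", "autolearn",
               "autolearn_force", "version"}

# Constructed sample: the header Chris posted, folded as it appeared on the list.
# Its template carries both _TESTSSCORES_ and _TESTS_, so every rule name shows
# up twice, once with a score and once bare.
SAMPLE_HEADER = """X-spam-status: No, score=-124.2 required=5.0 tests=RCVD_IN_PBL=3.335,
 RCVD_IN_SORBS_DUL=0.001,SC_NET_HAM=-20,SHORTCIRCUIT=-100,
 USER_IN_DEF_DKIM_WL=-7.5 RCVD_IN_PBL,RCVD_IN_SORBS_DUL,SC_NET_HAM,
 SHORTCIRCUIT,USER_IN_DEF_DKIM_WL shortcircuit=ham"""


@dataclass
class SpamStatus:
    verdict: str
    score: float = 0.0
    required: float = 0.0
    shortcircuit: Optional[str] = None
    tests: Dict[str, Optional[float]] = field(default_factory=dict)  # name -> score


def _add_tests(status: SpamStatus, fragment: str) -> None:
    """Merge a comma-separated list of NAME or NAME=score entries."""
    for entry in fragment.split(","):
        name, has_score, score = entry.strip().partition("=")
        if not name:
            continue
        if has_score:
            status.tests[name] = float(score)
        elif name not in status.tests:
            status.tests[name] = None


def parse_spam_status(header: str) -> SpamStatus:
    """Parse an X-Spam-Status header (field name optional, folding allowed)."""
    value = re.sub(r"^\s*x-spam-status:\s*", "", header, flags=re.I)
    value = " ".join(value.split())            # unfold continuation lines
    verdict, _, rest = value.partition(",")    # "No" / "Yes" comes first
    status = SpamStatus(verdict=verdict.strip())
    for token in rest.split():
        key, has_value, val = token.partition("=")
        if key == "tests" and has_value:
            _add_tests(status, val)
        elif key in SCALAR_KEYS and has_value:
            if key in ("score", "required"):
                setattr(status, key, float(val))
            elif key == "shortcircuit":
                status.shortcircuit = val
        else:
            _add_tests(status, token)          # folded remainder of the test list
    return status


def sc_net_ham_as_posted(hits: Set[str]) -> bool:
    """Chris's original meta: any whitelist rule, def_ ones included."""
    return bool(hits & (STRONG_WL_RULES | DEF_WL_RULES))


def sc_net_ham_fixed(hits: Set[str]) -> bool:
    """The meta after Benny's advice: only the non-def_ whitelist rules."""
    return bool(hits & STRONG_WL_RULES)


def audit(header: str) -> List[str]:
    """Flag a ham short-circuit that rested on def_ whitelisting or ignored RBL hits."""
    status = parse_spam_status(header)
    hits = set(status.tests)
    findings: List[str] = []
    if status.shortcircuit == "ham":
        if (hits & DEF_WL_RULES) and not (hits & STRONG_WL_RULES):
            findings.append("ham short-circuit rested only on def_ whitelist rules: "
                            + ", ".join(sorted(hits & DEF_WL_RULES)))
        if hits & RBL_RULES:
            findings.append("ham short-circuit despite blocklist hits: "
                            + ", ".join(sorted(hits & RBL_RULES)))
    return findings


if __name__ == "__main__":
    parsed = parse_spam_status(SAMPLE_HEADER)
    hits = set(parsed.tests)
    print("score", parsed.score, "shortcircuit", parsed.shortcircuit)
    print("SC_NET_HAM as posted:", sc_net_ham_as_posted(hits))
    print("SC_NET_HAM fixed:    ", sc_net_ham_fixed(hits))
    for finding in audit(SAMPLE_HEADER):
        print("finding:", finding)
```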


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2010-09-25 at 04:47 +0200, Benny Pedersen wrote:
> On lør 25 sep 2010 02:53:30 CEST, Chris wrote
> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> > USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> > USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)
> 
> there is still user in def :=)

Benny, I'm still confused, sometimes that isn't hard to do :) anyway, I
now have this:

meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
USER_IN_SPF_WHITELIST||USER_IN_WHITELIST)

or should the last entry also be removed?
> 
> user_in_whitelist includes whitelist_from which can be forged, my fav
> to be removed if i just can convince more devs :)
> 
> if you remove all user in def then it begins to work, and i can see
> you have redundancy with domainkey and dkim, if you as i see use
> dkim then domainkey is not needed anymore
> 
> > priority SC_NET_HAM -500
> > shortcircuit SC_NET_HAM ham
> 
> change ham here to on

priority SC_NET_HAM -500
shortcircuit SC_NET_HAM ham
# score SC_NET_HAM -20
score SC_NET_HAM 0

is this correct or still borked?

> 
> and let it fire when the meta only contains user in whitelist and
> not any def rules for whitelist
> 

Thanks
Chris
-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On lør 25 sep 2010 06:00:13 CEST, Karsten Bräckelmann wrote
>> user_in_whitelist includes whitelist_from with can be forged, my fav
>> to be removed if i just can convence more devs :)
> Bug number? Sorry, getting late here, too lazy to search whether you
> actually filed it. ;)

okay i will create a ticket, as i am the only one that doesn't use
whitelist_from *@hotmail.com

spammers using it and get caught on spf

creating a ticket gave me this error:

undef error - Can't locate Class/Singleton.pm in @INC (@INC contains:  
. lib /x1/issues/htdocs/SpamAssassin  
/x1/issues/htdocs/SpamAssassin/lib/sun4-solaris-thread-multi-64  
/x1/issues/htdocs/SpamAssassin/lib  
/opt/perl5/lib/5.10.1/sun4-solaris-thread-multi-64  
/opt/perl5/lib/5.10.1  
/opt/perl5/lib/site_perl/5.10.1/sun4-solaris-thread-multi-64  
/opt/perl5/lib/site_perl/5.10.1  
/usr/local/apache2-install/issues.apache.org-bugzilla/current) at  
/opt/perl5/lib/site_perl/5.10.1/DateTime/TimeZone/Europe/Copenhagen.pm  
line 14. BEGIN failed--compilation aborted at  
/opt/perl5/lib/site_perl/5.10.1/DateTime/TimeZone/Europe/Copenhagen.pm  
line 14. Compilation failed in require at (eval 5248) line 3

ticket summary: perldoc Mail::SpamAssassin::Conf whitelist_from
should not be an option
ticket text:

there are too many errors that go back to this "option" and it serves
no spam test at all, so imho it could be removed without any problem
to still detect spam

maybe it could just be recoded to give another score for whitelist ?

but as it is now it gives -100 when fired on a maybe 100% forged mail :(

silly, RFC :)

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Phish triggered short circuit 'ham'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2010-09-25 at 04:47 +0200, Benny Pedersen wrote:
> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> > USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> > USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)
> 
> there is still user in def :=)
> 
> user_in_whitelist includes whitelist_from which can be forged, my fav
> to be removed if i just can convince more devs :)

Bug number? Sorry, getting late here, too lazy to search whether you
actually filed it. ;)

  guenther  -- this nickname sig only exists to confuse Michelle


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phish triggered short circuit 'ham'

Posted by RW <rw...@googlemail.com>.
On Sat, 25 Sep 2010 04:47:31 +0200
Benny Pedersen <me...@junc.org> wrote:

> On lør 25 sep 2010 02:53:30 CEST, Chris wrote
> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> > USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> > USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)
> 
> there is still user in def :=)
> 
> user_in_whitelist includes whitelist_from which can be forged, my fav
> to be removed if i just can convince more devs :)

I don't see the point. If someone has chosen to use whitelist_from,
that's their choice - probably based on their experience that it
doesn't get spoofed. Bypassing short-circuiting just wastes cpu-cycles
in the vain hope of a spam picking up the +105 points needed to
balance out the -100.

Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On lør 25 sep 2010 02:53:30 CEST, Chris wrote
> meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)

there is still user in def :=)

user_in_whitelist includes whitelist_from which can be forged, my fav
to be removed if i just can convince more devs :)

if you remove all user in def then it begins to work, and i can see
you have redundancy with domainkey and dkim, if you as i see use
dkim then domainkey is not needed anymore

> priority SC_NET_HAM -500
> shortcircuit SC_NET_HAM ham

change ham here to on

and let it fire when the meta only contains user in whitelist and
not any def rules for whitelist

> # score SC_NET_HAM -20
> score SC_NET_HAM 0
>
> I only have these two lines now:
>
> def_whitelist_from_dkim *@embarqmail.com
> def_whitelist_from_spf *@embarqmail.com
>
> Or is this not what you meant?

all this is optional to the problem you initial had

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2010-09-25 at 02:04 +0200, Benny Pedersen wrote:
> On lør 25 sep 2010 00:31:18 CEST, Chris wrote
> > # slower, network-based whitelisting
> > meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> > USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> > USER_IN_DEF_SPF_WL||USER_IN_WHITELIST||USER_IN_DEF_WHITELIST)
> 
> change this meta to NOT use def_ whitelist
> 
> > priority SC_NET_HAM -500
> > shortcircuit SC_NET_HAM ham
> 
> whitelist gives on its own -100, now you add -20 more ?
> 
> > score SC_NET_HAM -20
> 
> here
> 
> > Then I have this:
> >
> > whitelist_from_SPF *@embarqmail.com
> > def_whitelist_from_dkim *@embarqmail.com
> > def_whitelist_from_spf *@embarqmail.com
> 
> why is spf more trusted than dkim here ?
> 
> you did see fp, change all above to def_whitelist_*
> 
> and change shortcircuit to only match whitelist_* not def_whitelist
> 
> or solve it with remove whitelist for this fp domain :)
> 
> > Here's what rules hit in a short circuit ham:
> >
> > X-spam-status: No, score=-124.2 required=5.0 tests=RCVD_IN_PBL=3.335,
> > RCVD_IN_SORBS_DUL=0.001,SC_NET_HAM=-20,SHORTCIRCUIT=-100,
> > USER_IN_DEF_DKIM_WL=-7.5 RCVD_IN_PBL,RCVD_IN_SORBS_DUL,SC_NET_HAM,
> > SHORTCIRCUIT,USER_IN_DEF_DKIM_WL shortcircuit=ham
> 

Does this look right Benny or do I still have it screwed up:

meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
USER_IN_DEF_SPF_WL||USER_IN_WHITELIST)
priority SC_NET_HAM -500
shortcircuit SC_NET_HAM ham
# score SC_NET_HAM -20
score SC_NET_HAM 0

I only have these two lines now:

def_whitelist_from_dkim *@embarqmail.com
def_whitelist_from_spf *@embarqmail.com

Or is this not what you meant?


-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On lør 25 sep 2010 00:31:18 CEST, Chris wrote
> # slower, network-based whitelisting
> meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
> USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
> USER_IN_DEF_SPF_WL||USER_IN_WHITELIST||USER_IN_DEF_WHITELIST)

change this meta to NOT use def_ whitelist

> priority SC_NET_HAM -500
> shortcircuit SC_NET_HAM ham

whitelist gives on its own -100, now you add -20 more ?

> score SC_NET_HAM -20

here

> Then I have this:
>
> whitelist_from_SPF *@embarqmail.com
> def_whitelist_from_dkim *@embarqmail.com
> def_whitelist_from_spf *@embarqmail.com

why is spf more trusted than dkim here ?

you did see fp, change all above to def_whitelist_*

and change shortcircuit to only match whitelist_* not def_whitelist

or solve it with remove whitelist for this fp domain :)

> Here's what rules hit in a short circuit ham:
>
> X-spam-status: No, score=-124.2 required=5.0 tests=RCVD_IN_PBL=3.335,
> RCVD_IN_SORBS_DUL=0.001,SC_NET_HAM=-20,SHORTCIRCUIT=-100,
> USER_IN_DEF_DKIM_WL=-7.5 RCVD_IN_PBL,RCVD_IN_SORBS_DUL,SC_NET_HAM,
> SHORTCIRCUIT,USER_IN_DEF_DKIM_WL shortcircuit=ham

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Phish triggered short circuit 'ham'

Posted by RW <rw...@googlemail.com>.
On Sat, 25 Sep 2010 05:42:19 +0200
Karsten Bräckelmann <gu...@rudersport.de> wrote:

> The problem is, that your ISP accepts plain text authentication over
> plain text, un-encrypted channels. One of them must be encrypted, at
> the very least if you gonna sign it. Otherwise it's too easy to
> eavesdrop and get the credentials.
> 
> Well, unless you trick your victim to otherwise tell you, or can
> guess a weak password. Encryption doesn't help in that case. A rather
> common source for 419 scammers and some general spam. I've seen spam
> sent by cracked accounts, personally [1]. It does happen. And it
> seems to be the source of your sample.

What's odd is that it's authenticated to his own account. 


Re: Phish triggered short circuit 'ham'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-09-24 at 22:16 -0500, Chris wrote:
> On Sat, 2010-09-25 at 03:31 +0200, Karsten Bräckelmann wrote:

> > Begs the question why the phish that started this thread has been DKIM
> > signed by your ISP, too. Seriously.
> > 
> > Hmm, from your original pastebin:
> > 
> >  Authentication-Results:  smtp03.embarq.synacor.com smtp.user=thewhedbees;
> >   auth=pass (LOGIN)
> >  Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
> >   mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
> >   (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
> >   Thu, 23 Sep 2010 05:54:58 -0400
> > 
> > So, this ALSO was an authenticated submission? And that's why your ISP
> > signed it. Which would explain why it got whitelisted, no?
> > 
> > Yup, *that* is how you do targeted phishing! Don't send from an outside
> > machine, but crack an account or otherwise send from internal, trusted
> > sources. It will make your phish look much more legit.
> 
> Question I have, and I'll have to ask in the embarq forum at DSLReports
> (though I'll probably not get an answer, or the one I want) is how/why
> did my ISP dkim sign a message with a sender IP of 201.216.4.186 which
> is in Bogota, Colombia.

Because it was authenticated.

If you're on holidays (or on a business trip), you want your ISP to
accept your outgoing mail, no? That's what the AUTH is for. No matter
where you are, no matter what region your IP is allocated.

The real question is, why they sign messages submitted over unencrypted
channels, using a plain text password.

The problem is, that your ISP accepts plain text authentication over
plain text, un-encrypted channels. One of them must be encrypted, at the
very least if you gonna sign it. Otherwise it's too easy to eavesdrop
and get the credentials.


Well, unless you trick your victim to otherwise tell you, or can guess a
weak password. Encryption doesn't help in that case. A rather common
source for 419 scammers and some general spam. I've seen spam sent by
cracked accounts, personally [1]. It does happen. And it seems to be the
source of your sample.

Anyway, your ISP should enforce either a secure connection, or a secure
method to provide the password.


[1] Accounts I know the owner of. The first reaction to a phone call in
    the middle of the night, to please change the f***ing password
    because their account is being abused can be summarized by "What!?".

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2010-09-25 at 03:31 +0200, Karsten Bräckelmann wrote:
> On Fri, 2010-09-24 at 19:40 -0500, Chris wrote:
> > On Sat, 2010-09-25 at 01:07 +0200, Karsten Bräckelmann wrote:
> > > Ham!?  PBL, SORBS DUL. Are you trying to use whitelisting to protect
> > > outgoing messages? Shouldn't you be using authenticated SMTP instead?
> > 
> > No Karsten, this is incoming mail to my machine. I don't run a server,
> > this is straight from my ISP, picked up with fetchmail and processed
> > through procmail.
> 
> Yeah, I was wondering about that like shortly after I sent the message.
> The "ham" got me confused, thinking it really was ham.
> 
> > > Oh, and... Do you DKIM sign mail before scanning it with SA?
> > 
> > No, as you can see here, my ISP adds the DKIM signature.
> > 
> > http://pastebin.com/LqVtvjgM
> 
> OK, wait. That sample is really an example showing the DKIM headers,
> sent by *you*. Right? It's authenticated.
> 
> So, yeah, DKIM signing that one looks right.
> 
> Begs the question why the phish that started this thread has been DKIM
> signed by your ISP, too. Seriously.
> 
> Hmm, from your original pastebin:
> 
>  Authentication-Results:  smtp03.embarq.synacor.com smtp.user=thewhedbees;
>   auth=pass (LOGIN)
>  Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
>   mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
>   (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
>   Thu, 23 Sep 2010 05:54:58 -0400
> 
> So, this ALSO was an authenticated submission? And that's why your ISP
> signed it. Which would explain why it got whitelisted, no?
> 
> Yup, *that* is how you do targeted phishing! Don't send from an outside
> machine, but crack an account or otherwise send from internal, trusted
> sources. It will make your phish look much more legit.
> 
> 

Question I have, and I'll have to ask in the embarq forum at DSLReports
(though I'll probably not get an answer, or the one I want) is how/why
did my ISP dkim sign a message with a sender IP of 201.216.4.186 which
is in Bogota, Colombia.

-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2010-09-25 at 04:55 +0200, Benny Pedersen wrote:
> On lør 25 sep 2010 03:46:09 CEST, Karsten Bräckelmann wrote
> > Anyone wonder how to steal those user passwords?
> > (BTW, you did not use TLS either. :/)
> 
> don't blame chris on this one, he needs an isp that doesn't accept passwords
> in non tls tunnels, well spotted

Thanks. :)  And No, I really do not blame Chris on this one. Accepting
non-encrypted auth schemes on non-encrypted channels is the ISPs fault,
clearly. It's a no-go.

He should, however, have used TLS *iff* the ISP supports it. But that's
beyond this whitelisting issue.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On lør 25 sep 2010 03:46:09 CEST, Karsten Bräckelmann wrote
> Anyone wonder how to steal those user passwords?
> (BTW, you did not use TLS either. :/)

don't blame chris on this one, he needs an isp that doesn't accept passwords
in non tls tunnels, well spotted

/me back on my problem with kernel that doesn't load ethernet drivers :)

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Phish triggered short circuit 'ham'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2010-09-25 at 03:31 +0200, Karsten Bräckelmann wrote:
> On Fri, 2010-09-24 at 19:40 -0500, Chris wrote:

> > http://pastebin.com/LqVtvjgM
> 
> OK, wait. That sample is really an example showing the DKIM headers,
> sent by *you*. Right? It's authenticated.

> Hmm, from your original pastebin:
> 
>  Authentication-Results:  smtp03.embarq.synacor.com smtp.user=thewhedbees;
>   auth=pass (LOGIN)
>  Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
>   mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
>   (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
>   Thu, 23 Sep 2010 05:54:58 -0400

ESMTPA. AUTH LOGIN.

That's an authenticated submission. Not encrypted using SSL/TLS, but
plain text. Using LOGIN authentication, which is base64 encoded.
Equivalent to plain text.

Anyone wonder how to steal those user passwords?

(BTW, you did not use TLS either. :/)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phish triggered short circuit 'ham'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-09-24 at 19:40 -0500, Chris wrote:
> On Sat, 2010-09-25 at 01:07 +0200, Karsten Bräckelmann wrote:
> > Ham!?  PBL, SORBS DUL. Are you trying to use whitelisting to protect
> > outgoing messages? Shouldn't you be using authenticated SMTP instead?
> 
> No Karsten, this is incoming mail to my machine. I don't run a server,
> this is straight from my ISP, picked up with fetchmail and processed
> through procmail.

Yeah, I was wondering about that like shortly after I sent the message.
The "ham" got me confused, thinking it really was ham.

> > Oh, and... Do you DKIM sign mail before scanning it with SA?
> 
> No, as you can see here, my ISP adds the DKIM signature.
> 
> http://pastebin.com/LqVtvjgM

OK, wait. That sample is really an example showing the DKIM headers,
sent by *you*. Right? It's authenticated.

So, yeah, DKIM signing that one looks right.

Begs the question why the phish that started this thread has been DKIM
signed by your ISP, too. Seriously.

Hmm, from your original pastebin:

 Authentication-Results:  smtp03.embarq.synacor.com smtp.user=thewhedbees;
  auth=pass (LOGIN)
 Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
  mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
  (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
  Thu, 23 Sep 2010 05:54:58 -0400

So, this ALSO was an authenticated submission? And that's why your ISP
signed it. Which would explain why it got whitelisted, no?

Yup, *that* is how you do targeted phishing! Don't send from an outside
machine, but crack an account or otherwise send from internal, trusted
sources. It will make your phish look much more legit.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2010-09-25 at 01:07 +0200, Karsten Bräckelmann wrote:
> On Fri, 2010-09-24 at 17:31 -0500, Chris wrote:
> > Here's what rules hit in a short circuit ham:
> > 
> > X-spam-status: No, score=-124.2 required=5.0 tests=RCVD_IN_PBL=3.335,
> > RCVD_IN_SORBS_DUL=0.001,SC_NET_HAM=-20,SHORTCIRCUIT=-100,
> > USER_IN_DEF_DKIM_WL=-7.5 RCVD_IN_PBL,RCVD_IN_SORBS_DUL,SC_NET_HAM,
> > SHORTCIRCUIT,USER_IN_DEF_DKIM_WL shortcircuit=ham
> 
> Ham!?  PBL, SORBS DUL. Are you trying to use whitelisting to protect
> outgoing messages? Shouldn't you be using authenticated SMTP instead?

No Karsten, this is incoming mail to my machine. I don't run a server,
this is straight from my ISP, picked up with fetchmail and processed
through procmail.

> Oh, and... Do you DKIM sign mail before scanning it with SA?

No, as you can see here, my ISP adds the DKIM signature.

http://pastebin.com/LqVtvjgM

-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-09-24 at 17:31 -0500, Chris wrote:
> Here's what rules hit in a short circuit ham:
> 
> X-spam-status: No, score=-124.2 required=5.0 tests=RCVD_IN_PBL=3.335,
> RCVD_IN_SORBS_DUL=0.001,SC_NET_HAM=-20,SHORTCIRCUIT=-100,
> USER_IN_DEF_DKIM_WL=-7.5 RCVD_IN_PBL,RCVD_IN_SORBS_DUL,SC_NET_HAM,
> SHORTCIRCUIT,USER_IN_DEF_DKIM_WL shortcircuit=ham

Ham!?  PBL, SORBS DUL. Are you trying to use whitelisting to protect
outgoing messages? Shouldn't you be using authenticated SMTP instead?

Oh, and... Do you DKIM sign mail before scanning it with SA?


As a side-note, your X-Spam-Status header includes both the TEST and
TESTSSCORES template tags. That's slightly redundant. ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Fri, 2010-09-24 at 13:13 +0200, Benny Pedersen wrote:
> On fre 24 sep 2010 04:33:33 CEST, Chris wrote
> > Or is it needed since I have the def_whitelist_from_spf line?
> 
> you trigger on def_ in shortcircuit, that's the error you made if any;
> do change the shortcircuit rule to only do it if it's whitelist, not
> just def_whitelist
> 
> def_ rules are for grey domains that sometimes send spam or 50/50 of
> spam and ham but never only ham
> 
> show me your shortcircuit rule if still unsure what failed
> 

# slower, network-based whitelisting
meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||
USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||
USER_IN_DEF_SPF_WL||USER_IN_WHITELIST||USER_IN_DEF_WHITELIST)
priority SC_NET_HAM -500
shortcircuit SC_NET_HAM ham
score SC_NET_HAM -20

Then I have this:

whitelist_from_SPF *@embarqmail.com
def_whitelist_from_dkim *@embarqmail.com
def_whitelist_from_spf *@embarqmail.com

Here's what rules hit in a short circuit ham:

X-spam-status: No, score=-124.2 required=5.0 tests=RCVD_IN_PBL=3.335,
RCVD_IN_SORBS_DUL=0.001,SC_NET_HAM=-20,SHORTCIRCUIT=-100,
USER_IN_DEF_DKIM_WL=-7.5 RCVD_IN_PBL,RCVD_IN_SORBS_DUL,SC_NET_HAM,
SHORTCIRCUIT,USER_IN_DEF_DKIM_WL shortcircuit=ham

Chris
-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On fre 24 sep 2010 04:33:33 CEST, Chris wrote
> Or is it needed since I have the def_whitelist_from_spf line?

you trigger on def_ in shortcircuit, that's the error you made if any;
do change the shortcircuit rule to only do it if it's whitelist, not
just def_whitelist

def_ rules are for grey domains that sometimes send spam or 50/50 of
spam and ham but never only ham

show me your shortcircuit rule if still unsure what failed

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Phish triggered short circuit 'ham'

Posted by Chris <cp...@embarqmail.com>.
On Fri, 2010-09-24 at 03:55 +0200, Benny Pedersen wrote:
> On fre 24 sep 2010 00:55:17 CEST, Chris wrote
> 
> > Do I have def_whitelist_from_dkim configured incorrectly?
> 
> no, dkim is fine, just don't skip more spam tests based on def_*
> 

These are the only two def_ lines I have:

def_whitelist_from_dkim *@embarqmail.com
def_whitelist_from_spf *@embarqmail.com

I do also have this:

whitelist_from_SPF *@embarqmail.com

Or is it needed since I have the def_whitelist_from_spf line?

-- 
Chris
KeyID 0xE372A7DA98E6705C


Re: Phish triggered short circuit 'ham'

Posted by Benny Pedersen <me...@junc.org>.
On fre 24 sep 2010 00:55:17 CEST, Chris wrote

> Do I have def_whitelist_from_dkim configured incorrectly?

no, dkim is fine, just don't skip more spam tests based on def_*

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Phish triggered short circuit 'ham' (Solved)

Posted by Chris <cp...@embarqmail.com>.
On Thu, 2010-09-23 at 17:55 -0500, Chris wrote:
> http://pastebin.com/ypiHcyvK
> 
> The above phish for my ISP came in this morning; it triggered the short
> circuit 'ham' rule. Is it because I have this in my local.cf and the
> message has a dkim signature?
> 
> def_whitelist_from_dkim *@embarqmail.com
> 
> DKIM-Signature: v=1; a=rsa-sha1; d=embarqmail.com; s=s012408;
>  c=relaxed/simple; q=dns/txt; i=@embarqmail.com; t=1285235699;
>  h=From:Subject:Date:To:MIME-Version:Content-Type;
>  bh=9FOJPKqN2Ht/0QapcfDg7uQayg4=;
>  b=WMoex2VshAez5cqfiXbdykBskGnhCxMtG4ojE3+VaHxS2tB466/bZ2YjLuY3afkV
>  gSsc8wS1MU8RdOVs2AcIrWmIz/h8RQHuuN1hl2tPSHiN9vCBRbx5qEKa3qpTlnAy;
> 
> Do I have def_whitelist_from_dkim configured incorrectly?
> 
> Chris
> 
Got this from my ISP today:

The phishing email was from a compromised user account.  Some foreign
entity had logged onto our outbound email server with a customer's
stolen credentials and sent out phishing emails.  This is quite a
desirable scenario for phishers as their email goes out through a valid
server when they have pilfered ISP user accounts.  This causes a couple
of issues.  The phishing emails are more likely to be accepted from a
trusted SMTP server.  After such an attack is detected, the formerly
trusted SMTP server is soon subject to blocking based on the smear to
its reputation.


-- 
Chris
KeyID 0xE372A7DA98E6705C