Posted to users@spamassassin.apache.org by "Fortney, James T - CSCCS" <Fo...@CSCConsulting.com> on 2023/04/27 06:21:36 UTC

Suggested Approach

Here is a possible new challenge for those who like what I believe is 
a "different" challenge.  How would we have SA properly learn to 
identify such messages?

In an eight minute period this morning, someone dumped 9 messages 
into a Google mail server using one of my addresses as the FROM and 
TO address without any identification I can detect.

For those that would like to investigate, the messages are in the 
attached ZIP.  It looks like simple Spamming but I can not assure 
there are no other issues of concern.

Do not become confused by my delivery consolidation 
forwarding.  Please discard if no interest.

TNX  - JimF

-------------------------------------------------------------
James T. Fortney, Principal
CSC Consulting Services
E-mail:   Fortney@CSCConsulting.com
Snail:    P.O. Box 12589
               Prescott AZ  86304-2589
-------------------------------------------------------------- 

RE: Suggested Approach

Posted by "Fortney, James T - CSCCS" <Fo...@CSCConsulting.com>.
Marc (et al.) -

Thank you for the reply.  I will first admit that my SA skills are 
very dated.  I have not actively managed the product in over ten years.

I distributed the 9 messages as a ZIP file because there were so many 
immediate instances.  I typically refrain from trying to redact an 
example because it does not give a full picture and I may redact what 
someone else considers an important part.  I'm sure you understand 
the other reasons for not sending "real" plain text examples.

I believe I understand your analysis of the IPs you referenced, but I 
don't find that Thailand IP or the Google IPs in my examples.  The IPs 
included in the headers are 10.221.57.15 (useless) and 209.85.208.169 
which Google says "Received-SPF: pass (domain of gmail.com designates 
209.85.208.169 as permitted sender)" apparently relating to 
"Authentication-Results: atlas110.aol.mail.ne1.yahoo.com;".  I am not 
capable of reading more out of the headers.

If you, or others, are interested in researching how this traffic can 
be identified as spam I am interested in learning about the process.

- JimF


  At 4/27/2023 12:21 AM, Marc wrote:
> >
> > For those that would like to investigate, the messages are in the
> > attached ZIP.  It looks like simple Spamming but I can not assure
> > there are no other issues of concern.
> >
>
>Put the full (redacted) plain text source message. I can't believe that 
>message headers do not contain ip addresses. What is this 202.29.234.42?
>
>Your spamassassin should not even be processing messages from 
>202.29.234.42. Your incoming mail server should not accept mail from 
>IPs that do not have a correct reverse[2]. Then it is on a DNSBL. So 
>it should be stopped at that stage.
>
>
>[1]
>[@scripts]# testrbl.sh 202.29.234.42
>202.29.234.42
>  zen.spamhaus.org 127.0.0.11 
> "https://www.spamhaus.org/query/ip/202.29.234.42"
>  bl.spamcop.net
>  dul.rbl-dns.com
>  rbl.xxxx.xxx
>  rblacc.xxxx.xxx
>  whitelist.xxxx.xxx
>
>
>[2]
>[@syslog1 scripts]# digall.sh 202.29.234.42
>..
>202.29.234.31
>202.29.234.32
>202.29.234.33
>202.29.234.34
>202.29.234.35
>202.29.234.36
>202.29.234.37
>202.29.234.38
>202.29.234.39
>202.29.234.40
>202.29.234.41
>202.29.234.42
>202.29.234.43
>202.29.234.44
>202.29.234.45
>202.29.234.46
>202.29.234.47
>202.29.234.48
>202.29.234.49
>202.29.234.50
>202.29.234.51
>202.29.234.52
>202.29.234.53
>...
>
>[@syslog1 scripts]# digall.sh 209.85.219.47
>209.85.219.0
>209.85.219.1    mail-qv1-f1.google.com.
>209.85.219.2    mail-qv1-f2.google.com.
>209.85.219.3    mail-qv1-f3.google.com.
>209.85.219.4    mail-qv1-f4.google.com.
>209.85.219.5    mail-qv1-f5.google.com.
>209.85.219.6    mail-qv1-f6.google.com.
>209.85.219.7    mail-qv1-f7.google.com.
>209.85.219.8    mail-qv1-f8.google.com.
>209.85.219.9    mail-qv1-f9.google.com.

RE: Suggested Approach

Posted by Marc <Ma...@f1-outsourcing.eu>.
> 
> For those that would like to investigate, the messages are in the
> attached ZIP.  It looks like simple Spamming but I can not assure
> there are no other issues of concern.
> 

Put the full (redacted) plain text source message. I can't believe that message headers do not contain IP addresses. What is this 202.29.234.42?

Your SpamAssassin should not even be processing messages from 202.29.234.42. Your incoming mail server should not accept mail from IPs that do not have a correct reverse[2]. Then it is on a DNSBL. So it should be stopped at that stage.


[1]
[@scripts]# testrbl.sh 202.29.234.42
202.29.234.42
 zen.spamhaus.org 127.0.0.11 "https://www.spamhaus.org/query/ip/202.29.234.42"
 bl.spamcop.net
 dul.rbl-dns.com
 rbl.xxxx.xxx
 rblacc.xxxx.xxx
 whitelist.xxxx.xxx


[2]
[@syslog1 scripts]# digall.sh 202.29.234.42
..
202.29.234.31
202.29.234.32
202.29.234.33
202.29.234.34
202.29.234.35
202.29.234.36
202.29.234.37
202.29.234.38
202.29.234.39
202.29.234.40
202.29.234.41
202.29.234.42
202.29.234.43
202.29.234.44
202.29.234.45
202.29.234.46
202.29.234.47
202.29.234.48
202.29.234.49
202.29.234.50
202.29.234.51
202.29.234.52
202.29.234.53
...

[@syslog1 scripts]# digall.sh 209.85.219.47
209.85.219.0
209.85.219.1    mail-qv1-f1.google.com.
209.85.219.2    mail-qv1-f2.google.com.
209.85.219.3    mail-qv1-f3.google.com.
209.85.219.4    mail-qv1-f4.google.com.
209.85.219.5    mail-qv1-f5.google.com.
209.85.219.6    mail-qv1-f6.google.com.
209.85.219.7    mail-qv1-f7.google.com.
209.85.219.8    mail-qv1-f8.google.com.
209.85.219.9    mail-qv1-f9.google.com.