Help with tagging hotmail spam

[Alex <my...@gmail.com>]

Hi all,

I have a fedora15 box with v3.3.2 and I have some hotmail spam that I
can't figure out how to catch:

http://pastebin.com/kkUUvYQp

It's hitting BAYES_00 and no blacklists or other significant spam
rules and not sure how to tag it. The user has reported receiving this
spam several times before, each with a different URL in the body but
otherwise the same.

It's still not listed in a URIBL.

Any ideas greatly appreciated.
Thanks,
Alex

Re: Help with tagging hotmail spam

[Ned Slider <ne...@unixmail.co.uk>]

On 04/10/11 05:50, Alex wrote:
> Hi,
>
>>> I have a fedora15 box with v3.3.2 and I have some hotmail spam that I
>>> can't figure out how to catch:
>>>
>>> http://pastebin.com/kkUUvYQp
>>>
>>> It's hitting BAYES_00 and no blacklists or other significant spam
>>> rules and not sure how to tag it. The user has reported receiving this
>>> spam several times before, each with a different URL in the body but
>>> otherwise the same.
>>>
>>> It's still not listed in a URIBL.
>>>
>> X-Originating-IP hits Spamhaus XBL list. I would deep parse headers against
>> SBL-XBL. This does have the potential for FPs on legitimate mail sent from
>> infected computers also spewing botnet spam so take that into account in
>> your scoring.
>
> Okay, I see that it is (now) listed in the XBL, but I have zen being
> checked at the smtp level with postfix and it didn't catch it. I guess
> it's possible I received it before it was listed, but I also have zen
> in SA, and although it appears to hit on zen, it isn't reflected in
> the score.
>
> This makes me think there's a different problem I'm having. This means
> it hit zen, correct?
>
> Oct  4 00:30:21.417 [12281] dbg: dns: hit
> <dns:5.15.102.50.zen.spamhaus.org>  127.0.0.4
>
> I've uploaded a new pastebin with full debugging, and hoped someone
> could help me to investigate.
>

I don't think you quite understand. By default, SA queries zen (which is 
a combination of pbl, sbl and xbl) for all IP addresses in the Received 
headers but only the last external IP address, which in this case was 
the Hotmail server delivering to you - [65.55.90.240], is scored for 
hits against the pbl and xbl. So in this case the DNS lookup was done 
but the result wasn't used.

It's highly unlikely that a Hotmail server will ever be (intentionally) 
listed in Spamhaus.

What I'm talking about above is setting up some new rules to score IP 
addresses further down the delivery chain, including in this case the 
originating IP. This is sometimes known as deep parsing.

However, it is NOT safe to deep parse received headers against 
zen.spamhaus as the zen list includes the pbl and this will generate a 
huge number of false positives. However, it is fairly safe to deep parse 
against the remaining sbl and xbl lists (SA actually already does this 
for the sbl).

Here is the rule I use to query all IPs against the sbl and xbl:

# SBL-XBL is the Spamhaus Block List: http://www.spamhaus.org/
# SBL returns 127.0.0.2, XBL returns 127.0.0.4-8
header   RCVD_IN_SBLXBL		eval:check_rbl_sub('zen', '127.0.0.[245678]')
describe RCVD_IN_SBLXBL		Received via a relay in Spamhaus SBL-XBL
tflags   RCVD_IN_SBLXBL		net

Then score it as you see fit:

score	RCVD_IN_SBLXBL	3

As I said above, this has the potential to cause some false positive 
hits against legitimate mail sent from infected spambot hosts, but 
generally if mail originated from a spammy host I'd rather know about it.

> I've got the score to increase a bit by training it in bayes, but I'm
> not even sure that's the right thing to do. How do this affect
> legitimate mail received from hotmail?
>

Bayes is extremely clever and when properly trained with sufficient 
examples so I wouldn't worry about it - just make sure you feed examples 
of both ham and spam from hotmail.

Re: Help with tagging hotmail spam

[Alex <my...@gmail.com>]

Hi,

>> I have a fedora15 box with v3.3.2 and I have some hotmail spam that I
>> can't figure out how to catch:
>>
>> http://pastebin.com/kkUUvYQp
>>
>> It's hitting BAYES_00 and no blacklists or other significant spam
>> rules and not sure how to tag it. The user has reported receiving this
>> spam several times before, each with a different URL in the body but
>> otherwise the same.
>>
>> It's still not listed in a URIBL.
>>
> X-Originating-IP hits Spamhaus XBL list. I would deep parse headers against
> SBL-XBL. This does have the potential for FPs on legitimate mail sent from
> infected computers also spewing botnet spam so take that into account in
> your scoring.

Okay, I see that it is (now) listed in the XBL, but I have zen being
checked at the smtp level with postfix and it didn't catch it. I guess
it's possible I received it before it was listed, but I also have zen
in SA, and although it appears to hit on zen, it isn't reflected in
the score.

This makes me think there's a different problem I'm having. This means
it hit zen, correct?

Oct  4 00:30:21.417 [12281] dbg: dns: hit
<dns:5.15.102.50.zen.spamhaus.org> 127.0.0.4

I've uploaded a new pastebin with full debugging, and hoped someone
could help me to investigate.

I've got the score to increase a bit by training it in bayes, but I'm
not even sure that's the right thing to do. How do this affect
legitimate mail received from hotmail?

Shouldn't mail from hotmail have a DKIM header, or maybe even SPF?

I also just realized dcc isn't configured on this box. Would that have
made a difference here?

# Full debugging
http://pastebin.com/raw.php?i=TGgRmJeW

# Original
http://pastebin.com/kkUUvYQp

Thanks again,
Alex

Re: Help with tagging hotmail spam

[Ned Slider <ne...@unixmail.co.uk>]

On 03/10/11 01:31, Alex wrote:
> Hi all,
>
> I have a fedora15 box with v3.3.2 and I have some hotmail spam that I
> can't figure out how to catch:
>
> http://pastebin.com/kkUUvYQp
>
> It's hitting BAYES_00 and no blacklists or other significant spam
> rules and not sure how to tag it. The user has reported receiving this
> spam several times before, each with a different URL in the body but
> otherwise the same.
>
> It's still not listed in a URIBL.
>
> Any ideas greatly appreciated.
> Thanks,
> Alex
>


X-Originating-IP hits Spamhaus XBL list. I would deep parse headers 
against SBL-XBL. This does have the potential for FPs on legitimate mail 
sent from infected computers also spewing botnet spam so take that into 
account in your scoring.

As always, manually train Bayes with such examples.

Re: Help with tagging hotmail spam

[Martin Gregorie <ma...@gregorie.org>]

On Sun, 2011-10-02 at 20:31 -0400, Alex wrote:
> I have some hotmail spam that I can't figure out how to catch:
> 
> http://pastebin.com/kkUUvYQp
> 
> It's hitting BAYES_00 and no blacklists or other significant spam
> rules and not sure how to tag it. The user has reported receiving this
> spam several times before, each with a different URL in the body but
> otherwise the same.
> 
> It's still not listed in a URIBL.
> 
... and not likely to be either, since AFAICT all the domains in
sender-related headers are legit.

However, if all mail sent from hotmail has an X-Originating-Email:
header[1] you may get somewhere with a rule that requires all mail with
'hotmail.com' in this header to have the same in the 'From:' header,
i.e. the From: address must not be forged.

HTH

Martin

[1] It may or may not have this as standard. I don't get much mail or
spam from there and so haven't looked.

Re: Help with tagging hotmail spam

[Jason Haar <Ja...@trimble.com>]

I followed the link and ended up downloading a Windows worm to my Linux
laptop (Worm:Win32/Cridex.B if you care)

So this isn't spam - it's a malware-run. Totally different rules apply
to malware than spam - this sort of thing can only be fought by SA with
RBL/SURBLs

So the best response here would be to get the links into SURBLs asap,
and force users through AV proxies to stop the malware from downloading
(hmmm, our AV didn't stop this - owch!)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1