Posted to users@spamassassin.apache.org by Christian Brel <br...@copperproductions.co.uk> on 2010/01/29 17:19:09 UTC

Re: [SPAM:9.6] Smut spam

On Fri, 29 Jan 2010 11:09:49 -0500
Robert Fitzpatrick <li...@webtent.net> wrote:

> Could I get someone to run an example of smut spam I cannot seem to
> block in SA 3.2.5? This is a typical message that has been hammering
> one or two customers and despite learning many of these messages with
> bayes, still they continue...
> 
> http://mx1.webtent.net/test.msg
> 
> I am using Sanesecurity as well as the saupdates.
> 
> --Robert
> 

Do the links always point to: globalnamesgroup.com or do they vary?

Re: [SPAM:9.6] Re: Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Sat, 30 Jan 2010 09:32:31 +0000
Ned Slider <ne...@unixmail.co.uk> wrote:

> Christian Brel wrote:
> > 
> > header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
> > body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
> > meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
> > score HOTMAIL_SPAM_GY 0.0
> > 
> 
> If I may...
> 
> To match only Received headers:
> 
> header     __HOTMAIL_SPX1        Received =~ /.{1,30}hotmail\.com/i
> 
> which incidentally will also match entries from
> this-is-not-hotmail.com 
> - may or may not be what you intended.
Indeed. It's probably fair to say that anyone using
'this-is-not-hotmail' would not really fall into my 'must have mail
from' senders, but that's just a view.
> 
> There is already a "from Hotmail" rule in 20_head_tests.cf for use in 
> meta rules that may suffice?
> 
> header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i
> 
> Also, you can use a uri rule for URIs, for example:
> 
> uri             __HOTMAIL_SPX2       m{https?://groups\.yahoo\.com\b}
> 


It was a 'for instance', not a solid rule, Ned, but as you've gone to
so much trouble please feel free to finish the job and offer the whole
rule :-)

Re: Smut spam

Posted by John Wilcock <jo...@tradoc.fr>.
On 30/01/2010 10:32, Ned Slider wrote:
> There is already a "from Hotmail" rule in 20_head_tests.cf for use in
> meta rules that may suffice?
>
> header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i

Bear in mind, however, that not all hotmail users have hotmail.com 
domains. There are plenty of hotmail.cctld domains, for a start.

John.

-- 
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

Re: Smut spam

Posted by Ned Slider <ne...@unixmail.co.uk>.
Christian Brel wrote:
> 
> header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
> body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
> meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
> score HOTMAIL_SPAM_GY 0.0
> 

If I may...

To match only Received headers:

header     __HOTMAIL_SPX1        Received =~ /.{1,30}hotmail\.com/i

which incidentally will also match entries from this-is-not-hotmail.com 
- may or may not be what you intended.

There is already a "from Hotmail" rule in 20_head_tests.cf for use in 
meta rules that may suffice?

header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i

Also, you can use a uri rule for URIs, for example:

uri             __HOTMAIL_SPX2       m{https?://groups\.yahoo\.com\b}
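The regex points made in this post and in the reply that quotes it above (`.{1,30}hotmail\.com` also matching this-is-not-hotmail.com, `ALL` versus `Received`, the `\b` on the uri rule, and John's hotmail.cctld remark) are easy to verify outside SpamAssassin. The script below is an added example, not code from the thread or from SpamAssassin: it runs the posted patterns over three constructed messages (invented for this example, not the test.msg / test2.msg from the thread) using Python's `re`, which treats `\b`, `.{1,30}` and `/i` exactly as Perl does for these patterns. The `rcvd_tight` rule and the crude URI extraction are my additions for comparison, not rules proposed in the thread.

```python
"""Exercise the header/body/uri regexes from the thread against constructed messages."""
import email
import re
from email import policy

# --- constructed sample messages (not the thread's test.msg / test2.msg) -----------------
MSG_HOTMAIL = """\
Received: from blu0-omc3-s19.blu0.hotmail.com (blu0-omc3-s19.blu0.hotmail.com [65.55.116.94])
\tby mx.example.net with ESMTP; Fri, 29 Jan 2010 10:00:00 -0500
From: Someone <someone@hotmail.com>
Subject: hello
Content-Type: text/plain

Look here: http://groups.yahoo.com/group/example/
"""

MSG_LOOKALIKE = """\
Received: from mail.this-is-not-hotmail.com (mail.this-is-not-hotmail.com [192.0.2.10])
\tby mx.example.net with ESMTP; Fri, 29 Jan 2010 10:01:00 -0500
From: Someone <someone@this-is-not-hotmail.com>
Subject: hotmail.com news
Content-Type: text/plain

Look here: https://groups.yahoo.community/x
"""

MSG_CCTLD = """\
Received: from blu0-omc3-s19.blu0.hotmail.com (blu0-omc3-s19.blu0.hotmail.com [65.55.116.94])
\tby mx.example.net with ESMTP; Fri, 29 Jan 2010 10:02:00 -0500
From: Someone <someone@hotmail.co.uk>
Subject: hello
Content-Type: text/plain

Look here: https://groups.yahoo.com/group/example/
"""

# --- rules from the thread, as (scope, regex) --------------------------------------------
RULES = {
    # header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i   (as first posted)
    "posted_all":   ("all",  re.compile(r"Received\:.{1,30}hotmail\.com", re.I)),
    # header __HOTMAIL_SPX1 Received =~ /.{1,30}hotmail\.com/i        (Ned: Received only)
    "rcvd_loose":   ("rcvd", re.compile(r".{1,30}hotmail\.com", re.I)),
    # Added for comparison: hotmail.com must start a DNS label, so a hyphen or
    # alphanumeric right before it (this-is-not-hotmail.com) no longer matches.
    "rcvd_tight":   ("rcvd", re.compile(r"(?:^|[^a-z0-9-])hotmail\.com\b", re.I)),
    # header __FROM_HOTMAIL_COM From =~ /\@hotmail\.com\b/i             (20_head_tests.cf)
    "from_hotmail": ("from", re.compile(r"\@hotmail\.com\b", re.I)),
    # body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/               (as first posted)
    "body_posted":  ("body", re.compile(r"http\:\/\/groups\.yahoo\.com")),
    # uri __HOTMAIL_SPX2 m{https?://groups\.yahoo\.com\b}              (Ned's uri rule)
    "uri_ned":      ("uri",  re.compile(r"https?://groups\.yahoo\.com\b")),
}

URI_RX = re.compile(r"https?://[^\s<>\"']+")   # crude stand-in for SA's URI extraction


def evaluate(raw):
    """Return {rule_name: hit} for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    scopes = {
        # ALL: every header line, "Name: value", as one block
        "all":  ["\n".join(f"{name}: {value}" for name, value in msg.items())],
        # Received: only the (unfolded) Received header values
        "rcvd": [str(v) for v in msg.get_all("Received", [])],
        "from": [str(msg.get("From", ""))],
        "body": [body],
        "uri":  URI_RX.findall(body),
    }
    return {name: any(rx.search(text) for text in scopes[scope])
            for name, (scope, rx) in RULES.items()}


def report(raw, label):
    hits = evaluate(raw)
    print(f"{label:10s} " + "  ".join(f"{k}={'Y' if v else '-'}" for k, v in hits.items()))


if __name__ == "__main__":
    report(MSG_HOTMAIL, "hotmail")
    report(MSG_LOOKALIKE, "lookalike")
    report(MSG_CCTLD, "cctld")
```

Running it shows the lookalike host hitting both posted Received patterns but not the label-anchored one, the `@hotmail.co.uk` sender slipping past `__FROM_HOTMAIL_COM`, and the posted body rule missing an https link that the uri rule catches while the uri rule's `\b` correctly rejects groups.yahoo.community.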


Re: Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Fri, 29 Jan 2010 14:34:46 -0500
Adam Katz <an...@khopis.com> wrote:

> Robert Fitzpatrick wrote:
> >>> http://mx1.webtent.net/test.msg
> > http://mx1.webtent.net/test2.msg
> 
> The first one now also hits razor ... can't say one way or another
> about how it hit earlier, but I'd suggest double-checking to ensure
> you use the plugin as it's pretty useful across the board.
> 
> 
> I suppose this is more an sa-dev question, but perhaps it might be
> worthwhile to have a freemail_networks category (much like
> trusted_networks) that would allow limited parsing beyond the freemail
> providers' networks into the system that connected to it.  This must
> not affect the last-external checks as it would then trigger all the
> dynamic rDNS detectors, and we'd also have to be wary about SPF etc,
> but it might be quite useful for DNSBL.
> 
> I'm sure the freemail plugin already does much of this work.

I'm not sure that it does - looking at the comments at the top of
the .pm it says:

"# If From-address is freemail, and Reply-To or address found in mail
# body is a different freemail address, return success."

In the context we have here, and in general terms for the variety of
spam received via Hotmail - it's a vector, but not overly useful with
this specific type of 'hotspam'.

Looking back at my Hotmail spam it consists of a 50/50ish mix of 419
(where the freemail plugin could be useful) and links. Many are to
staging posts like groups.yahoo.com and can be trivially wiped out with
stuff like:

header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
score HOTMAIL_SPAM_GY 0.0

But where random, changing domain names are used this tactic will never
work. You'll spend your life writing rules.

It's not conceivable to block HOTMAIL as we have a generation of money
spending customers who use it as their primary mail. It would result in
a serious loss of genuine mail. So the vectors that can be used are
very narrow.

This brings me back to the X-Originating-IP: [x.x.x.x] header. We can't
block this on a PBL, but we *can* on a REPUTATION-based list like that
offered by Barracuda. In fact one of those is catching on the BBL:
[78.175.50.246 listed in b.barracudacentral.org] - but I can't say how
long it's been on there - I've only checked it this morning.

It would also be very useful to GEO check this IP as often it's from
somewhere like Turkey, Brazil, China et al. It seems logical to extend
the functionality of the Relay Countries plugin to look for this
header - or add an 'originates from' section to it. I'm no developer so
I can't say if this would be trivial - but I feel it would be a useful
thing to do.

Re: Smut spam

Posted by Adam Katz <an...@khopis.com>.
Robert Fitzpatrick wrote:
>>> http://mx1.webtent.net/test.msg
> http://mx1.webtent.net/test2.msg

The first one now also hits razor ... can't say one way or another
about how it hit earlier, but I'd suggest double-checking to ensure
you use the plugin as it's pretty useful across the board.


I suppose this is more an sa-dev question, but perhaps it might be
worthwhile to have a freemail_networks category (much like
trusted_networks) that would allow limited parsing beyond the freemail
providers' networks into the system that connected to it.  This must
not affect the last-external checks as it would then trigger all the
dynamic rDNS detectors, and we'd also have to be wary about SPF etc,
but it might be quite useful for DNSBL.

I'm sure the freemail plugin already does much of this work.

Re: [SPAM:9.6] Smut spam

Posted by Ned Slider <ne...@unixmail.co.uk>.
Robert Fitzpatrick wrote:
> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
>> On Fri, 29 Jan 2010 11:09:49 -0500
>> Robert Fitzpatrick <li...@webtent.net> wrote:
>>
>>> Could I get someone to run an example of smut spam I cannot seem to
>>> block in SA 3.2.5? This is a typical message that has been hammering
>>> one or two customers and despite learning many of these messages with
>>> bayes, still they continue...
>>>
>>> http://mx1.webtent.net/test.msg
>>>
>>> I am using Sanesecurity as well as the saupdates.
>>>
>>> --Robert
>>>
>> Do the links always point to: globalnamesgroup.com or do they vary?
> 
> All different, even the content, here is another example...
> 
> http://mx1.webtent.net/test2.msg
> 
> 

Nothing much hitting on either of those examples here either (the first 
one now hits uri black but probably didn't at the time you received it).

Keeping on learning them through bayes is about all I can suggest.

Are these all from hotmail? The amount of spam emanating from hotmail is 
getting ridiculous lately. If you're a small server you could possibly 
penalize all mail from hotmail and then whitelist known good senders for 
your clients but that's getting a bit extreme.


Re: [SPAM:9.6] Re: [SPAM:9.6] Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Fri, 29 Jan 2010 11:28:31 -0500
Robert Fitzpatrick <li...@webtent.net> wrote:

> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> > On Fri, 29 Jan 2010 11:09:49 -0500
> > Robert Fitzpatrick <li...@webtent.net> wrote:
> > 
> > > Could I get someone to run an example of smut spam I cannot seem
> > > to block in SA 3.2.5? This is a typical message that has been
> > > hammering one or two customers and despite learning many of these
> > > messages with bayes, still they continue...
> > > 
> > > http://mx1.webtent.net/test.msg
> > > 
> > > I am using Sanesecurity as well as the saupdates.
> > > 
> > > --Robert
> > > 
> > 
> > Do the links always point to: globalnamesgroup.com or do they vary?
> 
> All different, even the content, here is another example...
> 
> http://mx1.webtent.net/test2.msg
> 

About the best I can come up with:

In both cases the originating IP header leads to a bad/listed IP:

X-Originating-IP: [78.175.50.246]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT
TYPE: single IP 78.175.50.246
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
78.175.50.246	 listed in b.barracudacentral.org. 
78.175.50.246	 listed in PBL (ISP) 

X-Originating-IP: [109.75.193.116]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT
TYPE: single IP 109.75.193.116
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
109.75.193.116	 listed in PBL (SPAMHAUS) 
109.75.193.116	 listed in dnsbl-2.uceprotect.net. 
109.75.193.116	 listed in dnsbl-3.uceprotect.net. 

BUT!
AFAIK SA would not block on these and I guess that is because Hotmail
users tend to connect with a web browser from dynamic connections.
Therefore blocking them on a dynamic space policy list (PBL) could
result in shedloads of FPs.

I'm not sure if the RelayCountry module would pick these up? One is
in Turkey, the other gives me an Unknown AS number or IP network error
(I have an old whois client).

This is good spam that defeats SpamAssassin pretty easily as the sender
(hotmail) is mostly globally trusted. I agree with the other poster that
the amount of Spam from Hotmail is a royal pain in the backside, but
this is a spam filter and there needs to be a way to block this kind of
stuff.

Perhaps there needs to be some meta rules such as:
'comes from hotmail, has a single link, originating IP is in a Country
that is often seen sending spam, lots of broken encoded characters
before the HTML section'. But I am to the world of writing rules what
Myra Hindley was to child care.
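The X-Originating-IP approach described in this post and in Christian's earlier one (a Barracuda hit is usable, a PBL hit alone is not because webmail users post from dynamic space), as an added example that is not code from the thread or from SpamAssassin. It pulls the header out of a message, builds the reversed-octet DNSBL query names, and sorts each listing into "reputation", "policy" or "collateral" before scoring. Assumptions: the zone list, the kind labels and the weights are mine and only illustrative; the Spamhaus ZEN answer codes are the ones Spamhaus documents (127.0.0.2 SBL, 127.0.0.3 CSS, 127.0.0.4-7 XBL, 127.0.0.10 PBL ISP-maintained, 127.0.0.11 PBL Spamhaus-maintained); the `FAKE_DNS` answers and the two sample messages are constructed to mirror the two reports quoted above and are not live DNS data.

```python
"""Classify X-Originating-IP DNSBL listings as reputation vs dynamic-space policy."""
import email
import ipaddress
import socket
from email import policy

# DNSBL zones named in the thread, tagged with what a listing there says about one IP:
#   reputation: this address itself was observed misbehaving
#   policy:     the address sits in space the ISP says should not send mail directly (PBL);
#               a webmail user on a home or mobile connection lives here, so on its own
#               it is not evidence of spam when the IP only appears in X-Originating-IP
#   collateral: a whole netblock (level 2) or ASN (level 3) is listed, not this host
ZONES = {
    "b.barracudacentral.org": "reputation",
    "zen.spamhaus.org": None,            # decided per answer code, see ZEN_CODES
    "dnsbl-2.uceprotect.net": "collateral",
    "dnsbl-3.uceprotect.net": "collateral",
}
ZEN_CODES = {
    "127.0.0.2": ("SBL", "reputation"),
    "127.0.0.3": ("SBL-CSS", "reputation"),
    "127.0.0.4": ("XBL", "reputation"),
    "127.0.0.5": ("XBL", "reputation"),
    "127.0.0.6": ("XBL", "reputation"),
    "127.0.0.7": ("XBL", "reputation"),
    "127.0.0.10": ("PBL-ISP", "policy"),
    "127.0.0.11": ("PBL-SPAMHAUS", "policy"),
}
# Illustrative score contributions (assumption; tune against your own mail flow).
WEIGHTS = {"reputation": 3.0, "collateral": 0.5, "policy": 0.0}


def originating_ip(raw):
    """Return the X-Originating-IP value as an IPv4Address, or None if absent/unusable."""
    msg = email.message_from_string(raw, policy=policy.default)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    try:
        ip = ipaddress.ip_address(str(value).strip().strip("[]"))   # "[78.175.50.246]"
    except ValueError:
        return None
    # Private/loopback values are meaningless here (the header is forgeable anyway).
    return ip if ip.version == 4 and ip.is_global else None


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 78.175.50.246 -> 246.50.175.78.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def _dns_a(name):
    """Live resolver: A records for name, [] when NXDOMAIN (i.e. not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify_answer(zone, answer):
    """Map one DNSBL answer to (list_name, kind)."""
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(answer, ("ZEN-" + answer, "unknown"))   # unknown codes unscored
    return (zone, ZONES[zone])


def lookup(ip, resolver=_dns_a):
    """Query every zone; return {list_name: kind} for each listing found."""
    hits = {}
    for zone in ZONES:
        for answer in resolver(dnsbl_name(ip, zone)):
            list_name, kind = classify_answer(zone, answer)
            hits[list_name] = kind
    return hits


def score(hits):
    """Thread's policy: PBL alone must not block webmail users; reputation hits may."""
    return sum(WEIGHTS.get(kind, 0.0) for kind in hits.values())


def assess(raw, resolver=_dns_a):
    ip = originating_ip(raw)
    if ip is None:
        return {"ip": None, "hits": {}, "score": 0.0}
    hits = lookup(ip, resolver)
    return {"ip": str(ip), "hits": hits, "score": score(hits)}


# Constructed answers mirroring the two reports quoted in the thread (not live DNS data).
FAKE_DNS = {
    "246.50.175.78.b.barracudacentral.org": ["127.0.0.2"],
    "246.50.175.78.zen.spamhaus.org": ["127.0.0.10"],      # PBL (ISP)
    "116.193.75.109.zen.spamhaus.org": ["127.0.0.11"],     # PBL (SPAMHAUS)
    "116.193.75.109.dnsbl-2.uceprotect.net": ["127.0.0.2"],
    "116.193.75.109.dnsbl-3.uceprotect.net": ["127.0.0.2"],
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


# Constructed minimal messages carrying the two header values from the thread.
SAMPLE_A = "X-Originating-IP: [78.175.50.246]\nFrom: a@hotmail.com\nSubject: t\n\nbody\n"
SAMPLE_B = "X-Originating-IP: [109.75.193.116]\nFrom: b@hotmail.com\nSubject: t\n\nbody\n"

if __name__ == "__main__":
    for raw in (SAMPLE_A, SAMPLE_B):
        print(assess(raw, fake_resolver))
```

Two caveats a practitioner would add. The header is trivially forgeable by anyone who is not Hotmail, so score it only when the message verifiably arrived through the webmail provider's own relays (i.e. the header was added by a hop you trust); otherwise a spammer can plant a clean address, or somebody else's. And SpamAssassin 3.3 introduced an `originating_ip_headers` option that feeds such header values into the regular relay/DNSBL path, so on a current version most of this can be expressed in .cf rules rather than in an external script (check the Mail::SpamAssassin::Conf documentation for your version).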

Re: [SPAM:9.6] Smut spam

Posted by Robert Fitzpatrick <li...@webtent.net>.
On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> On Fri, 29 Jan 2010 11:09:49 -0500
> Robert Fitzpatrick <li...@webtent.net> wrote:
> 
> > Could I get someone to run an example of smut spam I cannot seem to
> > block in SA 3.2.5? This is a typical message that has been hammering
> > one or two customers and despite learning many of these messages with
> > bayes, still they continue...
> > 
> > http://mx1.webtent.net/test.msg
> > 
> > I am using Sanesecurity as well as the saupdates.
> > 
> > --Robert
> > 
> 
> Do the links always point to: globalnamesgroup.com or do they vary?

All different, even the content, here is another example...

http://mx1.webtent.net/test2.msg