Posted to users@spamassassin.apache.org by Blason rock <bl...@gmail.com> on 2013/09/20 12:47:27 UTC

Receiving lot of spam with header phpmailer

Hi there,

How do I block spam mails having the below text common in all headers? I
suddenly started receiving it and would like to block it.

X-mailer: phpmailer  (version 1.41)

Re: Receiving lot of spam with header phpmailer

Posted by Blason rock <bl...@gmail.com>.
Yes... with that header I am hardly receiving any genuine mails.
On 20 Sep 2013 16:28, "Antony Stone" <Antony.Stone@spamassassin.open.source.it> wrote:

> On Friday 20 September 2013 at 12:47:27, Blason rock wrote:
>
> > Hi there,
> >
> > How do I block spam mails having the below text common in all headers? I
> > suddenly started receiving it and would like to block it.
> >
> > X-mailer: phpmailer  (version 1.41)
>
> Have you first checked to see what proportion of non-spam emails you
> receive with the same header in?
>
>
> Antony.
>
> --
> It is also possible that putting the birds in a laboratory setting
> inadvertently renders them relatively incompetent.
>
>  - Daniel C Dennett
>
>                                                      Please reply to the list;
>                                                            please don't CC me.
>

Re: Receiving lot of spam with header phpmailer

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Friday 20 September 2013 at 12:47:27, Blason rock wrote:

> Hi there,
> 
> How do I block spam mails having the below text common in all headers? I
> suddenly started receiving it and would like to block it.
> 
> X-mailer: phpmailer  (version 1.41)

Have you first checked to see what proportion of non-spam emails you receive 
with the same header in?


Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Receiving lot of spam with header phpmailer

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2013-09-23 at 10:51 +0530, Blason rock wrote:
> So guys can you confirm if this is a correct rule?

It is technically incorrect (the pattern is not an RE but a string) and
logically incorrect (matching the pattern against all headers, instead
of testing for the existence of a header).

Moreover, you picked a really bad header to indicate spam -- X-BeenThere
is added to outgoing mail by Mailman (a mailing list server).


> for this kind of SPAM messages?

I didn't keep the previous messages of this thread, but IIRC you didn't
provide a sample, did you? Upload the full, raw message to a pastebin,
or please remind me of the link if you did already.


> X-Mailer: phpmailer [version 1.41]
> X-BeenThere: scoot@mailman.wikimedia.org
> 
> header XBEENTHERE ALL =~ X-BeenThere
> score XBEENTHERE 6

Hmm. Wikimedia does use Mailman, but the lists seem to be hosted at a
"lists" named hostname. And "scoot" doesn't appear to be a valid
wikimedia list.

That is not a mailing list you are subscribed to, and spam sent via the
list, right?

That said, does all of the spam you target have both these headers? Do
the values change? You might want to show us a list of these headers
observed.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

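The poster's rule rewritten the way Karsten's critique asks for, as an added example (not code from this thread): an existence test uses exists:, a pattern test uses a real regex, and the Mailman header alone never carries the full score. Rule names, the regex and the scores are my own assumptions, and the ALL-based rule is there only for the lowercase "X-mailer:" spelling RW says does not occur in ham.

```conf
# Added example for local.cf, not from the thread.  Names and scores are
# illustrative; check the ham hit rate before raising any score.

# Existence test: no regex, just "exists:".  This fires on every Mailman
# list message too, so it is a scoreless sub-rule (leading "__").
header   __HAS_XBEENTHERE   exists:X-BeenThere

# Regex test on the named header.  Header names are matched
# case-insensitively here, so this sees both "X-Mailer:" and "X-mailer:".
# Matches "phpmailer  (version 1.41)" and "phpmailer [version 1.41]".
header   __PHPMAILER_141    X-Mailer =~ /^phpmailer\s*[\[(]version 1\.41[\])]/i

# Case-sensitive variant against the whole header block: only the
# lowercase "X-mailer:" spelling the spam used, not the "X-Mailer:" in ham.
header   __PHPMAILER_LC     ALL =~ /^X-mailer: phpmailer/m

# Score only the combinations, starting low; Antony's and RW's point is
# that the phpmailer header on its own also appears in legitimate mail.
meta     PHPMAILER_VIA_LIST  (__PHPMAILER_141 && __HAS_XBEENTHERE)
describe PHPMAILER_VIA_LIST  phpmailer 1.41 message carrying a Mailman X-BeenThere header
score    PHPMAILER_VIA_LIST  1.0

meta     PHPMAILER_LOWERCASE (__PHPMAILER_LC)
describe PHPMAILER_LOWERCASE lowercase X-mailer header as seen in the reported spam
score    PHPMAILER_LOWERCASE 0.5
```

Run spamassassin --lint after editing local.cf; the original rule would have been rejected at that step because its pattern is not a /regex/.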

Re: Receiving lot of spam with header phpmailer

Posted by Blason rock <bl...@gmail.com>.
So guys can you confirm if this is a correct rule?

for this kind of SPAM messages?

X-Mailer: phpmailer [version 1.41]
X-BeenThere: scoot@mailman.wikimedia.org


header XBEENTHERE ALL =~ X-BeenThere
score XBEENTHERE 6




On Sat, Sep 21, 2013 at 4:46 PM, RW <rw...@googlemail.com> wrote:

> On Fri, 20 Sep 2013 16:17:27 +0530
> Blason rock wrote:
>
> > Hi there,
> >
> > How do I block spam mails having the below text common in all
> > headers? I suddenly started receiving it and would like to block it.
> >
> > X-mailer: phpmailer  (version 1.41)
>
>
> I've quite a lot of ham with similar headers, but it's always X-Mailer.
>

Re: Receiving lot of spam with header phpmailer

Posted by RW <rw...@googlemail.com>.
On Fri, 20 Sep 2013 16:17:27 +0530
Blason rock wrote:

> Hi there,
> 
> How do I block spam mails having the below text common in all
> headers? I suddenly started receiving it and would like to block it.
> 
> X-mailer: phpmailer  (version 1.41)


I've quite a lot of ham with similar headers, but it's always X-Mailer.

Re: Receiving lot of spam with header phpmailer

Posted by Benny Pedersen <me...@junc.eu>.
Blason rock wrote on 2013-09-20 12:47:

> How do I block spam mails having the below text common in all
> headers? I suddenly started receiving it and would like to block it.
>
> X-mailer: phpmailer  (version 1.41)

echo "X-mailer: phpmailer  (version 1.41)" | sigtool --hex-dump >hexpart

save a foo.ndb file with

foo:0:*:hexpart

decode it with cat foo.ndb | sigtool --decode-sigs

works well on clamav

if you would like to have the signature as a pua then change foo.ndb to foo.ndu

then it will need --detect-pua=yes in clamscan

if it's ndb then it works without, the foo.ndb or foo.ndu must be in the same dir as main.cvd