Posted to users@spamassassin.apache.org by Mark London <mr...@psfc.mit.edu> on 2017/12/11 15:44:19 UTC

Flakey spam email. How to filter?

I'm getting a lot of flakey spam messages that don't trigger any 
significant SpamAssassin rules, even though they obviously look really bogus.

Here's an example. Any suggestions?

https://pastebin.com/bZUt0ThS

These spams are being sent to my gmail account, and then forwarded to my 
work address. I tried stripping off all the forwarding headers, but it 
doesn't trigger any RBLs.

Thanks for any help.

- Mark




Re: Flakey spam email. How to filter?

Posted by David Jones <dj...@ena.com>.
On 12/11/2017 02:55 PM, Tobi wrote:
> @Dave
> you're sure that trusted_networks must be changed in case of fetching mails? I fetch mine from gmail too and sa always has the correct first non trusted relay. Without changing *_networks. With fetching you do not get an smtp received header so sa jumps to the next relay. And (at least from what I see in my gmail mails) the first smtp received header without a private ip address is the one that hands off to gmail aka the one to feed to sa
> 
> Cheers
> 
> tobi
> 

I checked my Gmail account with a mail client and you are correct. 
Google is not adding a Received header for their own mail server so that 
"hop" doesn't have to be skipped over by SA.  I guess I was thinking 
about the forwarding in my mind that would add that "hop" in the 
Received headers.  Thanks for the clarification.

> ----- Original Message -----
> From: David Jones <dj...@ena.com>
> Sent: 11.12.17 - 17:27
> To: users@spamassassin.apache.org
> Subject: Re: Flakey spam email. How to filter?
> 
>> On 12/11/2017 09:44 AM, Mark London wrote:
>>> I'm getting a lot of flakey spam messages that don't trigger any
>>> significant SpamAssassin rules, even though they obviously look really
>>> bogus.
>>>
>>> Here's an example. Any suggestions?
>>>
>>> https://pastebin.com/bZUt0ThS
>>>
>>> These spams are being sent to my gmail account, and then forwarded to my
>>> work address. I tried stripping off all the forwarding headers, but it
>>> doesn't trigger any RBLs.
>>>
>>> Thanks for any help.
>>>
>>> - Mark
>>>
>>>
>>>
>>
>> It's going to be very difficult to filter mail properly that has been
>> forwarded from Gmail.  Why would you want to do this anyway?  Report it
>> as Spam at Gmail and let Google block it for you and everyone else on
>> Gmail and G-Suite.
>>
>> If you want to continue this mail flow and use SpamAssassin, I would
>> recommend using POP to pull the email from Google and not forward it,
>> which breaks a lot of stuff like SPF.  You will need to set up your
>> trusted_networks to cover all of Google's mail server IPs listed in
>> their SPF record to get RBLs to work correctly, which could be challenging.
>>
>> I ran that email through my filters and it scored a 12.5 for me.  Make
>> sure you have DCC installed and working.  I realize that time has passed
>> so DCC may not have hit the original SMTP receive time but still it
>> should have scored well above 6.0 based on properly trained Bayes and
>> some other SA hits:
>>
>>    0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
>>    0.0 HTML_MESSAGE           BODY: HTML included in message
>>    1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>>                               [score: 0.5000]
>>    0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>    0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
>>    1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
>>    2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>>    0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>>    0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>>    0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
>>    0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
>>    2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num
>>
>> That IP of 158.69.185.128 is not listed on any RBLs so it's pretty much
>> left to SA content-based rules like DCC, Bayes, and a few others above.
>>
>> -- 
>> David Jones
> 


-- 
David Jones

Re: Flakey spam email. How to filter?

Posted by RW <rw...@googlemail.com>.
On Mon, 11 Dec 2017 21:55:08 +0100 (GMT+01:00)
Tobi wrote:

> @Dave
> you're sure that trusted_networks must be changed in case of fetching
> mails? I fetch mine from gmail too and sa always has the correct
> first non trusted relay. Without changing *_networks. With fetching
> you do not get an smtp received header so sa jumps to the next relay.

There's special handling for fetchmail that causes the network
parsing to restart inside the remote network. getmail works because SA
can't parse its header and just skips over it. Other retrievers that
'just work' are probably unparsable too.

The only problem is that it requires some vigilance in case an SA
user sees the unparsable relay as a bug and submits a patch to bodge
the header into a parsable form. This happened with getmail last year.

Bug 6420 had a patch to make the fetchmail support generic, but it
wasn't committed.

Re: Flakey spam email. How to filter?

Posted by Tobi <ja...@gmx.ch>.
@Dave
you're sure that trusted_networks must be changed in case of fetching mails? I fetch mine from gmail too and sa always has the correct first non trusted relay. Without changing *_networks. With fetching you do not get an smtp received header so sa jumps to the next relay. And (at least from what I see in my gmail mails) the first smtp received header without a private ip address is the one that hands off to gmail aka the one to feed to sa

Cheers

tobi

----- Original Message -----
From: David Jones <dj...@ena.com>
Sent: 11.12.17 - 17:27
To: users@spamassassin.apache.org
Subject: Re: Flakey spam email. How to filter?

> On 12/11/2017 09:44 AM, Mark London wrote:
>> I'm getting a lot of flakey spam messages that don't trigger any 
>> significant SpamAssassin rules, even though they obviously look really 
>> bogus.
>> 
>> Here's an example. Any suggestions?
>> 
>> https://pastebin.com/bZUt0ThS
>> 
>> These spams are being sent to my gmail account, and then forwarded to my 
>> work address. I tried stripping off all the forwarding headers, but it 
>> doesn't trigger any RBLs.
>> 
>> Thanks for any help.
>> 
>> - Mark
>> 
>> 
>> 
> 
> It's going to be very difficult to filter mail properly that has been 
> forwarded from Gmail.  Why would you want to do this anyway?  Report it 
> as Spam at Gmail and let Google block it for you and everyone else on 
> Gmail and G-Suite.
> 
> If you want to continue this mail flow and use SpamAssassin, I would 
> recommend using POP to pull the email from Google and not forward it, 
> which breaks a lot of stuff like SPF.  You will need to set up your 
> trusted_networks to cover all of Google's mail server IPs listed in 
> their SPF record to get RBLs to work correctly, which could be challenging.
> 
> I ran that email through my filters and it scored a 12.5 for me.  Make 
> sure you have DCC installed and working.  I realize that time has passed 
> so DCC may not have hit the original SMTP receive time but still it 
> should have scored well above 6.0 based on properly trained Bayes and 
> some other SA hits:
> 
>   0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
>   0.0 HTML_MESSAGE           BODY: HTML included in message
>   1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                              [score: 0.5000]
>   0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>   0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
>   1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
>   2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>   0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>   0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>   0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
>   0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
>   2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num
> 
> That IP of 158.69.185.128 is not listed on any RBLs so it's pretty much 
> left to SA content-based rules like DCC, Bayes, and a few others above.
> 
> -- 
> David Jones
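As an added illustration of the relay-skipping Tobi describes (editor's example, not code from SpamAssassin or from anyone in this thread): the script below walks a constructed Received chain newest hop first, skips the POP3 fetch hop because no SMTP delivery happened there, skips hops from private addresses, and returns the first external SMTP peer, which is the address you would want RBLs to see. The hostnames and the 10.x/172.16.x addresses are made up; 158.69.185.128 is the relay address Dave quoted from the sample. SpamAssassin's real Received parser and its trusted_networks/internal_networks handling are more involved, so treat this as a sketch of the idea only.

```python
"""Walk Received headers newest-first and pick the first external SMTP relay.

Editor's illustration, not SpamAssassin's Received parser. Hostnames and the
private addresses below are constructed; 158.69.185.128 is the relay address
quoted in the thread.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed Received chain as a POP/fetchmail user would see it, newest hop first.
SAMPLE_RECEIVED: List[str] = [
    # 1. Local POP3 retrieval hop written by fetchmail: no SMTP delivery happened here.
    "Received: from pop.gmail.com [192.0.2.10]\n"
    "\tby mx.example.net with POP3 (fetchmail-6.3.26)\n"
    "\tfor <mark@localhost> (single-drop); Mon, 11 Dec 2017 15:44:19 +0000",
    # 2. Internal hop inside the mailbox provider (private address, constructed).
    "Received: from [10.4.2.7] by inbound.example.com with SMTP id c7si1234;\n"
    "\tMon, 11 Dec 2017 15:44:10 +0000",
    # 3. The hand-off from the outside world: this is the peer RBLs should be asked about.
    "Received: from mail.relay-example.invalid ([158.69.185.128])\n"
    "\tby inbound.example.com with ESMTPS id a1b2c3;\n"
    "\tMon, 11 Dec 2017 15:44:05 +0000",
    # 4. Whatever the sender claims happened before that (untrusted, never reached).
    "Received: from [172.16.0.5] by mail.relay-example.invalid with ESMTP id x9;\n"
    "\tMon, 11 Dec 2017 15:44:01 +0000",
]

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# SMTP, ESMTP, ESMTPS, ESMTPA, ESMTPSA and LMTP count as real deliveries; POP3/IMAP do not.
SMTP_RE = re.compile(r"\bwith\s+(?:E?SMTPS?A?|LMTP)\b", re.IGNORECASE)


def parse_received(header: str) -> dict:
    """Return the peer address named in the 'from ...' clause and whether the hop was SMTP."""
    flat = " ".join(header.split())            # unfold continuation lines
    from_clause = flat.split(" by ", 1)[0]     # 'by ...' names the receiver, not the peer
    peer: Optional[ipaddress.IPv4Address] = None
    for candidate in IPV4_RE.findall(from_clause):
        try:
            peer = ipaddress.IPv4Address(candidate)
            break
        except ValueError:                     # e.g. 999.1.1.1 in a forged header
            continue
    return {"peer": peer, "smtp": SMTP_RE.search(flat) is not None}


def first_external_relay(received: List[str], trusted_networks=()) -> Optional[str]:
    """First hop (newest first) that was an SMTP delivery from an address that is
    neither private nor inside our own trusted networks. Hops that were not SMTP
    (POP/IMAP fetches) or have no parseable peer are skipped, which is the
    'jump to the next relay' behaviour described for fetched mail."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received:
        hop = parse_received(header)
        if not hop["smtp"] or hop["peer"] is None:
            continue                           # unparsable or non-SMTP hop: move on
        ip = hop["peer"]
        if ip.is_private or ip.is_loopback or any(ip in net for net in trusted):
            continue                           # still on our side of the hand-off
        return str(ip)
    return None


if __name__ == "__main__":
    print(first_external_relay(SAMPLE_RECEIVED))   # 158.69.185.128
```

Passing a trusted_networks list that covers the external relay makes the walk continue to the next hop, which is what listing your own forwarder's netblocks in SA achieves; in the constructed chain that next hop is a private address, so nothing external is found.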


Re: Flakey spam email. How to filter?

Posted by David Jones <dj...@ena.com>.
On 12/11/2017 09:44 AM, Mark London wrote:
> I'm getting a lot of flakey spam messages that don't trigger any 
> significant SpamAssassin rules, even though they obviously look really 
> bogus.
> 
> Here's an example. Any suggestions?
> 
> https://pastebin.com/bZUt0ThS
> 
> These spams are being sent to my gmail account, and then forwarded to my 
> work address. I tried stripping off all the forwarding headers, but it 
> doesn't trigger any RBLs.
> 
> Thanks for any help.
> 
> - Mark
> 
> 
> 

It's going to be very difficult to filter mail properly that has been 
forwarded from Gmail.  Why would you want to do this anyway?  Report it 
as Spam at Gmail and let Google block it for you and everyone else on 
Gmail and G-Suite.

If you want to continue this mail flow and use SpamAssassin, I would 
recommend using POP to pull the email from Google and not forward it, 
which breaks a lot of stuff like SPF.  You will need to set up your 
trusted_networks to cover all of Google's mail server IPs listed in 
their SPF record to get RBLs to work correctly, which could be challenging.

I ran that email through my filters and it scored a 12.5 for me.  Make 
sure you have DCC installed and working.  I realize that time has passed 
so DCC may not have hit the original SMTP receive time but still it 
should have scored well above 6.0 based on properly trained Bayes and 
some other SA hits:

  0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
  0.0 HTML_MESSAGE           BODY: HTML included in message
  1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5000]
  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
  1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
  2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
  0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
  2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num

That IP of 158.69.185.128 is not listed on any RBLs so it's pretty much 
left to SA content-based rules like DCC, Bayes, and a few others above.

-- 
David Jones
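If you do go Dave's route and list the provider's SPF netblocks in trusted_networks, the tedious part is chasing the include: chain. The script below (editor's addition, not code from the thread, from SpamAssassin or from Google) expands ip4:/ip6:/include:/redirect= terms into CIDR blocks and prints them as local.cf lines. It runs offline against a constructed TXT table with made-up provider.example names and documentation address blocks; swap lookup_txt for a real TXT query (for example with dnspython) and start from the provider's own SPF domain. Mechanisms that need further lookups (a, mx, ptr, exists) are reported rather than resolved, and an include loop in the constructed data shows the recursion guard.

```python
"""Expand an SPF record into CIDR blocks and emit SpamAssassin trusted_networks lines.

Editor's example, not SpamAssassin or Google code. The resolver is a stub over
a constructed TXT table so this runs offline; replace lookup_txt with a real
DNS query (e.g. dnspython) and start from your provider's SPF domain.
The provider.example names and the address blocks are made up.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for DNS. Real providers chain several includes like this.
FAKE_TXT: Dict[str, List[str]] = {
    "_spf.provider.example": [
        "v=spf1 include:_netblocks.provider.example include:_netblocks2.provider.example ~all",
        "site-verification=abc123",          # unrelated TXT record at the same name, ignored
    ],
    "_netblocks.provider.example": [
        "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 ~all",
    ],
    # The include back to _spf.* is deliberate: expansion must not recurse forever.
    "_netblocks2.provider.example": [
        "v=spf1 ip6:2001:db8:1::/48 ip4:192.0.2.5 mx include:_spf.provider.example ~all",
    ],
}

NEEDS_DNS = ("a", "mx", "ptr", "exists")   # mechanisms that expand to more lookups


def lookup_txt(name: str) -> List[str]:
    """Stub resolver; swap for a TXT query in real use."""
    return FAKE_TXT.get(name, [])


def expand_spf(domain: str, resolver: Callable[[str], List[str]] = lookup_txt,
               unresolved: Optional[List[str]] = None,
               _seen: Optional[Set[str]] = None) -> List[str]:
    """Depth-first expansion of ip4:/ip6:/include:/redirect= terms.

    Returns CIDR strings in first-seen order without duplicates. Mechanisms in
    NEEDS_DNS are appended to `unresolved` (as "term@domain") instead of resolved."""
    seen = _seen if _seen is not None else set()
    if domain in seen:                         # include loop (SPF itself caps lookups at 10)
        return []
    seen.add(domain)
    blocks: List[str] = []
    for txt in resolver(domain):
        if not txt.lower().startswith("v=spf1"):
            continue                           # only SPF records carry mechanisms
        for term in txt.split()[1:]:
            mech = term.lstrip("+-~?")         # qualifiers do not change the address set
            key = mech.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
            if key in ("ip4", "ip6"):
                net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
                blocks.append(str(net))
            elif key in ("include", "redirect"):
                target = mech.split(":", 1)[1] if key == "include" else mech.split("=", 1)[1]
                blocks.extend(expand_spf(target, resolver, unresolved, seen))
            elif key in NEEDS_DNS and unresolved is not None:
                unresolved.append(f"{term}@{domain}")
            # 'all', 'exp=' and unknown modifiers carry no addresses
    return list(dict.fromkeys(blocks))         # dedupe, keep order


def trusted_networks_config(domain: str,
                            resolver: Callable[[str], List[str]] = lookup_txt) -> str:
    """Render one trusted_networks line per block; SA accumulates repeated lines."""
    pending: List[str] = []
    lines = [f"trusted_networks {net}" for net in expand_spf(domain, resolver, pending)]
    lines += [f"# not expanded, needs DNS: {item}" for item in pending]
    return "\n".join(lines)


if __name__ == "__main__":
    print(trusted_networks_config("_spf.provider.example"))
```

Re-run it whenever the provider's record changes; a stale list silently reintroduces the "RBLs only ever see the forwarder" problem Dave and Bill describe.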

Re: Flakey spam email. How to filter?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 11 Dec 2017, at 10:44 (-0500), Mark London wrote:

> I'm getting a lot of flakey spam messages that don't trigger any 
> significant SpamAssassin rules, even though they obviously look really 
> bogus.
>
> Here's an example. Any suggestions?
>
> https://pastebin.com/bZUt0ThS
>
> These spams are being sent to my gmail account, and then forwarded to 
> my work address. I tried stripping off all the forwarding headers, but 
> it doesn't trigger any RBLs.

As Dave said, this is deeply suboptimal for filtering. Unless you've got 
some way to make SA look past the Google relays, you'll never see DNSBL 
hits for the SMTP source, because you'll only see Google. For URIDNSBLs, 
on body URIs you might get better luck but if you're early in the spam 
run you might not.

FWIW, Dave's scoring is highly customized and uses KAM's additional 
rules, but even a closer-to-default rig thinks that is spam:


Content analysis details:   (5.7 points, 5.0 required)

  pts rule name              description
---- ---------------------- ---------------------------

-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  0.0 HTML_MESSAGE           BODY: HTML included in message
-1.0 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0047]
  0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
  1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
  2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num

Note that bad Bayes score, which is because my system never sees this 
sort of spam.
Also: I noticed something interesting in that spam that I'm working on 
rules for...


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Flakey spam email. How to filter?

Posted by Pedro David Marco <pe...@yahoo.com>.
Mark, you are right: mix of upper and lower letters + huge div height (500px) + HTML email with no HTML tag + suspicious URLs + suspicious (to me) mailer (I cannot find much in Google about moonray mailer)...
I wish SA had a rule to test only the HTML tags (rawbody - body)... maybe this could be a good idea for a plugin... does anyone know if it already exists?



----PedroD

   

Re: Flakey spam email. How to filter?

Posted by Mark London <mr...@psfc.mit.edu>.

On 12/11/2017 10:59 AM, Reindl Harald wrote:
> On 11.12.2017 at 16:44, Mark London wrote:
>> I'm getting a lot of flakey spam messages that don't trigger any 
>> significant SpamAssassin rules, even though they obviously look really 
>> bogus.
>> Here's an example. Any suggestions?
>> https://pastebin.com/bZUt0ThS
>> These spams are being sent to my gmail account, and then forwarded to 
>> my work address. I tried stripping off all the forwarding headers, 
>> but it doesn't trigger any RBLs.
>
> don't mangle samples!
> you make it impossible for others to help you
> S25R_4 is pretty surely caused by your touching it
> Content analysis details:   (10.0 points, 5.5 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.0 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
>  1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>  0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.5 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
>  0.0 T_OBFU_ATTACH_MISSP    Obfuscated attachment type and misspaced From
>  1.0 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num
>  0.1 BOGOFILTER_UNSURE      BOGOFILTER: message is Unsure with bogofilter-score 0.5000

Sorry, I tried to strip off the forwarding headers. But for some 
reason, that triggers S25R_4. Here's the full email.

https://pastebin.com/mssjURra

I wonder why it doesn't trigger any image rules.

HTML_TAG_BALANCE_HEAD was not an enabled rule for me, so I enabled it. I 
also increased the score of DKIM_ADSP_NXDOMAIN.

Still, it seems so bogus an email, because of its manually created HTML 
(href and img include both upper and lower case characters), that a 
more major rule should be catching it, maybe?

- Mark
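On Pedro's "rawbody minus body" idea and Mark's mixed-case href/img observation, here is a sketch (editor's addition, not an SA plugin and not the thread's sample message) of what a tags-only check could compute. It pulls tags out with a regex, because html.parser lowercases tag and attribute names and would erase exactly the signal of interest, and then reports mixed-case tag and attribute names, the absence of an <html> element, and the tallest inline height it finds. The sample body and the thresholds in looks_handcrafted are constructed, not tuned on real mail.

```python
"""Look only at the HTML tags of a message body ('rawbody minus body').

Editor's sketch, not a SpamAssassin plugin. Tags are pulled out with a regex
because html.parser lowercases tag and attribute names and would erase the
mixed-case signal. SAMPLE_BODY and the thresholds in looks_handcrafted are
constructed for illustration.
"""
import re
from typing import Dict, List

TAG_RE = re.compile(r"<\s*(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")
QUOTED_RE = re.compile(r'"[^"]*"|\'[^\']*\'')            # attribute values, blanked before the name scan
ATTR_NAME_RE = re.compile(r"([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=")
HEIGHT_RE = re.compile(r"height\s*:\s*(\d+)\s*px", re.IGNORECASE)

# Constructed body with the traits discussed in the thread: no <html> element,
# hand-typed mixed-case names, and a tall near-invisible div.
SAMPLE_BODY = """<head></head><body>
<dIv style="height:500px;width:1px"><a HrEf="http://example.invalid/x?id=1">
<iMg SrC="http://example.invalid/pixel.gif" widTH="1"></a></dIv>
<p>Plain text that a body rule sees, but this check ignores.</p>
</body>"""


def is_mixed_case(name: str) -> bool:
    """'IMG' and 'img' are both normal; 'iMg' is not something a mail tool emits."""
    letters = [c for c in name if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def tag_signals(html: str, tall_px: int = 400) -> Dict[str, object]:
    """Count tag-level oddities without looking at any text content."""
    names: List[str] = []
    mixed_tags = mixed_attrs = 0
    max_height = 0
    for _slash, name, attrs in TAG_RE.findall(html):
        names.append(name.lower())
        if is_mixed_case(name):
            mixed_tags += 1                              # opening and closing tags alike
        # Blank quoted values first so an '=' inside a URL is not read as an attribute.
        for attr in ATTR_NAME_RE.findall(QUOTED_RE.sub('""', attrs)):
            if is_mixed_case(attr):
                mixed_attrs += 1
        for px in HEIGHT_RE.findall(attrs):              # inline style height, e.g. a 500px spacer
            max_height = max(max_height, int(px))
    return {
        "tag_count": len(names),
        "has_html_tag": "html" in names,
        "mixed_case_tags": mixed_tags,
        "mixed_case_attrs": mixed_attrs,
        "max_inline_height_px": max_height,
        "tall_block": max_height >= tall_px,
    }


def looks_handcrafted(html: str) -> bool:
    """Illustrative combination: several mixed-case names plus either a tall
    block or a missing <html> element. Thresholds are made up, not tuned."""
    s = tag_signals(html)
    oddities = s["mixed_case_tags"] + s["mixed_case_attrs"]
    return oddities >= 3 and (s["tall_block"] or not s["has_html_tag"])


if __name__ == "__main__":
    for key, value in tag_signals(SAMPLE_BODY).items():
        print(f"{key:22} {value}")
    print("handcrafted:", looks_handcrafted(SAMPLE_BODY))
```

A real SA rule would express the same idea as a rawbody regex or a plugin in Perl; the value of computing it separately like this is that you can run it over a corpus of ham first and see how often legitimate mailers trip the mixed-case counters before giving the signal any score.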