Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2005/11/01 03:37:54 UTC

Re: OK guys - why did this one get through.

On Monday 31 October 2005 04:22 pm, jdow wrote:
> ===8<---
> Status:  U
> Return-Path: <pa...@pattersonbunweb.com>
> Received: from smtp.earthlink.net [209.86.93.209]
>  by localhost with POP3 (fetchmail-6.2.5)
>  for jdow@morticia.wizardess.wiz (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
> Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
>  by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1ewyfT2wu3Nl3490
>  for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
>  by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
>  for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
>  by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id 02606634.9450.122.mx15.stngva01.us.mxservers.net;
>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: (from patt12@localhost)
>  by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>  (envelope-from patt12)
> Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Message-Id: <20...@pattersonbunweb.com>
> To: jdow@earthlink.net
> Subject: E-Mail ID #356042  PayPal Security Notification of Limited Account Access [28 Oct 2005 15:36:12 +0400]
> Content-Type: text/html; charset=us-ascii
> From: "service@paypaI.com" <se...@paypaI.com>
> Reply-to: "service@paypaI.com" <se...@paypaI.com>
> Content-Transfer-Encoding: 7bit
> X-Accept-Language: en-us, en
> X-Spam-Flag: YES
> X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481; spamtraq-heur=0.956(2005103001)]
> X-MAIL-FROM: <pa...@pattersonbunweb.com>
> X-SOURCE-IP: [207.56.100.245]
> X-Loop-Detect:1
> X-DistLoop-Detect:1
> X-ELNK-AV: 0
> X-NKVIR: Scanned
> ===8<---
> (The "X-MAIL-FROM:" header seems like an obvious tool. However some of
> the SARE rules probably should have triggered and didn't. These rule SARE
> sets nominally hit paypal spam:
> 70_sare_genlsubj1.cf
> 70_sare_header.cf
> 70_sare_spoof.cf    <-- this one really should have caught it.
>
> {^_^}

Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but 
could it be since it already had a flag that it was skipped by SA?

-- 
Chris
Registered Linux User 283774 http://counter.li.org
20:35:58 up 25 days, 57 min, 3 users, load average: 0.42, 2.08, 2.39
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Honi soit la vache qui rit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re: OK guys - why did this one get through.

Posted by jdow <jd...@earthlink.net>.
From: "Chris" <cp...@earthlink.net>

> On Monday 31 October 2005 04:22 pm, jdow wrote:
>> ===8<---
>> Status:  U
>> Return-Path: <pa...@pattersonbunweb.com>
>> Received: from smtp.earthlink.net [209.86.93.209]
>>  by localhost with POP3 (fetchmail-6.2.5)
>>  for jdow@morticia.wizardess.wiz (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
>> Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
>>  by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1ewyfT2wu3Nl3490
>>  for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>> Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
>>  by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
>>  for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>> Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
>>  by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id 02606634.9450.122.mx15.stngva01.us.mxservers.net;
>>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>> Received: (from patt12@localhost)
>>  by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
>>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>  (envelope-from patt12)
>> Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>> Message-Id: <20...@pattersonbunweb.com>
>> To: jdow@earthlink.net
>> Subject: E-Mail ID #356042  PayPal Security Notification of Limited Account Access [28 Oct 2005 15:36:12 +0400]
>> Content-Type: text/html; charset=us-ascii
>> From: "service@paypaI.com" <se...@paypaI.com>
>> Reply-to: "service@paypaI.com" <se...@paypaI.com>
>> Content-Transfer-Encoding: 7bit
>> X-Accept-Language: en-us, en
>> X-Spam-Flag: YES
>> X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481; spamtraq-heur=0.956(2005103001)]
>> X-MAIL-FROM: <pa...@pattersonbunweb.com>
>> X-SOURCE-IP: [207.56.100.245]
>> X-Loop-Detect:1
>> X-DistLoop-Detect:1
>> X-ELNK-AV: 0
>> X-NKVIR: Scanned
>> ===8<---
>> (The "X-MAIL-FROM:" header seems like an obvious tool. However some of
>> the SARE rules probably should have triggered and didn't. These rule SARE
>> sets nominally hit paypal spam:
>> 70_sare_genlsubj1.cf
>> 70_sare_header.cf
>> 70_sare_spoof.cf    <-- this one really should have caught it.
>>
>> {^_^}
> 
> Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but 
> could it be since it already had a flag that it was skipped by SA?

Content analysis details:   (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 JD_MY_NAME             To my ids at Earthlink.
 0.1 JD_TO_EARTHLINK        To somebody at @earthlink.net specifically
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.4 HTML_SHORT_LENGTH      BODY: HTML is extremely short
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5042]
 0.9 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 3.3 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?204.202.242.24>]
 0.3 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
 0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag

In other words it was caught by accident rather than anything else. It was
NOT caught by a paypal rule. It should have been. It's not from paypal.
It does not go near paypal mailing hosts. Yet it's not caught except by
accident of it being short html mimed image only. It should have triggered
PayPal scam rules.

Gee, I'd hoped someone would run the headers and tell me how it would
be caught as a PayPal forgery, which it quite obviously is.
{^_-}


Re: OK guys - why did this one get through.

Posted by jdow <jd...@earthlink.net>.
From: "mouss" <us...@free.fr>

> jdow wrote:
>
>> From: "mouss" <us...@free.fr>
>>
>>
>> Well, you sort of got it. But the from IS paypal.com, it claims. And
>> there is no appropriate paypal received from.
>
> no, he has a "nasty" misspelling there. it's paypaI, with an 'I'. the spammer clearly made 
> efforts to avoid the rules!
> even if this is added, spammers will still be able to use: paypall.com, paypol.com, 
> paypaal.com, paypa1.com, praypal.com, ....
>
> should the rules be fuzzy?

Not in all cases. "ebav.com" looks enough like ebay.com that anybody
who has it should expect to get blacklisted.

pa(y|v)pa(l|l|I) owners other than "paypal" should also expect problems.
None of them appear to be sensible as business names, either, and if
used may constitute trademark infringement. (Toys-R-Us is considered
an infringement on the trademark that has the R reversed, I believe.)

{^_^} 



Re: OK guys - why did this one get through.

Posted by mouss <us...@free.fr>.
jdow wrote:

> From: "mouss" <us...@free.fr>
>
>
> Well, you sort of got it. But the from IS paypal.com, it claims. And
> there is no appropriate paypal received from.

no, he has a "nasty" misspelling there. it's paypaI, with an 'I'. the 
spammer clearly made efforts to avoid the rules!
even if this is added, spammers will still be able to use: paypall.com, 
paypol.com, paypaal.com, paypa1.com, praypal.com, ....

should the rules be fuzzy?


Re: OK guys - why did this one get through.

Posted by Andy Jezierski <aj...@stepan.com>.
"Fred" <sp...@freddyt.com> wrote on 11/01/2005 09:21:28 AM:

> jdow wrote:
> > Well, you sort of got it. But the from IS paypal.com, it claims. And
> > there is no appropriate paypal received from.
> >
> 
> The Spoof rules look specifically for paypaL.com in the from line, this guy
> used paypaI (notice I, not L). I'll include this misspelling in the next
> update of the spoof set.
> 

You may also want to throw in a check for the number one (1) while you're 
at it.  Since 1 & l look an awful lot alike, it probably won't take long for 
someone to start using that as well.

Andy

Re: OK guys - why did this one get through.

Posted by Fred <sp...@freddyt.com>.
jdow wrote:
> Well, you sort of got it. But the from IS paypal.com, it claims. And
> there is no appropriate paypal received from.
>

The Spoof rules look specifically for paypaL.com in the from line, this guy
used paypaI (notice I, not L). I'll include this misspelling in the next
update of the spoof set.


Re: OK guys - why did this one get through.

Posted by jdow <jd...@earthlink.net>.
From: "mouss" <us...@free.fr>

> Chris wrote:
>
>>On Monday 31 October 2005 04:22 pm, jdow wrote:
>>
>>>===8<---
>>>Status:  U
>>>Return-Path: <pa...@pattersonbunweb.com>
>>>Received: from smtp.earthlink.net [209.86.93.209]
>>> by localhost with POP3 (fetchmail-6.2.5)
>>> for jdow@morticia.wizardess.wiz (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
>>>Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
>>> by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1ewyfT2wu3Nl3490
>>> for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>>Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
>>> by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
>>> for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>>Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
>>> by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id 02606634.9450.122.mx15.stngva01.us.mxservers.net;
>>> Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>>Received: (from patt12@localhost)
>>> by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
>>> Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>> (envelope-from patt12)
>>>Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>>Message-Id: <20...@pattersonbunweb.com>
>>>To: jdow@earthlink.net
>>>Subject: E-Mail ID #356042  PayPal Security Notification of Limited Account Access [28 Oct 2005 15:36:12 +0400]
>>>Content-Type: text/html; charset=us-ascii
>>>From: "service@paypaI.com" <se...@paypaI.com>
>>>Reply-to: "service@paypaI.com" <se...@paypaI.com>
>>>Content-Transfer-Encoding: 7bit
>>>X-Accept-Language: en-us, en
>>>X-Spam-Flag: YES
>>>X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481; spamtraq-heur=0.956(2005103001)]
>>>X-MAIL-FROM: <pa...@pattersonbunweb.com>
>>>X-SOURCE-IP: [207.56.100.245]
>>>X-Loop-Detect:1
>>>X-DistLoop-Detect:1
>>>X-ELNK-AV: 0
>>>X-NKVIR: Scanned
>>>===8<---
>>>(The "X-MAIL-FROM:" header seems like an obvious tool. However some of
>>>the SARE rules probably should have triggered and didn't. These rule SARE
>>>sets nominally hit paypal spam:
>>>70_sare_genlsubj1.cf
>>>70_sare_header.cf
>>>70_sare_spoof.cf    <-- this one really should have caught it.
>>>
>>>{^_^}
>>
>>Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but could it be 
>>since it already had a flag that it was skipped by SA?
>>
> That would make SA useless. any spammer can add that header.
>
> anyway, 70_sare_spoof.cf won't catch this From. it catches spam when the
> From is a paypal address but the Received headers don't contain a paypal
> hop.

Well, you sort of got it. But the from IS paypal.com, it claims. And
there is no appropriate paypal received from.

{^_-} 



Re: OK guys - why did this one get through.

Posted by mouss <us...@free.fr>.
Chris wrote:

>On Monday 31 October 2005 04:22 pm, jdow wrote:
>
>>===8<---
>>Status:  U
>>Return-Path: <pa...@pattersonbunweb.com>
>>Received: from smtp.earthlink.net [209.86.93.209]
>> by localhost with POP3 (fetchmail-6.2.5)
>> for jdow@morticia.wizardess.wiz (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
>>Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
>> by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1ewyfT2wu3Nl3490
>> for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
>> by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
>> for <jd...@earthlink.net>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
>> by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id 02606634.9450.122.mx15.stngva01.us.mxservers.net;
>> Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>Received: (from patt12@localhost)
>> by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
>> Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>> (envelope-from patt12)
>>Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>>Message-Id: <20...@pattersonbunweb.com>
>>To: jdow@earthlink.net
>>Subject: E-Mail ID #356042  PayPal Security Notification of Limited Account Access [28 Oct 2005 15:36:12 +0400]
>>Content-Type: text/html; charset=us-ascii
>>From: "service@paypaI.com" <se...@paypaI.com>
>>Reply-to: "service@paypaI.com" <se...@paypaI.com>
>>Content-Transfer-Encoding: 7bit
>>X-Accept-Language: en-us, en
>>X-Spam-Flag: YES
>>X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481; spamtraq-heur=0.956(2005103001)]
>>X-MAIL-FROM: <pa...@pattersonbunweb.com>
>>X-SOURCE-IP: [207.56.100.245]
>>X-Loop-Detect:1
>>X-DistLoop-Detect:1
>>X-ELNK-AV: 0
>>X-NKVIR: Scanned
>>===8<---
>>(The "X-MAIL-FROM:" header seems like an obvious tool. However some of
>>the SARE rules probably should have triggered and didn't. These rule SARE
>>sets nominally hit paypal spam:
>>70_sare_genlsubj1.cf
>>70_sare_header.cf
>>70_sare_spoof.cf    <-- this one really should have caught it.
>>
>>{^_^}
>
>Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but 
>could it be since it already had a flag that it was skipped by SA?
>
That would make SA useless. any spammer can add that header.

anyway, 70_sare_spoof.cf won't catch this From. it catches spam when the 
From is a paypal address but the Received headers don't contain a paypal 
hop.
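An added example (not SARE's or SpamAssassin's own code) that covers both what mouss describes 70_sare_spoof.cf as checking and the I-for-l and 1-for-l look-alikes Fred and Andy discuss: a small Python checker that folds confusable characters in the From: domain before comparing it with a protected-brand list and, when the domain really is the brand, requires a Received: hop from that domain. The brand list, the confusable map and the sample headers are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands worth protecting (constructed list for this example).
PROTECTED = {"paypal.com", "ebay.com"}
# Look-alikes the thread mentions (capital I and digit 1 for l) plus a few
# common siblings; applied before lower-casing so a capital I becomes l.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

def normalize(domain):
    """Fold confusables so paypaI.com, paypa1.com and PAYPAL.COM all read as paypal.com."""
    return domain.translate(CONFUSABLES).lower()

def from_domain(msg):
    """Domain part of the From: addr-spec (the display name is ignored)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2]

def has_brand_hop(msg, brand):
    """True when some Received: header names a host in the brand's domain."""
    pat = re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(brand) + r"(?![\w-])", re.I)
    return any(pat.search(h) for h in msg.get_all("Received", []))

def check_spoof(raw):
    """Return (verdict, reason): SPOOF when the From: domain is a look-alike of a
    protected brand, or is the brand itself with no Received: hop from it."""
    msg = message_from_string(raw)
    dom = from_domain(msg)
    if not dom:
        return "PASS", "no From: address"
    canon = normalize(dom)
    if canon not in PROTECTED:
        return "PASS", f"{dom} is not a protected brand"
    if dom.lower() != canon:
        return "SPOOF", f"look-alike domain {dom} (reads as {canon})"
    if not has_brand_hop(msg, canon):
        return "SPOOF", f"From: claims {dom} but no Received: hop comes from it"
    return "PASS", f"{dom} with a matching Received: hop"

# Constructed sample modelled on the headers posted in the thread.
SAMPLE = """Received: from www.pattersonbunweb.com [207.56.100.245]
 by mx15.stngva01.us.mxservers.net with ESMTP; Mon, 31 Oct 2005 06:55:12 -0500
From: "service@paypaI.com" <service@paypaI.com>
Subject: PayPal Security Notification of Limited Account Access
"""

if __name__ == "__main__":
    print(check_spoof(SAMPLE))
```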