Posted to users@spamassassin.apache.org by Michael Hutchinson <mh...@manux.co.nz> on 2009/01/04 21:51:55 UTC

TO: and FROM: line are the same.

Hello,

There was some discussion on this list a while back about catching Spam
that contains the same E-Mail address in the TO and FROM lines. I think
it was decided that this could not be done, for some reason. I just read
a post on the SARE mailing list from Tom Brown containing some rules
that might help people that want to catch these types of Spam, or at
least write their own rules for their Site(s). They lint OK, and appear
to work for me.

The original post is as follows (Happy New Year!):

Subject: [Sare-users] forged bounces...

these rules might be useful. I woke up to a slew of these in my
inbox...

my thinking in the score of 1 for TOM_TO_EQ_FR is that legit messages of
this form should look VERY legit and be unlikely to score high...

header   __TOM_TO_EQ_FRa ALL =~ m/^From:\s+?<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1/m

header   __TOM_TO_EQ_FRb ALL =~ m/^To:\s+?<?(.+@.+)>?(\s|$)[^\0]*^From:.*\1/m

meta     TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb

score    TOM_TO_EQ_FR 1

describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery

header   __TOM_BOUNCE Subject =~ /(This mail is refused message|\*\*Message you sent blocked by our bulk email filter\*\*|Your message could not be delivered|Non delivery report: 5.9.4 \(Spam SLS\/RBL\)|Please confirm your message|Returned mail: Quota exceeded)/

meta     TOM_BAD_BOUNCE __TOM_BOUNCE && TOM_TO_EQ_FR

describe TOM_BAD_BOUNCE looks like a forged bounce (known sub and to==from)

score    TOM_BAD_BOUNCE 2.5
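Added example, not from the original post or the SARE thread: the same two checks (To == From, plus a bounce-looking Subject) written as a header-parsing Python script over constructed sample messages, so the scoring can be tried offline. Function names and the sample messages are my own; it also shows the "could be a cc" case the describe line warns about, which scores 1 but not 3.5.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Subject: alternatives from the __TOM_BOUNCE rule, in Python syntax.
BOUNCE_SUBJECT = re.compile(
    r"(This mail is refused message"
    r"|\*\*Message you sent blocked by our bulk email filter\*\*"
    r"|Your message could not be delivered"
    r"|Non delivery report: 5.9.4 \(Spam SLS/RBL\)"
    r"|Please confirm your message"
    r"|Returned mail: Quota exceeded)")

def addresses(msg, field):
    """Lower-cased addr-spec of every mailbox in the named header(s)."""
    return {a.lower() for _, a in getaddresses(msg.get_all(field, [])) if a}

def to_eq_from(msg):
    """TOM_TO_EQ_FR: some From: address also appears in To:. Comparing
    parsed addr-specs is stricter than the regex's captured group (which
    can include a display name) and only looks at the two headers."""
    return bool(addresses(msg, "From") & addresses(msg, "To"))

def bad_bounce(msg):
    """TOM_BAD_BOUNCE: bounce-like Subject: and To: == From:."""
    return bool(BOUNCE_SUBJECT.search(msg.get("Subject", ""))) and to_eq_from(msg)

def score(raw):
    """Points the two rules would add for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    total = 0.0
    if to_eq_from(msg):
        total += 1.0   # score TOM_TO_EQ_FR 1
    if bad_bounce(msg):
        total += 2.5   # score TOM_BAD_BOUNCE 2.5
    return total

# Constructed sample messages, not real mail.
FORGED_BOUNCE = ("From: user@example.com\r\nTo: <user@example.com>\r\n"
                 "Subject: Returned mail: Quota exceeded\r\n\r\nbody\r\n")
SELF_CC = ("From: Alice <alice@example.com>\r\n"           # a legit self-cc
           "To: bob@example.com, alice@example.com\r\n"    # scores only 1
           "Subject: Minutes from today\r\n\r\nbody\r\n")
UNRELATED = ("From: a@example.com\r\nTo: b@example.com\r\n"
             "Subject: Returned mail: Quota exceeded\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, raw in [("forged bounce", FORGED_BOUNCE),
                      ("self cc", SELF_CC), ("unrelated", UNRELATED)]:
        print(f"{name}: {score(raw)}")
```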

Re: TO: and FROM: line are the same.

Posted by Benny Pedersen <me...@junc.org>.
On Mon, January 5, 2009 03:45, mouss wrote:
> I think it is wrong to focus on sender=rcpt.
> "they" chose the sender...

and I need to test from outside how good my whitelist_from works or
even test that if my spf record is not strict to reject mail from
0.0.0.0/0 :))

the postfwd rule does test domains also that have no spf

see archives on it

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: TO: and FROM: line are the same.

Posted by mouss <mo...@ml.netoyen.net>.
Michael Hutchinson wrote:
> Hello,
> 
>  
> 
> There was some discussion on this list a while back about catching Spam
> that contains the same E-Mail address in the TO and FROM lines. I think
> it was decided that this could not be done, for some reason. I just read
> a post on the SARE mailing list from Tom Brown containing some rules
> that might help people that want to catch these types of Spam, or at
> least write their own rules for their Site(s). They lint OK, and appear
> to work for me.
> 
>  

it's as usual: if you have spam missed by SA, post samples somewhere.

I have posted a trivialware plugin that checks that. but to tell you the
truth, I'm not using it. I think it is wrong to focus on sender=rcpt.
"they" chose the sender...

RE: TO: and FROM: line are the same.

Posted by Michael Hutchinson <mh...@manux.co.nz>.

I was just supplying info I found that related to an earlier discussion,
that might be useful to some rule writers out there. I found it
interesting that someone had discovered how to match TO and FROM in S.A.
But yes, MTA level would be better. Sorry if I missed any archives that
detailed successful SA To and From matching - Mike out.



> -----Original Message-----
> From: Sahil Tandon [mailto:sahil@tandon.net]
> Sent: 5 January 2009 12:43 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: TO: and FROM: line are the same.
> 
> Matt Kettler wrote:
> 
> > > There was some discussion on this list a while back about catching
> > > Spam that contains the same E-Mail address in the TO and FROM lines. I
> > > think it was decided that this could not be done, for some reason.
> > >
> > I don't know that anyone said it couldn't be done. It is however rather
> > expensive. That long multi-header regex could take a very long time to
> > run because it may have to scan the entire header block if one of the
> > From/To headers is missing.
> >
> > Besides, Most "to and from are same" problems really boil down to
> > "unauthorized host forging my domain as the sender and delivering mail
> > to my server". There are many ways to deal with this problem already if
> > it also occurs in the envelope FROM. SPF for example.
> 
> Another option would be to simply block such emails (those with ENVELOPE
> FROM == TO) at the MTA, before passing mail to SpamAssassin.  The OP
> should read the archives for discussion about the pros and cons.
> 
> --
> Sahil Tandon <sa...@tandon.net>

Re: TO: and FROM: line are the same.

Posted by Sahil Tandon <sa...@tandon.net>.
Matt Kettler wrote:

> > There was some discussion on this list a while back about catching
> > Spam that contains the same E-Mail address in the TO and FROM lines. I
> > think it was decided that this could not be done, for some reason.
> >
> I don't know that anyone said it couldn't be done. It is however rather
> expensive. That long multi-header regex could take a very long time to
> run because it may have to scan the entire header block if one of the
> From/To headers is missing.
> 
> Besides, Most "to and from are same" problems really boil down to
> "unauthorized host forging my domain as the sender and delivering mail
> to my server". There are many ways to deal with this problem already if
> it also occurs in the envelope FROM. SPF for example.

Another option would be to simply block such emails (those with ENVELOPE
FROM == TO) at the MTA, before passing mail to SpamAssassin.  The OP
should read the archives for discussion about the pros and cons.

-- 
Sahil Tandon <sa...@tandon.net>

Re: TO: and FROM: line are the same.

Posted by Theo Van Dinter <fe...@apache.org>.
On Sun, Jan 04, 2009 at 05:28:45PM -0500, Matt Kettler wrote:
> I don't know that anyone said it couldn't be done. It is however rather
> expensive. That long multi-header regex could take a very long time to
> run because it may have to scan the entire header block if one of the
> From/To headers is missing.

fwiw, in 3.1 there was a rule to look for this stuff (FROM_AND_TO_SAME) using
an eval rule (would now be a plugin), which is much more efficient for this
type of thing than a RE rule.

I don't recall the details, but since it's not in 3.2, I would say that the
rule was found not to provide useful results and was removed.  The 3.1
STATISTICS files say:

STATISTICS-set0.txt:  0.009   0.0113   0.0019    0.857   0.30    0.00 FROM_AND_TO_SAME
STATISTICS-set1.txt:  0.008   0.0105   0.0019    0.848   0.30    0.00 FROM_AND_TO_SAME
STATISTICS-set2.txt:  0.008   0.0105   0.0019    0.848   0.30    0.00 FROM_AND_TO_SAME
STATISTICS-set3.txt:  0.010   0.0129   0.0019    0.873   0.30    0.00 FROM_AND_TO_SAME

So that's pretty horrible.  The situation may be different now, but someone
would have to do a test run to see what the results are given newer mails.

-- 
Randomly Selected Tagline:
"No prisoner's dilemma here.  Over the long term, symbiosis is more
 useful than parasitism.  More fun, too.  Ask any mitochondria." - Larry Wall

Re: TO: and FROM: line are the same.

Posted by Matt Kettler <mk...@verizon.net>.
Michael Hutchinson wrote:
>
> Hello,
>
>  
>
> There was some discussion on this list a while back about catching
> Spam that contains the same E-Mail address in the TO and FROM lines. I
> think it was decided that this could not be done, for some reason.
>
I don't know that anyone said it couldn't be done. It is however rather
expensive. That long multi-header regex could take a very long time to
run because it may have to scan the entire header block if one of the
From/To headers is missing.

Besides, Most "to and from are same" problems really boil down to
"unauthorized host forging my domain as the sender and delivering mail
to my server". There are many ways to deal with this problem already if
it also occurs in the envelope FROM. SPF for example.