Posted to users@spamassassin.apache.org by George Johnson <ge...@talaya.net> on 2014/09/04 20:02:27 UTC

Re: new kind of spam with bizarre custom headers getting through

I'm getting another slew of these this morning, all with a variety of strange
headers added apparently to foil spam filtering. All are getting through my
spamassassin set up, which is usually nearly bulletproof. Typical headers
are:

        Imbrue-Gaol:   17169949.17169949
        Manila-Cairn:  12616748.12616748
        Atonic-Alate:  78c35d32dc879cf5ccd83e99e6458854
        Fungus-Onus:   1716994978c35d32dc879cf5ccd83e99e6458854
        Ernest-Phlox:  953-17169949

 I have Bayes, Uribl-black, Spamcop, Pyzor, Razor, etc., enabled. Here is
one of the headers with my addresses redacted:

        From:          Shane Murphy <sh...@backgroundchecktruth.club>
        Subject:       Re: Your background may have been searched by your employer.
        Date:          September 4, 2014 11:13:35 AM MDT
        To:            George Johnson <>
        Return-Path:   <sh...@backgroundchecktruth.club>
        X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sanacacio.net
        X-Spam-Level:  **
        X-Spam-Status: No, score=2.2 required=4.3 tests=BAYES_20,
            RCVD_IN_BRBL_LASTEXT,RDNS_NONE,SPF_HELO_PASS,SPF_PASS autolearn=no
            version=3.3.1
        X-Spam-Asn:    AS6939 64.187.96.0/19
        X-Original-To:
        Delivered-To:
        Received:      from backgroundchecktruth.club (unknown [64.187.117.226]) by
            sanacacio.net (Postfix) with ESMTP id 2F3EE62E5CB0 for
            <ge...@talaya.net>; Thu,  4 Sep 2014 11:15:21 -0600 (MDT)
        Imbrue-Gaol:   17169949.17169949
        Manila-Cairn:  12616748.12616748
        Mime-Version:  1.0
        Atonic-Alate:  78c35d32dc879cf5ccd83e99e6458854
        Fungus-Onus:   1716994978c35d32dc879cf5ccd83e99e6458854
        Ernest-Phlox:  953-17169949
        Message-Id:    <0....@backgroundchecktruth.club>
        Content-Type:  text/plain


Is anyone else seeing these get through? Any advice would be appreciated.


George Johnson wrote
> This morning a flood of spam started getting through my SpamAssassin
> filter. What the emails all have in common are bizarre headers like these: 
> 
>         Brazil-Ichth: 8337271
>         Mime-Version: 1.0
>         Bayley-Smith: 5083158-78c35d32dc879cf5ccd83e99e6458854
>         Content-Type: text/plain
>         Donica-Mis: 5083158.8337271
>         Message-Id: <0....@lowhomewarrantychoice.club>
>         Piolet-Seral: 5083158.10
>         Roarer-Royce: 8337271
> 
> and these: 
> 
>         Inkless-Retro: 3118962
>         Content-Type: text/plain
>         Featly-Unbd: 78c35d32dc879cf5ccd83e99e64588543118962
>         Expose-Taft: 3118962.1584541
>         Epistle-Main: 3118962.78c35d32dc879cf5ccd83e99e6458854
>         Caroled-Jhvh: 78c35d32dc879cf5ccd83e99e6458854
>         Alibi-Fete: 15845411584541
> 
> This seems to be flummoxing SpamAssassin, or at least my setup.





--
View this message in context: http://spamassassin.1065346.n5.nabble.com/new-kind-of-spam-with-bizarre-custom-headers-getting-through-tp111494p111533.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: new kind of spam with bizarre custom headers getting through

Posted by George Johnson <ge...@talaya.net>.
David F. Skoll wrote
> On Thu, 4 Sep 2014 11:02:27 -0700 (PDT)
> George Johnson <ge...@talaya.net> wrote:
> 
>> I'm getting another slew of these this morning, all with a variety of
>> strange headers added apparently to foil spam filtering. All are
>> getting through my spamassassin set up, which is usually nearly
>> bulletproof. Typical headers are:
> 
>>         Imbrue-Gaol:   17169949.17169949
>>         Manila-Cairn:  12616748.12616748
>>         Atonic-Alate:  78c35d32dc879cf5ccd83e99e6458854
>>         Fungus-Onus:   1716994978c35d32dc879cf5ccd83e99e6458854
>>         Ernest-Phlox:  953-17169949
> 
> Yeah, we see tons and tons of them - about 1500 so far today with the
> subject "Re: Your background may have been searched by your employer."
> On our cluster, Bayes is catching them handily.  About the only
> SpamAssassin rule that fires is RDNS_NONE, and most of them are
> passing SPF.
> 
> Ours all come from "shane.icmalerts@backgroundchecktruth.club".  Are
> yours coming from a limited set of senders?  Blacklisting those
> senders or domains might do the trick...
> 
> Regards,
> 
> David.

Thanks very much. I'm getting those and similar ones from more than a dozen
senders. One thing they all have in common is the same long alphanumerical
string, beginning with "78c35d32dc", in one of the weird header fields. For
now I'm going to catch those either with a local header rule or a procmail
filter.  




--
View this message in context: http://spamassassin.1065346.n5.nabble.com/new-kind-of-spam-with-bizarre-custom-headers-getting-through-tp111494p111538.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
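The "local header rule" George mentions, worked through as an added example (not code from the thread, and not SpamAssassin's own rules): two checks, one keyed on the hex token that appears in every sample posted here, one on the general shape of the junk headers, written in plain Python so they can be run against saved samples before the equivalent regex goes into local.cf. Both messages in the block are constructed from the headers quoted in the thread; the recipient address, Message-Id, body text and the example HAM message are made up.

```python
"""Local checks for the rotating 'Word-Word' junk headers discussed above.

Added example, not code from the original posts or from SpamAssassin.
The SPAM sample below reuses the junk headers quoted in the thread and
the sender David reports; the recipient, Message-Id and bodies are made up.
"""
import re
from email import message_from_string

# The 32-character string George noticed in one header of every sample.
SHARED_TOKEN = "78c35d32dc879cf5ccd83e99e6458854"

# Shape of the junk headers: a Capitalised-Capitalised name whose value is
# nothing but digits, hex and the occasional dot or dash.
JUNK_NAME_RE = re.compile(r"^[A-Z][a-z]+-[A-Z][a-z]+$")
JUNK_VALUE_RE = re.compile(r"^[0-9a-f][0-9a-f.\-]*$")

# Real headers that also fit the Word-Word shape. "Mime-Version: 1.0"
# would otherwise count as a hit, which is the main false-positive risk.
KNOWN_NAMES = {
    "mime-version", "content-type", "content-length", "content-id",
    "content-disposition", "content-transfer-encoding", "message-id",
    "return-path", "reply-to", "delivered-to", "list-id", "list-post",
    "list-help", "list-unsubscribe", "auto-submitted",
}

# How many junk-shaped headers before the general rule fires (assumption).
JUNK_THRESHOLD = 3


def junk_headers(raw):
    """Return [(name, value)] for headers that fit the junk shape."""
    msg = message_from_string(raw)
    hits = []
    for name, value in msg.items():
        if name.lower() in KNOWN_NAMES:
            continue
        value = value.strip()
        if JUNK_NAME_RE.match(name) and JUNK_VALUE_RE.match(value):
            hits.append((name, value))
    return hits


def has_shared_token(raw):
    """True if any header value carries the token seen in every sample."""
    msg = message_from_string(raw)
    return any(SHARED_TOKEN in value for _, value in msg.items())


def classify(raw):
    """Names of the local rules that would fire on this message."""
    fired = []
    if has_shared_token(raw):
        fired.append("LOCAL_SHARED_HEX_TOKEN")
    if len(junk_headers(raw)) >= JUNK_THRESHOLD:
        fired.append("LOCAL_JUNK_WORD_HEADERS")
    return fired


# Constructed sample built from the headers quoted in the thread.
SPAM = """\
From: Shane Murphy <shane.icmalerts@backgroundchecktruth.club>
Subject: Re: Your background may have been searched by your employer.
To: George Johnson <george@example.invalid>
Imbrue-Gaol: 17169949.17169949
Manila-Cairn: 12616748.12616748
Mime-Version: 1.0
Atonic-Alate: 78c35d32dc879cf5ccd83e99e6458854
Fungus-Onus: 1716994978c35d32dc879cf5ccd83e99e6458854
Ernest-Phlox: 953-17169949
Message-Id: <0.0.0.example@backgroundchecktruth.club>
Content-Type: text/plain

Your background may have been searched.
"""

# Constructed ordinary message carrying the Word-Word headers a MUA adds.
HAM = """\
From: Alice <alice@example.invalid>
To: Bob <bob@example.invalid>
Subject: Re: lunch
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Message-Id: <20140904120000.1@example.invalid>
In-Reply-To: <20140903170000.7@example.invalid>

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        print(label, classify(raw), junk_headers(raw))
```

The token check is the one that maps directly onto a SpamAssassin header rule: a line such as `header LOCAL_SHARED_HEX_TOKEN ALL =~ /78c35d32dc879cf5ccd83e99e6458854/` with a matching `score` line in local.cf (my rendering, not a rule from the thread) does the same thing against the full header block. It will stop working the day the spammer rotates the token, which is why the shape check is there too; the caveat with the shape check is that legitimate headers like Mime-Version: 1.0 fit it, so the exclusion list and the threshold matter more than the regex.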

Re: new kind of spam with bizarre custom headers getting through

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Thu, 4 Sep 2014 11:02:27 -0700 (PDT)
George Johnson <ge...@talaya.net> wrote:

> I'm getting another slew of these this morning, all with a variety of
> strange headers added apparently to foil spam filtering. All are
> getting through my spamassassin set up, which is usually nearly
> bulletproof. Typical headers are:

>         Imbrue-Gaol: 	17169949.17169949
> 	Manila-Cairn: 	12616748.12616748
> 	Atonic-Alate: 	78c35d32dc879cf5ccd83e99e6458854
> 	Fungus-Onus: 	1716994978c35d32dc879cf5ccd83e99e6458854
> 	Ernest-Phlox: 	953-17169949

Yeah, we see tons and tons of them - about 1500 so far today with the
subject "Re: Your background may have been searched by your employer."
On our cluster, Bayes is catching them handily.  About the only SpamAssassin
rule that fires is RDNS_NONE, and most of them are passing SPF.

Ours all come from "shane.icmalerts@backgroundchecktruth.club".  Are
yours coming from a limited set of senders?  Blacklisting those
senders or domains might do the trick...

Regards,

David.

Re: new kind of spam with bizarre custom headers getting through

Posted by John Hardin <jh...@impsec.org>.
On Thu, 4 Sep 2014, George Johnson wrote:

> I'm getting another slew of these this morning, all with a variety of strange
> headers added apparently to foil spam filtering. All are getting through my
> spamassassin set up, which is usually nearly bulletproof. Typical headers
> are:
>
>        Imbrue-Gaol: 	17169949.17169949
> 	Manila-Cairn: 	12616748.12616748
> 	Atonic-Alate: 	78c35d32dc879cf5ccd83e99e6458854
> 	Fungus-Onus: 	1716994978c35d32dc879cf5ccd83e99e6458854
> 	Ernest-Phlox: 	953-17169949

Rule added to sandbox. Thanks.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If you ask amateurs to act as front-line security personnel,
   you shouldn't be surprised when you get amateur security.
                                                     -- Bruce Schneier
-----------------------------------------------------------------------
  12 days until the 227th anniversary of the signing of the U.S. Constitution

Re: new kind of spam with bizarre custom headers getting through

Posted by George Johnson <ge...@talaya.net>.
sm-7 wrote
> Hi George,
> At 11:02 04-09-2014, George Johnson wrote:
>> I'm getting another slew of these this morning, all with a variety of strange
>> headers added apparently to foil spam filtering. All are getting through my
>> spamassassin set up, which is usually nearly bulletproof. Typical headers
>> are:
>>
>>         Imbrue-Gaol:    17169949.17169949
>>         Manila-Cairn:   12616748.12616748
>>         Atonic-Alate:   78c35d32dc879cf5ccd83e99e6458854
>>         Fungus-Onus:    1716994978c35d32dc879cf5ccd83e99e6458854
>>         Ernest-Phlox:   953-17169949
>>
>>  I have Bayes, Uribl-black, Spamcop, Pyzor, Razor, etc., enabled. Here is
>> one of the headers with my addresses redacted:
> 
> The odd headers change on each run.  You should be able to catch them 
> with Bayes.
> 
> Regards,
> -sm

Thanks. So far the ever-changing headers have been eluding Bayes. But I
added some rbls to Postfix and that has stanched the flow.




--
View this message in context: http://spamassassin.1065346.n5.nabble.com/new-kind-of-spam-with-bizarre-custom-headers-getting-through-tp111494p111585.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: new kind of spam with bizarre custom headers getting through

Posted by John Hardin <jh...@impsec.org>.
On Fri, 5 Sep 2014, SM wrote:

> At 11:02 04-09-2014, George Johnson wrote:
>> I'm getting another slew of these this morning, all with a variety of 
>> strange
>> headers added apparently to foil spam filtering. All are getting through my
>> spamassassin set up, which is usually nearly bulletproof. Typical headers
>> are:
>>
>>          Imbrue-Gaol:    17169949.17169949
>>          Manila-Cairn:   12616748.12616748
>>          Atonic-Alate:   78c35d32dc879cf5ccd83e99e6458854
>>          Fungus-Onus:    1716994978c35d32dc879cf5ccd83e99e6458854
>>          Ernest-Phlox:   953-17169949
>>
>>   I have Bayes, Uribl-black, Spamcop, Pyzor, Razor, etc., enabled. Here is
>> one of the headers with my addresses redacted:
>
> The odd headers change on each run.  You should be able to catch them with 
> Bayes.

Would someone send me some spamples offlist? Headers only are OK.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance doesn't make stuff not exist.               -- Bucky Katt
-----------------------------------------------------------------------
  12 days until the 227th anniversary of the signing of the U.S. Constitution

Re: new kind of spam with bizarre custom headers getting through

Posted by SM <sm...@resistor.net>.
Hi George,
At 11:02 04-09-2014, George Johnson wrote:
>I'm getting another slew of these this morning, all with a variety of strange
>headers added apparently to foil spam filtering. All are getting through my
>spamassassin set up, which is usually nearly bulletproof. Typical headers
>are:
>
>         Imbrue-Gaol:    17169949.17169949
>         Manila-Cairn:   12616748.12616748
>         Atonic-Alate:   78c35d32dc879cf5ccd83e99e6458854
>         Fungus-Onus:    1716994978c35d32dc879cf5ccd83e99e6458854
>         Ernest-Phlox:   953-17169949
>
>  I have Bayes, Uribl-black, Spamcop, Pyzor, Razor, etc., enabled. Here is
>one of the headers with my addresses redacted:

The odd headers change on each run.  You should be able to catch them 
with Bayes.

Regards,
-sm