Posted to users@spamassassin.apache.org by Olivier Coutu <ol...@zerospam.ca> on 2015/08/20 20:42:30 UTC
Hitting an address in the From:name
I got a spearphishing e-mail the other day that had a From with the
following form:
From: "Mister President <pr...@company.com>"
<ph...@freemailer.com>
I attempted to craft a SA rule to catch the "@" in the From:name but I
was unable to catch anything after the "<"
ex:
From:name =~ /Mister President/ hits
From:name =~ /Mister President \</ does not hit
From:name =~ /\@/ does not hit
From:name =~ /company/ does not hit
From =~ /\@.*\@/ hits but is inefficient
I believe that SA may be removing the <pr...@company.com> part from
the From:name, am I correct? Is there any efficient way to detect such
an occurrence of an "@" in the From:name?
Using SA version 3.4.1 on Ubuntu with debug
Re: Hitting an address in the From:name
Posted by Henrik K <he...@hege.li>.
On Thu, Aug 20, 2015 at 02:49:33PM -0400, Joe Quinn wrote:
> Good catch! If you are using a new enough perl you might try the
> following which should have zero backtracking (the + modifier on
> quantifiers works like a cut in prolog):
>
> From =~ /\@[^@]*+\@/
Talking about an overengineered solution lol. :-D Why not simply use the
ancient non-greedy \@.*?\@ that everyone knows.
Re: Hitting an address in the From:name
Posted by Reindl Harald <h....@thelounge.net>.
Am 21.08.2015 um 06:32 schrieb Bill Cole:
> On 20 Aug 2015, at 14:49, Joe Quinn wrote:
>
>> That said, header fields are likely never going to be long enough for
>> what you currently have to be a performance concern.
>>
>> (I was about to say it was impossible, but then I saw there is no
>> length limit on headers:
>> http://stackoverflow.com/questions/2721605/maximum-size-of-email-x-headers)
>>
>
> On the other hand, there's no discernible downside to putting generous
> hard limits outside of (and ahead of) SA for standard headers. No matter
> what the RFCs say, sending mail with 600-byte From or Subject headers is
> not something people who are worth communicating with do intentionally
> and it can be very cheap to reject such junk before SA sees it
correct, but your numbers are too low; you forget encoding: in the
subject there may repeatedly occur encoding definitions for single words
postfix "header_checks" below
[root@mail-gw:~]$ cat maillog | grep "Too Long" | wc -l
27
# Restrict Headers
/^Cc:.{20000}/ REJECT Administrative Prohibition (Cc-Header Too Long)
/^Content\-Type:.{2048}/ REJECT Administrative Prohibition (Content-Type-Header Too Long)
/^Date:.{2048}/ REJECT Administrative Prohibition (Date-Header Too Long)
/^From:.{2048}/ REJECT Administrative Prohibition (From-Header Too Long)
/^Importance:.{2048}/ REJECT Administrative Prohibition (Importance-Header Too Long)
/^In\-Reply\-To:.{2048}/ REJECT Administrative Prohibition (In-Reply-To-Header Too Long)
/^Message\-ID:.{2048}/ REJECT Administrative Prohibition (Message-ID-Header Too Long)
/^Mime\-Version:.{2048}/ REJECT Administrative Prohibition (Mime-Version-Header Too Long)
/^Newsgroups:.{2048}/ REJECT Administrative Prohibition (Newsgroups-Header Too Long)
/^Priority:.{2048}/ REJECT Administrative Prohibition (Priority-Header Too Long)
/^Received:.{2048}/ REJECT Administrative Prohibition (Received-Header Too Long)
/^References:.{50000}/ REJECT Administrative Prohibition (References-Header Too Long)
/^Reply\-To:.{2048}/ REJECT Administrative Prohibition (Reply-To-Header Too Long)
/^Sender:.{2048}/ REJECT Administrative Prohibition (Sender-Header Too Long)
/^Status:.{2048}/ REJECT Administrative Prohibition (Status-Header Too Long)
/^Subject:.{1024}/ REJECT Administrative Prohibition (Subject-Header Too Long)
/^Thread\-Index:.{2048}/ REJECT Administrative Prohibition (Thread-Index-Header Too Long)
/^Thread\-Topic:.{2048}/ REJECT Administrative Prohibition (Thread-Topic-Header Too Long)
/^To:.{30000}/ REJECT Administrative Prohibition (To-Header Too Long)
/^User\-Agent:.{2048}/ REJECT Administrative Prohibition (User-Agent-Header Too Long)
/^X\-Msmail\-Priority:.{2048}/ REJECT Administrative Prohibition (X-Msmail-Priority-Header Too Long)
/^X\-Msoesrec:.{2048}/ REJECT Administrative Prohibition (X-Msoesrec-Header Too Long)
/^X\-Priority:.{2048}/ REJECT Administrative Prohibition (X-Priority-Header Too Long)
/^X\-Ref:.{2048}/ REJECT Administrative Prohibition (X-Ref-Header Too Long)
Re: Hitting an address in the From:name
Posted by RW <rw...@googlemail.com>.
On Sat, 22 Aug 2015 12:05:47 +0200
Reindl Harald wrote:
>
> Am 21.08.2015 um 17:38 schrieb RW:
> > On Fri, 21 Aug 2015 14:28:13 +0200
> > The whole point of it is that someone receiving one of these
> > emails can hit reply-to-all, and it behaves like a mailing list.
> > I've seen this kind of informal mailing list in corporate mail too.
>
> "informal mailing list" - WTF - a simple alias on the MTA with all
> that RCPT's as destination and you even don't need reply-all
In large organizations it's usually more trouble than it's worth to
get that kind of thing set-up. And it involves talking to some BOFH.
> well, I have seen such crap too until I wrote everybody doing this a
> personal mail that if he ever presses "reply-all" again or starts
> such a mail I will go and drink his blood........
Re: Hitting an address in the From:name
Posted by Reindl Harald <h....@thelounge.net>.
Am 21.08.2015 um 17:38 schrieb RW:
> On Fri, 21 Aug 2015 14:28:13 +0200
> Reindl Harald wrote:
>
>>
>> Am 21.08.2015 um 14:14 schrieb Martin Gregorie:
>
>>> I regularly get sent competition results sheets that your suggestion
>>> would reject. A recent results sheet I received has 62 recipients
>>> occupying 2336 characters. This is neither spam nor an unwanted
>>> e-mail
>>
>> it *is* unwanted mail
>>
>> everybody who lists 62 or more recipients in the To-header should
>> refrain from operating a mail client and get from every RCPT a personal
>> mail back calling him names and pointing to the BCC option
>
> The whole point of it is that someone receiving one of these
> emails can hit reply-to-all, and it behaves like a mailing list. I've
> seen this kind of informal mailing list in corporate mail too.
"informal mailing list" - WTF - a simple alias on the MTA with all that
RCPT's as destination and you even don't need reply-all
well, I have seen such crap too until I wrote everybody doing this a
personal mail that if he ever presses "reply-all" again or starts such
a mail I will go and drink his blood........
Re: Hitting an address in the From:name
Posted by RW <rw...@googlemail.com>.
On Fri, 21 Aug 2015 14:28:13 +0200
Reindl Harald wrote:
>
> Am 21.08.2015 um 14:14 schrieb Martin Gregorie:
> > I regularly get sent competition results sheets that your suggestion
> > would reject. A recent results sheet I received has 62 recipients
> > occupying 2336 characters. This is neither spam nor an unwanted
> > e-mail
>
> it *is* unwanted mail
>
> everybody who lists 62 or more recipients in the To-header should
> refrain from operating a mail client and get from every RCPT a personal
> mail back calling him names and pointing to the BCC option
The whole point of it is that someone receiving one of these
emails can hit reply-to-all, and it behaves like a mailing list. I've
seen this kind of informal mailing list in corporate mail too.
Re: Hitting an address in the From:name
Posted by Reindl Harald <h....@thelounge.net>.
Am 21.08.2015 um 14:14 schrieb Martin Gregorie:
> It's quite common to find large recipient lists in newsletters sent by
> committee members in hobby or sports clubs. These clubs generally don't
> have the time or expertise to maintain a listserv. The roles of
> secretary and/or newsletter editor tend to change from year to year
> and, since they'll be sending club newsletters etc. from their own PC,
> it's unreasonable to expect them all to use, or even know about, e-mail
> features such as BCC lists.
>
> I regularly get sent competition results sheets that your suggestion
> would reject. A recent results sheet I received has 62 recipients
> occupying 2336 characters. This is neither spam nor an unwanted e-mail
it *is* unwanted mail
everybody who lists 62 or more recipients in the To-header should
refrain from operating a mail client and get from every RCPT a personal
mail back calling him names and pointing to the BCC option
these dumbasses are feeding spam databases because every infected
destination of such mail has 61 new verified addresses
Re: Hitting an address in the From:name
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 21 Aug 2015, at 11:08, Martin Gregorie wrote:
> On Fri, 2015-08-21 at 10:47 -0400, Bill Cole wrote:
>
>> Your response is a non sequitur.
>>
> Why do you say that? You suggested using what look to be hard limits
> on the header's size, though admittedly large ones, which puts my
> comments entirely on topic. You might not agree, but that's another
> matter entirely.
On 21 Aug 2015, at 0:32, Bill Cole wrote:
> No matter what the RFCs say, sending mail with 600-byte From or
> Subject headers is not something people who are worth communicating
> with do intentionally and it can be very cheap to reject such junk
> before SA sees it.
That sentence says NOTHING about applying a 600-byte limit to any header
that can validly contain a list of recipients.
On 21 Aug 2015, at 8:14, Martin Gregorie wrote:
> At most this deserves the possibility of writing rules that fire on
> the number of recipients of an e-mail. Any default rule, especially
> with a limit as low as 600 characters will do more harm than good.
> For instance, "Martin Gregorie <ma...@gregorie.org>," is 39 characters
> and is not unusually long for a mail address. Judging by this, your
> criterion would treat any list with more than about 15 recipients as
> over-long and well out of order.
That paragraph refers specifically to headers that may be lists of
recipients.
My assertion that a 600-byte limit on From and Subject headers can be
"very cheap" is based on not just the compute cost of identifying such
headers, but also on the *zero* known false positive cost I've
encountered from imposing that limit (or in some cases 510 on header
content) on those headers on diverse mail systems handling hundreds to
millions of SMTP transactions per day over ~20 years. On many of those
systems I have also used a 200-byte limit on Date contents (which is
awfully generous for a header that should always have <50 characters)
with very few hits and no known false positives. I have seen cases where
the very long From or Subject is the result of a broken mail tool or an
innocent unintentional user error but those aren't really false
positives; rather they are cases of broken messages being identified and
stopped further from their sources than they should have been. Mostly,
overlong From & Subject headers seem to be the result of spam via
insecure web forms, proxies, etc. that inhibit spammers from injecting
linebreaks controllably, as the sources usually appear in DNSBL's that
catch such sources rather swiftly after they are first seen.
Re: Hitting an address in the From:name
Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2015-08-21 at 10:47 -0400, Bill Cole wrote:
> Your response is a non sequitur.
>
Why do you say that? You suggested using what look to be hard limits on
the header's size, though admittedly large ones, which puts my comments
entirely on topic. You might not agree, but that's another matter
entirely.
I was pointing out that, for people who care about the size of
recipient lists, it would be more useful for SA to count the names in
recipient headers and make this count available to rules and/or to
limit it with a defaulted parameter than to do anything with the list
size as measured in characters: it's far more meaningful to be able to
say 'no more than 3 recipients' than it is to say 'recipient list not
to exceed 150 characters'.
Martin
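Reindl's header_checks table, Bill's From/Subject/Date limits and Martin's recipient-count suggestion above, exercised together as an added Python example; this is not Postfix, SpamAssassin or any poster's code. The limits table, the message, the per-word RFC 2047 encoder and the function names are all constructed for the example; the encoder exists only to show how much a raw-length limit sees compared with the decoded subject.

```python
"""Header-length limits and recipient counting of the kind discussed above.
Added example, not Postfix or SpamAssassin code; the message is constructed."""
import base64
import re
from email.utils import getaddresses

# Byte limits on the value after "Name:", modelled on the header_checks table
# and the From/Subject/Date figures in the posts above (assumed values).
LIMITS = {'from': 2048, 'subject': 1024, 'date': 200, 'to': 30000, 'cc': 20000}


def encode_per_word(text, charset='utf-8'):
    """Encode every word as its own RFC 2047 B encoded-word.  Some clients do
    this, and it is the per-word overhead that makes a decoded-length intuition
    wrong when the limit is applied to the raw header."""
    words = []
    for word in text.split():
        b64 = base64.b64encode(word.encode(charset)).decode('ascii')
        words.append('=?%s?B?%s?=' % (charset, b64))
    return ' '.join(words)


def logical_headers(raw):
    """Yield (name, value) per header field, with RFC 5322 folded continuation
    lines joined by one space.  The value length is what a per-header limit
    is applied to here (an MTA counting raw bytes would also count the fold)."""
    head = re.split(r'\r?\n\r?\n', raw, maxsplit=1)[0]
    fields = []
    for line in head.splitlines():
        if line[:1] in (' ', '\t') and fields:      # continuation of previous field
            fields[-1] += ' ' + line.strip()
        else:
            fields.append(line)
    for field in fields:
        name, _, value = field.partition(':')
        yield name.strip(), value.strip()


def over_limit(raw, limits=LIMITS):
    """[(name, length, limit)] for every header whose value exceeds its limit."""
    hits = []
    for name, value in logical_headers(raw):
        limit = limits.get(name.lower())
        length = len(value.encode('utf-8'))
        if limit is not None and length > limit:
            hits.append((name, length, limit))
    return hits


def recipient_count(raw):
    """Recipients in To: and Cc:, counted with an address parser rather than
    in bytes, so a list of short addresses and a list of long ones compare by
    how many people are on them."""
    values = [v for n, v in logical_headers(raw) if n.lower() in ('to', 'cc')]
    return sum(1 for _name, addr in getaddresses(values) if addr)


# Constructed message: a per-word-encoded French subject, 62 recipients folded
# over several lines, and a display name padded past the 2048-byte From limit.
SUBJECT_TEXT = 'Résultats du concours du week-end'
RECIPIENTS = ['Recipient %d <user%d@example.org>' % (i, i) for i in range(62)]
RAW_MESSAGE = (
    'From: "%s" <sender@example.net>\r\n' % ('A' * 2100)
    + 'To: ' + ',\r\n    '.join(RECIPIENTS) + '\r\n'
    + 'Subject: ' + encode_per_word(SUBJECT_TEXT) + '\r\n'
    + 'Date: Thu, 20 Aug 2015 14:42:30 -0400\r\n'
    + '\r\n'
    + 'Results attached.\r\n'
)

if __name__ == '__main__':
    raw_len = len(encode_per_word(SUBJECT_TEXT))
    print('Subject: %d raw bytes for %d decoded bytes'
          % (raw_len, len(SUBJECT_TEXT.encode('utf-8'))))
    print('over limit:', over_limit(RAW_MESSAGE))
    print('recipients:', recipient_count(RAW_MESSAGE))
```

Run it and the subject line alone roughly triples in size under per-word encoding, the padded From is the only header the limits table rejects, and the 62-address To: is reported as 62 recipients regardless of how many characters it occupies.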
Re: Hitting an address in the From:name
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 21 Aug 2015, at 8:14, Martin Gregorie wrote:
> On Fri, 2015-08-21 at 00:32 -0400, Bill Cole wrote:
>> On 20 Aug 2015, at 14:49, Joe Quinn wrote:
>>
>>> That said, header fields are likely never going to be long enough
>>> for what you currently have to be a performance concern.
>>>
>>> (I was about to say it was impossible, but then I saw there is no
>>> length limit on headers:
>>> http://stackoverflow.com/questions/2721605/maximum-size-of-email-x-headers)
>>
>> On the other hand, there's no discernible downside to putting
>> generous hard limits outside of (and ahead of) SA for standard
>> headers. No matter what the RFCs say, sending mail with 600-byte From
>> or Subject headers is not something people who are worth
>> communicating with do intentionally and it can be very cheap to
>> reject such junk before SA sees it.
>>
> At most this deserves the possibility of writing rules that fire on the
> number of recipients of an e-mail. Any default rule, especially with a
> limit as low as 600 characters will do more harm than good. For
> instance, "Martin Gregorie <ma...@gregorie.org>," is 39 characters and
> is not unusually long for a mail address. Judging by this, your
> criterion would treat any list with more than about 15 recipients as
> over-long and well out of order.
Read what I wrote more carefully. Your response is a non sequitur.
Re: Hitting an address in the From:name
Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2015-08-21 at 00:32 -0400, Bill Cole wrote:
> On 20 Aug 2015, at 14:49, Joe Quinn wrote:
>
> > That said, header fields are likely never going to be long enough
> > for what you currently have to be a performance concern.
> >
> > (I was about to say it was impossible, but then I saw there is no
> > length limit on headers:
> > http://stackoverflow.com/questions/2721605/maximum-size-of-email-x-headers)
>
> On the other hand, there's no discernible downside to putting
> generous hard limits outside of (and ahead of) SA for standard
> headers. No matter what the RFCs say, sending mail with 600-byte From
> or Subject headers is not something people who are worth
> communicating with do intentionally and it can be very cheap to
> reject such junk before SA sees it.
>
At most this deserves the possibility of writing rules that fire on the
number of recipients of an e-mail. Any default rule, especially with a
limit as low as 600 characters will do more harm than good. For
instance, "Martin Gregorie <ma...@gregorie.org>," is 39 characters and
is not unusually long for a mail address. Judging by this, your
criterion would treat any list with more than about 15 recipients as
over-long and well out of order.
It's quite common to find large recipient lists in newsletters sent by
committee members in hobby or sports clubs. These clubs generally don't
have the time or expertise to maintain a listserv. The roles of
secretary and/or newsletter editor tend to change from year to year
and, since they'll be sending club newsletters etc. from their own PC,
it's unreasonable to expect them all to use, or even know about, e-mail
features such as BCC lists.
I regularly get sent competition results sheets that your suggestion
would reject. A recent results sheet I received has 62 recipients
occupying 2336 characters. This is neither spam nor an unwanted e-mail.
Martin
Re: Hitting an address in the From:name
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 20 Aug 2015, at 14:49, Joe Quinn wrote:
> That said, header fields are likely never going to be long enough for
> what you currently have to be a performance concern.
>
> (I was about to say it was impossible, but then I saw there is no
> length limit on headers:
> http://stackoverflow.com/questions/2721605/maximum-size-of-email-x-headers)
On the other hand, there's no discernible downside to putting generous
hard limits outside of (and ahead of) SA for standard headers. No matter
what the RFCs say, sending mail with 600-byte From or Subject headers is
not something people who are worth communicating with do intentionally
and it can be very cheap to reject such junk before SA sees it.
Re: Hitting an address in the From:name
Posted by Joe Quinn <jq...@pccc.com>.
On 8/20/2015 2:42 PM, Olivier Coutu wrote:
> I got a spearphishing e-mail the other day that had a From with the
> following form:
>
> From: "Mister President <pr...@company.com>"
> <ph...@freemailer.com>
>
> I attempted to craft a SA rule to catch the "@" in the From:name but I
> was unable to catch anything after the "<"
> ex:
> From:name =~ /Mister President/ hits
> From:name =~ /Mister President \</ does not hit
> From:name =~ /\@/ does not hit
> From:name =~ /company/ does not hit
> From =~ /\@.*\@/ hits but is inefficient
>
> I believe that SA may be removing the <pr...@company.com> part
> from the From:name, am I correct? Is there any efficient way to detect
> such an occurrence of an "@" in the From:name?
>
> Using SA version 3.4.1 on Ubuntu with debug
Good catch! If you are using a new enough perl you might try the
following which should have zero backtracking (the + modifier on
quantifiers works like a cut in prolog):
From =~ /\@[^@]*+\@/
That said, header fields are likely never going to be long enough for
what you currently have to be a performance concern.
(I was about to say it was impossible, but then I saw there is no length
limit on headers:
http://stackoverflow.com/questions/2721605/maximum-size-of-email-x-headers)
Re: Hitting an address in the From:name
Posted by John Hardin <jh...@impsec.org>.
On Thu, 20 Aug 2015, Olivier Coutu wrote:
> Le 2015-08-20 15:04, Joe Quinn a écrit :
>> On 8/20/2015 2:56 PM, John Hardin wrote:
>> > On Thu, 20 Aug 2015, Olivier Coutu wrote:
>> > > I believe that SA may be removing the <pr...@company.com> part
>> > > from the From:name, am I correct?
>>
>> Already opened a bug. The fact that From: name =~ /\@/ didn't match is
>> proof enough for me that something is wrong.
>
> I can confirm we have a bug, I followed the instructions and this is what I
> got.
>
> header __ALL_FROMNAME From:name =~ /.*/
>
> aoû 20 15:08:46.025 [3459] dbg: rules: ran header rule __ALL_FROMNAME ======>
> got hit: ""Mister President"
Yeah, the unbalanced quotes are a clue, too. :)
> Thanks for your help, I will use the
>
> From =~ /\@[^\@]*\@/
>
> solution in the meantime.
>
> I can attach the stripped e-mail to the bug if that helps.
Not needed, it's a simple enough case to hand-create.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XXXV: That which does not kill you has made a tactical error.
-----------------------------------------------------------------------
4 days until the 1936th anniversary of the destruction of Pompeii
Re: Hitting an address in the From:name
Posted by Olivier Coutu <ol...@zerospam.ca>.
Le 2015-08-20 15:04, Joe Quinn a écrit :
> On 8/20/2015 2:56 PM, John Hardin wrote:
>> On Thu, 20 Aug 2015, Olivier Coutu wrote:
>>> I believe that SA may be removing the <pr...@company.com> part
>>> from the From:name, am I correct?
>>
>> Define this rule:
>>
>> header __ALL_FROMNAME From:name =~ /.*/
>>
>> ...and run spamassassin on a test message using:
>> --debug area=all,rules,rules-all
>>
>> You'll be able to see exactly what's available to match against.
>>
>> I'd suggest for a From address like that, if it *is* dropping the
>> email address within the comment a bug should be filed.
>>
> Already opened a bug. The fact that From: name =~ /\@/ didn't match is
> proof enough for me that something is wrong.
I can confirm we have a bug, I followed the instructions and this is
what I got.
header __ALL_FROMNAME From:name =~ /.*/
aoû 20 15:08:46.025 [3459] dbg: rules: ran header rule __ALL_FROMNAME
======> got hit: ""Mister President"
Thanks for your help, I will use the
From =~ /\@[^\@]*\@/
solution in the meantime.
I can attach the stripped e-mail to the bug if that helps.
Re: Hitting an address in the From:name
Posted by Joe Quinn <jq...@pccc.com>.
On 8/20/2015 2:56 PM, John Hardin wrote:
> On Thu, 20 Aug 2015, Olivier Coutu wrote:
>> I believe that SA may be removing the <pr...@company.com> part
>> from the From:name, am I correct?
>
> Define this rule:
>
> header __ALL_FROMNAME From:name =~ /.*/
>
> ...and run spamassassin on a test message using:
> --debug area=all,rules,rules-all
>
> You'll be able to see exactly what's available to match against.
>
> I'd suggest for a From address like that, if it *is* dropping the
> email address within the comment a bug should be filed.
>
Already opened a bug. The fact that From: name =~ /\@/ didn't match is
proof enough for me that something is wrong.
Re: Hitting an address in the From:name
Posted by John Hardin <jh...@impsec.org>.
On Thu, 20 Aug 2015, Olivier Coutu wrote:
> I got a spearphishing e-mail the other day that had a From with the following
> form:
>
> From: "Mister President <pr...@company.com>"
> <ph...@freemailer.com>
>
> I attempted to craft a SA rule to catch the "@" in the From:name but I was
> unable to catch anything after the "<"
> ex:
> From: name =~ /Mister President/ hits
> From: name =~ /Mister President \</ does not hit
> From: name =~ /\@/ does not hit
> From: name =~ /company/ does not hit
> From =~ /\@.*\@/ hits but is inefficient
More efficient, won't backtrack:
From =~ /\@[^\@]*\@/
...but be aware that would also hit a From with multiple :addr parts
(which I have seen though rarely), which is also probably a good spam
sign.
> I believe that SA may be removing the <pr...@company.com> part from the
> From:name, am I correct?
Define this rule:
header __ALL_FROMNAME From:name =~ /.*/
...and run spamassassin on a test message using:
--debug area=all,rules,rules-all
You'll be able to see exactly what's available to match against.
I'd suggest for a From address like that, if it *is* dropping the email
address within the comment a bug should be filed.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
End users want eye candy and the "ooo's and aaaahhh's" experience
when reading mail. To them email isn't a tool, but an entertainment
form. -- Steve Lake
-----------------------------------------------------------------------
4 days until the 1936th anniversary of the destruction of Pompeii
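The From header shape from the root post, handled the way the reply above describes, as an added Python example that is not SpamAssassin code or anything posted in this thread. The addresses (example.com and example.net) are constructed stand-ins for the redacted ones, and ADDR_RE and the function names are assumptions of this example. It shows what an RFC 5322 parser keeps in the display name (the embedded <address> that the thread found From:name dropping), the From =~ /\@[^\@]*\@/ whole-header test together with the multiple-address caveat from the reply above, and a comparison of the smuggled address's domain against the real addr-spec.

```python
"""Checks for a From: whose display name smuggles a second address, the shape
of the thread's spearphishing sample.  Added example, not SpamAssassin code;
the sample headers are constructed (the thread's real addresses are redacted)."""
import re
from email.utils import parseaddr

# Constructed samples.  PHISH_FROM has the shape of the thread's message: the
# quoted display name carries an address at the impersonated domain while the
# real addr-spec points somewhere else.
PHISH_FROM = '"Mister President <president@example.com>" <attacker@example.net>'
PLAIN_FROM = 'Mister President <president@example.com>'
MULTI_FROM = 'alice@example.com, bob@example.org'   # several addr parts (the caveat above)

# Rough addr-spec matcher for display-name text; not a full RFC 5322 grammar.
ADDR_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+', re.ASCII)
# The whole-header test the thread settled on (From =~ /\@[^\@]*\@/): two '@' anywhere.
TWO_AT_RE = re.compile(r'@[^@]*@')


def split_from(header):
    """(display_name, addr_spec) as an RFC 5322 parser sees them.  For PHISH_FROM
    the display name keeps the embedded '<president@example.com>', which is the
    part the thread found SpamAssassin's From:name losing."""
    return parseaddr(header)


def name_has_address(header):
    """True when the display-name part itself contains an addr-spec."""
    name, _addr = split_from(header)
    return ADDR_RE.search(name) is not None


def two_at_signs(header):
    """Cheap string test over the raw header.  Also fires on a From with several
    addresses (MULTI_FROM), which the reply above notes is itself a spam sign."""
    return TWO_AT_RE.search(header) is not None


def spoofed_domain(header):
    """(name_domain, real_domain) when the display name carries an address whose
    domain differs from the real sender's domain; None otherwise."""
    name, addr = split_from(header)
    m = ADDR_RE.search(name)
    if m is None or '@' not in addr:
        return None
    name_domain = m.group(0).rsplit('@', 1)[1].lower()
    real_domain = addr.rsplit('@', 1)[1].lower()
    if name_domain == real_domain:
        return None
    return name_domain, real_domain


if __name__ == '__main__':
    for h in (PHISH_FROM, PLAIN_FROM, MULTI_FROM):
        print(repr(h))
        print('  parsed:       ', split_from(h))
        print('  name has @:   ', name_has_address(h))
        print('  two @ signs:  ', two_at_signs(h))
        print('  spoofed domain', spoofed_domain(h))
```

two_at_signs is the Python counterpart of the rule the thread converged on, `header <rule name> From =~ /\@[^\@]*\@/`; name_has_address needs the display name as the parser returns it, which is exactly what the From:name bug reported above prevents, and the domain comparison is shown for the parser side only, since it goes beyond what a plain header rule expresses.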