Posted to users@spamassassin.apache.org by Tony Finch <do...@dotat.at> on 2006/11/10 17:03:05 UTC

current stock scams are easy to spot

They have a forged Received: line which has a "by" field containing the
domain of the recipient address, a "for" field which matches the From:
header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).


Received: from [217.218.182.65] (port=2608 helo=shop-efe3045e89)
    by sesame.csx.cam.ac.uk with esmtp (Exim 4.54)
    id 1GiQmw-000Mmp-GM
    for cvs@exim.org; Fri, 10 Nov 2006 07:27:18 +0000
Received: from 64.224.110.142 (HELO smtp.icom.com)
     by exim.org with esmtp ()C8+DP.+1S -G2,0)
     id C989<T-=Z,Z.0-09
     for cvs@exim.org; Thu, 19 Jan 2006 07:28:02 -0210
From: "Eileen Mayer" <de...@briancurtis.com>
To: <cv...@exim.org>
Subject: hi cvs
Date: Thu, 19 Jan 2006 07:28:02 -0210
Message-ID: <01...@deboramcde>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Thread-Index: Aca6QB0)-/ZA;3SO+O/M?G<3G3C(7,==


Tony.
-- 
f.a.n.finch  <do...@dotat.at>  http://dotat.at/
FORTIES CROMARTY: SOUTHERLY VEERING WESTERLY 6 TO GALE 8, OCCASIONALLY SEVERE
GALE 9. VERY ROUGH. RAIN THEN SHOWERS. MODERATE OR GOOD.
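The two Received: lines quoted above, run through a small checker for the tells Tony describes (the "by" field naming the recipient's bare domain, and an Exim-shaped id that is not of the form 1XXXXX-0XXXXX-XX). This is an added example, not code from the post or from SpamAssassin; the function names and the base-62 interpretation of "X" are assumptions.

```python
import re

# Two Received: lines from the message quoted above, unfolded onto one line each
# (the first was added by the real receiving MTA, the second is the forgery).
GENUINE = ("from [217.218.182.65] (port=2608 helo=shop-efe3045e89) "
           "by sesame.csx.cam.ac.uk with esmtp (Exim 4.54) id 1GiQmw-000Mmp-GM "
           "for cvs@exim.org; Fri, 10 Nov 2006 07:27:18 +0000")
FORGED = ("from 64.224.110.142 (HELO smtp.icom.com) "
          "by exim.org with esmtp ()C8+DP.+1S -G2,0) id C989<T-=Z,Z.0-09 "
          "for cvs@exim.org; Thu, 19 Jan 2006 07:28:02 -0210")

# Exim queue id as the post describes it: 1XXXXX-0XXXXX-XX (assumed base-62 chars).
EXIM_ID = re.compile(r"^1[0-9A-Za-z]{5}-0[0-9A-Za-z]{5}-[0-9A-Za-z]{2}$")
# The looser 6-6-2 shape that the scam imitates.
EXIM_SHAPE = re.compile(r"^\S{6}-\S{6}-\S{2}$")


def parse_received(value):
    """Extract the by/id/for fields from an unfolded Received: header value."""
    fields = {}
    for key in ("by", "id", "for"):
        m = re.search(r"\b%s\s+(\S+)" % key, value)
        if m:
            fields[key] = m.group(1).rstrip(";")
    return fields


def forged_received_indicators(value):
    """Return the signs, taken from the post, that this Received: line was forged."""
    f = parse_received(value)
    reasons = []
    # A 'by' field equal to the recipient's bare domain (not a host within it)
    # is weak evidence alone; a real MX could be named that way.
    recipient_domain = f.get("for", "").rpartition("@")[2].lower()
    if recipient_domain and f.get("by", "").lower() == recipient_domain:
        reasons.append("by_is_bare_recipient_domain")
    # An id that copies Exim's 6-6-2 layout but not its fixed first/seventh
    # character is the stronger tell.
    ident = f.get("id", "")
    if EXIM_SHAPE.match(ident) and not EXIM_ID.match(ident):
        reasons.append("exim_shaped_id_not_exim")
    return reasons


if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, forged_received_indicators(line))
```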

Re: simple TZ test (Re: current stock scams are easy to spot)

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 16 Nov 2006, Christian Recktenwald wrote:

> On Wed, Nov 15, 2006 at 11:14:12PM -0600, David B Funk wrote:
> >
> > You're trying too hard.
> > Look at that 'Date:' header, they've got a bogus time-zone value.
> > It's syntactically RFC-2822 correct but nonsense.
> > (One of my favorites was "-0480" ;)
> >
> > Simple rule, so far no FPs:
> >
> > # bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
> > header L_SPAM_TOOL_13   Date =~ /\s[+-]\d\d[124-9]\d$/
> > describe L_SPAM_TOOL_13 Bogus time-zone
> > score L_SPAM_TOOL_13    3.1
>
> there are valid TZ values besides that:
>
> 	NEPAL       +0545  (postings seen on this list)
> 	AUSTRALIA   +0845 (ACWS)
> 	NEW ZEALAND +1245 (CHAST)
> 	NEW ZEALAND +1345 (CHADT)
>
> 	Also seen   -0000
>
> [Sources: http://de.wikipedia.org/wiki/Zeitzone
>           http://de.wikipedia.org/wiki/Zeitverschiebung
>           http://www.ptb.de/de/org/4/44/441/zeit.htm
>           http://en.wikipedia.org/wiki/Time_zone
>           http://en.wikipedia.org/wiki/Time_in_Australia
>           http://en.wikipedia.org/wiki/Time_in_New_Zealand

Thanks for the info, the only values that I knew had the form ..[03]0,
thus the idea behind the rule. So time to augment it. ;)
Try:

header L_SPAM_TOOL_13   Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
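The augmented regex above, transcribed into Python and run side by side with a structural check (minutes must be 00, 30 or 45, hours at most 14) over the bogus zones quoted in the thread and the valid ones Christian listed. This is an added example, not code from the thread or from SpamAssassin; the structural check is a generalization of the rule's idea and the function names are mine.

```python
import re

# David Funk's augmented L_SPAM_TOOL_13 regex in Python syntax: fires when the
# minutes start with 1, 2 or 4-9, except for the x45 zones (+0545, +0845, +1245, +1345).
TZ_RULE = re.compile(r"\s[+-]\d(?![2358]45)\d[124-9]\d$")

# Added generalization: split the numeric zone into sign, hours and minutes.
TZ_FIELD = re.compile(r"\s([+-])(\d\d)(\d\d)$")


def bogus_tz_rule(date_value):
    """True when the L_SPAM_TOOL_13 regex would fire on this Date: value."""
    return TZ_RULE.search(date_value) is not None


def offset_is_plausible(date_value):
    """False for a numeric zone no real time zone uses (minutes not 00/30/45,
    or hours beyond 14). A Date: without a numeric zone is not judged here."""
    m = TZ_FIELD.search(date_value)
    if not m:
        return True
    hours, minutes = int(m.group(2)), int(m.group(3))
    return hours <= 14 and minutes in (0, 30, 45)


def scan(date_values):
    """Map each Date: value to (rule_fires, plausible) for comparison."""
    return {d: (bogus_tz_rule(d), offset_is_plausible(d)) for d in date_values}


# Constructed Date: values; the first three carry the bogus zones from the thread.
SAMPLE_DATES = [
    "Wed, 15 Nov 2006 21:29:24 -0180",
    "Thu, 19 Jan 2006 07:28:02 -0210",
    "Thu, 19 Jan 2006 07:28:02 -0480",
    "Thu, 16 Nov 2006 10:00:00 +0545",   # Nepal
    "Thu, 16 Nov 2006 10:00:00 +1345",   # Chatham daylight time
    "Thu, 16 Nov 2006 10:00:00 -0000",
    "Thu, 16 Nov 2006 10:00:00 -0600",
    "Thu, 16 Nov 2006 10:00:00 +1500",   # hours-only nonsense the regex misses
]

if __name__ == "__main__":
    for date, (fires, ok) in scan(SAMPLE_DATES).items():
        print("%-34s rule=%-5s plausible=%s" % (date, fires, ok))
```

Note that both checks anchor on `$`, so a Date: value ending in a comment such as "(GMT)" would need the comment stripped first.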

Re: simple TZ test (Re: current stock scams are easy to spot)

Posted by Christian Recktenwald <sp...@citecs.de>.
On Wed, Nov 15, 2006 at 11:14:12PM -0600, David B Funk wrote:
> 
> You're trying too hard.
> Look at that 'Date:' header, they've got a bogus time-zone value.
> It's syntactically RFC-2822 correct but nonsense.
> (One of my favorites was "-0480" ;)
> 
> Simple rule, so far no FPs:
> 
> # bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
> header L_SPAM_TOOL_13   Date =~ /\s[+-]\d\d[124-9]\d$/
> describe L_SPAM_TOOL_13 Bogus time-zone
> score L_SPAM_TOOL_13    3.1

there are valid TZ values besides that:

	NEPAL       +0545  (postings seen on this list)
	AUSTRALIA   +0845 (ACWS)
	NEW ZEALAND +1245 (CHAST)
	NEW ZEALAND +1345 (CHADT)

	Also seen   -0000

[Sources: http://de.wikipedia.org/wiki/Zeitzone
          http://de.wikipedia.org/wiki/Zeitverschiebung
          http://www.ptb.de/de/org/4/44/441/zeit.htm
          http://en.wikipedia.org/wiki/Time_zone
          http://en.wikipedia.org/wiki/Time_in_Australia
          http://en.wikipedia.org/wiki/Time_in_New_Zealand
]

-- 
Christian Recktenwald      :                         :
citecs GmbH i.L.           : spamassassin-talk-dist@citecs.de
Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 189
EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart

simple TZ test (Re: current stock scams are easy to spot)

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 10 Nov 2006, Tony Finch wrote:

>
> They have a forged Received: line which has a "by" field containing the
> domain of the recipient address, a "for" field which matches the From:
> header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
> queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).
>
>
> Received: from [217.218.182.65] (port=2608 helo=shop-efe3045e89)
>     by sesame.csx.cam.ac.uk with esmtp (Exim 4.54)
>     id 1GiQmw-000Mmp-GM
>     for cvs@exim.org; Fri, 10 Nov 2006 07:27:18 +0000
> Received: from 64.224.110.142 (HELO smtp.icom.com)
>      by exim.org with esmtp ()C8+DP.+1S -G2,0)
>      id C989<T-=Z,Z.0-09
>      for cvs@exim.org; Thu, 19 Jan 2006 07:28:02 -0210
> From: "Eileen Mayer" <de...@briancurtis.com>
> To: <cv...@exim.org>
> Subject: hi cvs
> Date: Thu, 19 Jan 2006 07:28:02 -0210
> Message-ID: <01...@deboramcde>
> MIME-Version: 1.0
> Content-Type: text/plain;
>     charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
> Thread-Index: Aca6QB0)-/ZA;3SO+O/M?G<3G3C(7,==


You're trying too hard.
Look at that 'Date:' header, they've got a bogus time-zone value.
It's syntactically RFC-2822 correct but nonsense.
(One of my favorites was "-0480" ;)

Simple rule, so far no FPs:

# bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
header L_SPAM_TOOL_13   Date =~ /\s[+-]\d\d[124-9]\d$/
describe L_SPAM_TOOL_13 Bogus time-zone
score L_SPAM_TOOL_13    3.1

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: current stock scams are easy to spot

Posted by Loren Wilton <lw...@earthlink.net>.
>         Well, that's all fine and dandy, but what do we do about them? 
> Since we know they all have a common element, we need to figure out a way 
> to stop them using that info.

Well, just from the description and knowing the existence of "header ALL",
it would be pretty trivial to write about three rules involving a capturing
clause to do the matching.

        Loren


Re: current stock scams are easy to spot

Posted by Steve Lake <st...@raiden.net>.
         Well, that's all fine and dandy, but what do we do about 
them?  Since we know they all have a common element, we need to figure out 
a way to stop them using that info.

At 04:03 PM 11/10/2006 +0000, Tony Finch wrote:

>They have a forged Received: line which has a "by" field containing the
>domain of the recipient address, a "for" field which matches the From:
>header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
>queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).

Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community