Posted to users@spamassassin.apache.org by Tony Finch <do...@dotat.at> on 2006/11/10 17:03:05 UTC
current stock scams are easy to spot
They have a forged Received: line which has a "by" field containing the
domain of the recipient address, a "for" field which matches the From:
header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).
Received: from [217.218.182.65] (port=2608 helo=shop-efe3045e89)
by sesame.csx.cam.ac.uk with esmtp (Exim 4.54)
id 1GiQmw-000Mmp-GM
for cvs@exim.org; Fri, 10 Nov 2006 07:27:18 +0000
Received: from 64.224.110.142 (HELO smtp.icom.com)
by exim.org with esmtp ()C8+DP.+1S -G2,0)
id C989<T-=Z,Z.0-09
for cvs@exim.org; Thu, 19 Jan 2006 07:28:02 -0210
From: "Eileen Mayer" <de...@briancurtis.com>
To: <cv...@exim.org>
Subject: hi cvs
Date: Thu, 19 Jan 2006 07:28:02 -0210
Message-ID: <01...@deboramcde>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Thread-Index: Aca6QB0)-/ZA;3SO+O/M?G<3G3C(7,==
Tony.
--
f.a.n.finch <do...@dotat.at> http://dotat.at/
FORTIES CROMARTY: SOUTHERLY VEERING WESTERLY 6 TO GALE 8, OCCASIONALLY SEVERE
GALE 9. VERY ROUGH. RAIN THEN SHOWERS. MODERATE OR GOOD.
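As an added illustration (not part of the post), the two Received: lines quoted above, folded back onto one line each, run through a small check for the tell-tales the post describes: a "by" field that is the recipient's own domain, and an "id" shaped like an Exim queue id but not matching the 1XXXXX-0XXXXX-XX form. The field-extraction regex and the rule names are this example's assumptions, not SpamAssassin's or Exim's code.

```python
import re

# Two Received: values constructed from the ones quoted in the post (folded back
# onto one line each): the genuine Exim hop on top, the forged hop below it.
GENUINE = ("from [217.218.182.65] (port=2608 helo=shop-efe3045e89) "
           "by sesame.csx.cam.ac.uk with esmtp (Exim 4.54) id 1GiQmw-000Mmp-GM "
           "for cvs@exim.org; Fri, 10 Nov 2006 07:27:18 +0000")
FORGED = ("from 64.224.110.142 (HELO smtp.icom.com) by exim.org with esmtp "
          "()C8+DP.+1S -G2,0) id C989<T-=Z,Z.0-09 for cvs@exim.org; "
          "Thu, 19 Jan 2006 07:28:02 -0210")

# Assumed extraction of the three fields the post talks about ("by", "id", "for").
FIELDS_RE = re.compile(
    r"\bby\s+(?P<by>\S+)\b.*?\bid\s+(?P<id>\S+)\s+for\s+<?(?P<for>[^\s>;]+)")
# Anything shaped XXXXXX-XXXXXX-XX ...
EXIM_SHAPE_RE = re.compile(r"^\S{6}-\S{6}-\S{2}$")
# ... versus the 1XXXXX-0XXXXX-XX form the post says real Exim ids always have.
EXIM_REAL_RE = re.compile(r"^1[0-9A-Za-z]{5}-0[0-9A-Za-z]{5}-[0-9A-Za-z]{2}$")


def received_fields(value):
    """Return {'by', 'id', 'for'} for a Received: value, or None if unparseable."""
    m = FIELDS_RE.search(value)
    return m.groupdict() if m else None


def looks_forged(value, recipient):
    """List the tell-tales from the post that this Received: hop exhibits."""
    f = received_fields(value)
    if f is None:
        return ["unparseable"]
    tells = []
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if f["by"].lower() == rcpt_domain:
        tells.append("by-field is the recipient's own domain")
    if EXIM_SHAPE_RE.match(f["id"]) and not EXIM_REAL_RE.match(f["id"]):
        tells.append("id mimics an Exim queue id but is not one")
    return tells


if __name__ == "__main__":
    for label, hop in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, looks_forged(hop, "cvs@exim.org"))
```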
Re: simple TZ test (Re: current stock scams are easy to spot)
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 16 Nov 2006, Christian Recktenwald wrote:
> On Wed, Nov 15, 2006 at 11:14:12PM -0600, David B Funk wrote:
> >
> > You're trying too hard.
> > Look at that 'Date:' header, they've got a bogus time-zone value.
> > It's syntactically RFC-2822 correct but nonsense.
> > (One of my favorites was "-0480" ;)
> >
> > Simple rule, so far no FPs:
> >
> > # bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
> > header L_SPAM_TOOL_13 Date =~ /\s[+-]\d\d[124-9]\d$/
> > describe L_SPAM_TOOL_13 Bogus time-zone
> > score L_SPAM_TOOL_13 3.1
>
> there are valid TZ values besides that:
>
> NEPAL +0545 (postings seen on this list)
> AUSTRALIA +0845 (ACWS)
> NEW ZEALAND +1245 (CHAST)
> NEW ZEALAND +1345 (CHADT)
>
> Also seen -0000
>
> [Sources: http://de.wikipedia.org/wiki/Zeitzone
> http://de.wikipedia.org/wiki/Zeitverschiebung
> http://www.ptb.de/de/org/4/44/441/zeit.htm
> http://en.wikipedia.org/wiki/Time_zone
> http://en.wikipedia.org/wiki/Time_in_Australia
> http://en.wikipedia.org/wiki/Time_in_New_Zealand
Thanks for the info, the only values that I knew had the form ..[03]0
thus the idea behind the rule. So time to augment it. ;)
Try:
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
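The two versions of the rule from this exchange, run side by side over constructed Date: header values that use the offsets mentioned in the thread. This is an added example, not code from the list; it assumes Python's `re` handles the negative lookahead the same way Perl does for this pattern (it does), and the sample dates themselves are made up.

```python
import re

# Original rule from the first post: flag any offset whose third digit is not 0 or 3.
ORIGINAL_TZ_RE = re.compile(r"\s[+-]\d\d[124-9]\d$")

# Augmented rule from the follow-up: a negative lookahead exempts the real
# :45 offsets (+0545, +0845, +1245, +1345) before applying the same check.
AUGMENTED_TZ_RE = re.compile(r"\s[+-]\d(?![2358]45)\d[124-9]\d$")


def bogus_tz(date_header, pattern=AUGMENTED_TZ_RE):
    """True if the Date: value ends in an offset the rule treats as bogus.

    Mirrors `header L_SPAM_TOOL_13 Date =~ /.../`, which tests the header
    value (not the whole raw line) against the regex."""
    return pattern.search(date_header.rstrip("\r\n")) is not None


# Constructed Date: values; the offsets are the ones discussed in the thread.
SAMPLES = [
    "Thu, 19 Jan 2006 07:28:02 -0210",   # from the quoted scam headers
    "Wed, 15 Nov 2006 21:29:24 -0180",   # example in the rule's own comment
    "Wed, 15 Nov 2006 21:29:24 -0480",   # the "favourite" bogus offset
    "Fri, 10 Nov 2006 07:27:18 +0000",
    "Fri, 10 Nov 2006 07:27:18 -0000",
    "Fri, 10 Nov 2006 12:57:18 +0545",   # Nepal
    "Fri, 10 Nov 2006 15:42:18 +0845",   # ACWS
    "Fri, 10 Nov 2006 20:12:18 +1245",   # CHAST
    "Fri, 10 Nov 2006 21:12:18 +1345",   # CHADT
    "Fri, 10 Nov 2006 12:57:18 +0530",   # third digit 3, allowed by both rules
]

# Offsets the thread treats as legitimate.
LEGIT_OFFSETS = {"+0545", "+0845", "+1245", "+1345", "+0000", "-0000", "+0530"}


def false_positives(pattern):
    """Legitimate offsets from SAMPLES that the given pattern still flags."""
    return sorted(s[-5:] for s in SAMPLES
                  if s[-5:] in LEGIT_OFFSETS and bogus_tz(s, pattern))


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_TZ_RE), ("augmented", AUGMENTED_TZ_RE)):
        print(name, "false positives:", false_positives(pat))
```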
Re: simple TZ test (Re: current stock scams are easy to spot)
Posted by Christian Recktenwald <sp...@citecs.de>.
On Wed, Nov 15, 2006 at 11:14:12PM -0600, David B Funk wrote:
>
> You're trying too hard.
> Look at that 'Date:' header, they've got a bogus time-zone value.
> It's syntactically RFC-2822 correct but nonsense.
> (One of my favorites was "-0480" ;)
>
> Simple rule, so far no FPs:
>
> # bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
> header L_SPAM_TOOL_13 Date =~ /\s[+-]\d\d[124-9]\d$/
> describe L_SPAM_TOOL_13 Bogus time-zone
> score L_SPAM_TOOL_13 3.1
there are valid TZ values besides that:
NEPAL +0545 (postings seen on this list)
AUSTRALIA +0845 (ACWS)
NEW ZEALAND +1245 (CHAST)
NEW ZEALAND +1345 (CHADT)
Also seen -0000
[Sources: http://de.wikipedia.org/wiki/Zeitzone
http://de.wikipedia.org/wiki/Zeitverschiebung
http://www.ptb.de/de/org/4/44/441/zeit.htm
http://en.wikipedia.org/wiki/Time_zone
http://en.wikipedia.org/wiki/Time_in_Australia
http://en.wikipedia.org/wiki/Time_in_New_Zealand
]
--
Christian Recktenwald : :
citecs GmbH i.L. : spamassassin-talk-dist@citecs.de
Unternehmensberatung fuer : voice +49 711 601 2090 : Boeblinger Strasse 189
EDV und Telekommunikation : fax +49 711 601 2092 : D-70199 Stuttgart
simple TZ test (Re: current stock scams are easy to spot)
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 10 Nov 2006, Tony Finch wrote:
>
> They have a forged Received: line which has a "by" field containing the
> domain of the recipient address, a "for" field which matches the From:
> header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
> queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).
>
>
> Received: from [217.218.182.65] (port=2608 helo=shop-efe3045e89)
> by sesame.csx.cam.ac.uk with esmtp (Exim 4.54)
> id 1GiQmw-000Mmp-GM
> for cvs@exim.org; Fri, 10 Nov 2006 07:27:18 +0000
> Received: from 64.224.110.142 (HELO smtp.icom.com)
> by exim.org with esmtp ()C8+DP.+1S -G2,0)
> id C989<T-=Z,Z.0-09
> for cvs@exim.org; Thu, 19 Jan 2006 07:28:02 -0210
> From: "Eileen Mayer" <de...@briancurtis.com>
> To: <cv...@exim.org>
> Subject: hi cvs
> Date: Thu, 19 Jan 2006 07:28:02 -0210
> Message-ID: <01...@deboramcde>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
> Thread-Index: Aca6QB0)-/ZA;3SO+O/M?G<3G3C(7,==
You're trying too hard.
Look at that 'Date:' header, they've got a bogus time-zone value.
It's syntactically RFC-2822 correct but nonsense.
(One of my favorites was "-0480" ;)
Simple rule, so far no FPs:
# bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d\d[124-9]\d$/
describe L_SPAM_TOOL_13 Bogus time-zone
score L_SPAM_TOOL_13 3.1
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: current stock scams are easy to spot
Posted by Loren Wilton <lw...@earthlink.net>.
> Well, that's all fine and dandy, but what do we do about them?
> Since we know they all have a common element, we need to figure out a way
> to stop them using that info.
Well, just from the description and knowing the existence of "header ALL",
it would be pretty trivial to write about three rules involving a capturing
clause to do the matching.
Loren
Re: current stock scams are easy to spot
Posted by Steve Lake <st...@raiden.net>.
Well, that's all fine and dandy, but what do we do about
them? Since we know they all have a common element, we need to figure out
a way to stop them using that info.
At 04:03 PM 11/10/2006 +0000, Tony Finch wrote:
>They have a forged Received: line which has a "by" field containing the
>domain of the recipient address, a "for" field which matches the From:
>header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
>queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).
Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community