Posted to users@spamassassin.apache.org by Mike Cisar <ml...@starmania.net> on 2008/12/06 18:17:46 UTC

Spam slipping through

I have recently been having 1000s of spam messages slipping past SpamAssassin... they
all seem to be pretty much identical in format, but SpamAssassin isn't
scoring them even high enough to be tagged.

- they are all flagged as important
- a single line which so far has had one of two common phrases followed by a
URL (always different) in the format  <http://domain.com/>  (angle brackets
included).
- the "from" always matches the "to" (so it always looks like it's coming
from yourself)

I'm sure that at least some of the URLs or messages should be getting
caught somewhere by SpamAssassin, but they aren't.  So I don't know if
there's something really crafty about the messages or what.

Would love to write a custom rule to take care of the problem if I need
to... but I'm cautious about writing a rule based on the two phrases because they
are guaranteed to trigger a lot of false positives.  I'm thinking it would
have to be a combination of the phrases, the important flag, the from
matching to... and something to match that URL format?

Anybody having problems with this spam, and figured out how to block it?

Thanks much!
>>>>> Mike <<<<<
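The combined check Mike sketches, as an added example that is not code from the thread or from SpamAssassin itself: a small Python model that parses a message, tests the three properties he lists (From address equal to a To address, the message flagged important, and a body that is a single line of phrase plus angle-bracketed URL) and scores them the way a SpamAssassin meta rule would, with the sub-tests worth nothing on their own. The two phrases, the addresses, the URLs and the 5.0 score are constructed placeholders, not values from the thread.

```python
# Added example, not from the thread: a stand-alone model of the combined
# check (From == To, "important" flag, single body line of phrase + angle-
# bracket URL), scored like a SpamAssassin meta rule. Addresses, phrases,
# URLs and the score are constructed placeholders.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Stand-in for the two real phrases from the spam run (not given in the thread).
PLACEHOLDER_PHRASES = ("look at this", "you have to see this")
META_SCORE = 5.0  # assumed: enough to cross a default 5.0 tag threshold by itself


def text_body(msg):
    """Return the first text/plain body as str (empty string if there is none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def from_matches_to(msg):
    """True when the From address appears among the To addresses (case-insensitive)."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return bool(sender) and sender in recipients


def flagged_important(msg):
    """Importance: high or X-Priority: 1 (...), the two usual 'important' markers."""
    importance = (msg.get("Importance") or "").strip().lower()
    priority = (msg.get("X-Priority") or "").strip()
    return importance == "high" or priority.startswith("1")


def body_is_phrase_plus_url(msg, phrases=PLACEHOLDER_PHRASES):
    """Body is exactly one non-blank line: <phrase> <http://...>, literal angle brackets."""
    alts = "|".join(re.escape(p) for p in phrases)
    pattern = re.compile(rf"^\s*(?:{alts})\s+<https?://[^\s<>]+>\s*$", re.I)
    lines = [ln for ln in text_body(msg).splitlines() if ln.strip()]
    return len(lines) == 1 and pattern.match(lines[0]) is not None


def evaluate(raw, phrases=PLACEHOLDER_PHRASES):
    """Return (subrule hits, score). Like SA '__' subrules, each test alone adds 0;
    only the AND of all three adds META_SCORE."""
    msg = message_from_string(raw)
    hits = {
        "__FROM_EQ_TO": from_matches_to(msg),
        "__FLAGGED_IMPORTANT": flagged_important(msg),
        "__PHRASE_ANGLE_URL": body_is_phrase_plus_url(msg, phrases),
    }
    return hits, (META_SCORE if all(hits.values()) else 0.0)


# Constructed samples (not real messages from the thread).
SPAM_SAMPLE = """\
From: "Alice" <alice@example.com>
To: alice@example.com
Subject: FYI
Importance: high
X-Priority: 1 (Highest)

look at this <http://example.net/>
"""

SELF_NOTE = """\
From: alice@example.com
To: alice@example.com
Subject: todo
Importance: high

Milk, eggs, bread.
Also call the dentist: <http://example.org/dentist/>
"""

FORWARDED_LINK = """\
From: bob@example.com
To: alice@example.com
Subject: link
Importance: high

look at this <http://example.net/>
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("self-note", SELF_NOTE), ("forwarded", FORWARDED_LINK)):
        hits, score = evaluate(raw)
        print(f"{name:10s} score={score:.1f} hits={hits}")
```

The two non-spam samples are there to show the false-positive concern: a note to yourself trips From == To and the importance flag but not the single-line URL test, and a forwarded link trips the phrase test but not From == To, so neither reaches the meta score.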


Re: Spam slipping through

Posted by support <su...@buzzhost.co.uk>.
On Sat, 2008-12-06 at 10:17 -0700, Mike Cisar wrote:
> I have recently been having 1000s of spam messages slipping past SpamAssassin... they
> all seem to be pretty much identical in format, but SpamAssassin isn't
> scoring them even high enough to be tagged.
> 
> - they are all flagged as important
> - a single line which so far has had one of two common phrases followed by a
> URL (always different) in the format  <http://domain.com/>  (angle brackets
> included).
> - the "from" always matches the "to" (so it always looks like it's coming
> from yourself)
> 
> I'm sure that at least some of the URLs or messages should be getting
> caught somewhere by SpamAssassin, but they aren't.  So I don't know if
> there's something really crafty about the messages or what.
> 
> Would love to write a custom rule to take care of the problem if I need
> to... but I'm cautious about writing a rule based on the two phrases because they
> are guaranteed to trigger a lot of false positives.  I'm thinking it would
> have to be a combination of the phrases, the important flag, the from
> matching to... and something to match that URL format?
> 
> Anybody having problems with this spam, and figured out how to block it?
> 
> Thanks much!
> >>>>> Mike <<<<<
> 
> 
Are the sending IPs on any block lists? Are you doing SPF checks?



Re: Spam slipping through

Posted by mouss <mo...@netoyen.net>.
Mike Cisar wrote:
> I have recently been having 1000s of spam messages slipping past SpamAssassin... they
> all seem to be pretty much identical in format, but SpamAssassin isn't
> scoring them even high enough to be tagged.
> 
> - they are all flagged as important
> - a single line which so far has had one of two common phrases followed by a
> URL (always different) in the format  <http://domain.com/>  (angle brackets
> included).
> - the "from" always matches the "to" (so it always looks like it's coming
> from yourself)
> 
> I'm sure that at least some of the URLs or messages should be getting
> caught somewhere by SpamAssassin, but they aren't.  So I don't know if
> there's something really crafty about the messages or what.
> 
> Would love to write a custom rule to take care of the problem if I need
> to... but I'm cautious about writing a rule based on the two phrases because they
> are guaranteed to trigger a lot of false positives.  I'm thinking it would
> have to be a combination of the phrases, the important flag, the from
> matching to... and something to match that URL format?
> 
> Anybody having problems with this spam, and figured out how to block it?
> 


Post a sample on pastebin.com.

I've seen some that have
X-Mailer: %WORD_1 ....
(the ratware didn't substitute the variables! SA has rules for these).

If you receive mail via SMTP directly (no forwarder, no fetching), then
consider using zen.spamhaus.org.

Re: Spam slipping through

Posted by mouss <mo...@netoyen.net>.
support wrote:
> On Sat, 2008-12-06 at 23:45 -0500, Theo Van Dinter wrote:
>> On Sat, Dec 06, 2008 at 08:00:10PM -0800, John Hardin wrote:
>>> mechanism for. Devs: there've been wishes for this before; how hard
>>> would it be to add the ability to match on the substring match captured
>>> by another rule? Add a flag to say "capture the match for this rule" and
>>> a syntax for substituting that into the match RE of another rule, and
>>> dependency enforcement?
>> Non-trivial.  Write a plugin, where it is trivial.  :)

Trivial indeed:

http://www.netoyen.net/sa/FromInTo.pm

1. Very quickly tested (so: don't use it ;-p)
2. This checks for the From: header address in the envelope rcpt and in
the To: header. Not sure this is what the OP wanted.


> 
> The implementation of it is not my concern. It's a pretty basic rule to
> require, and one that addresses a commonly exploited spam attack vector.

Having the same address in the From and To is also seen in legitimate mail:
- I send mail to myself
- some people use their address in the To when they Bcc many people

Or do you mean comparing the addresses only if the domain is "yours"?

The other question is: would such a rule really help? How much spam will
it detect? I mean spam that is not detected or blocked by other means
(such as DNSBLs, HELO checks, etc.).


> Do we
> just say 'We won't scan for that, it's too complicated'? It's kind of
> like not scanning anything over 150k for performance. Spammers make use
> of these shortcomings.
> 
> On a different note here, there is starting to be an increase in spam
> over 150k. I'm seeing a slowly increasing amount of spam from Asia that
> is in the 1meg range. This would choke any rules-based scanner in
> volume. With bandwidth now cheap (other people's in particular if you are
> using a botnet) it's an increasing concern.
> 
> 



Re: Spam slipping through

Posted by support <su...@buzzhost.co.uk>.
On Sat, 2008-12-06 at 23:45 -0500, Theo Van Dinter wrote:
> On Sat, Dec 06, 2008 at 08:00:10PM -0800, John Hardin wrote:
> > mechanism for. Devs: there've been wishes for this before; how hard
> > would it be to add the ability to match on the substring match captured
> > by another rule? Add a flag to say "capture the match for this rule" and
> > a syntax for substituting that into the match RE of another rule, and
> > dependency enforcement?
> 
> Non-trivial.  Write a plugin, where it is trivial.  :)

The implementation of it is not my concern. It's a pretty basic rule to
require, and one that addresses a commonly exploited spam attack vector. Do we
just say 'We won't scan for that, it's too complicated'? It's kind of
like not scanning anything over 150k for performance. Spammers make use
of these shortcomings.

On a different note here, there is starting to be an increase in spam
over 150k. I'm seeing a slowly increasing amount of spam from Asia that
is in the 1meg range. This would choke any rules-based scanner in
volume. With bandwidth now cheap (other people's in particular if you are
using a botnet) it's an increasing concern.



Re: Spam slipping through

Posted by Theo Van Dinter <fe...@apache.org>.
On Sat, Dec 06, 2008 at 08:00:10PM -0800, John Hardin wrote:
> mechanism for. Devs: there've been wishes for this before; how hard
> would it be to add the ability to match on the substring match captured
> by another rule? Add a flag to say "capture the match for this rule" and
> a syntax for substituting that into the match RE of another rule, and
> dependency enforcement?

Non-trivial.  Write a plugin, where it is trivial.  :)

-- 
Randomly Selected Tagline:
"Advice is kind of like sex. It's not always good, it's not always free
 and you don't always get from the person you want to get it from."
                      - Peter Liam Taylor

Re: Spam slipping through

Posted by John Hardin <jh...@impsec.org>.
On Sat, 2008-12-06 at 20:13 +0000, support wrote:

> Surely, by now, someone has come up with a simple regex rule or
> something that matches if the to & from are the same? Is this too
> obvious?

Unfortunately it's actually not that easy. It involves remembering a
matched substring across *two* rules, which ATM SA does not provide any
mechanism for. Devs: there've been wishes for this before; how hard
would it be to add the ability to match on the substring match captured
by another rule? Add a flag to say "capture the match for this rule" and
a syntax for substituting that into the match RE of another rule, and
dependency enforcement?

In lieu of that, if you're familiar with Perl you could write a plugin
to do what you suggest, or you could do something externally to generate
three rules per known user (or known valid email address) on your
system: one indirect for the To, one indirect for the From, and a meta
to AND them. 

You could do it in sendmail.cf

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The yardstick you should use when considering whether to support a
  given piece of legislation is "what if my worst enemy is chosen to
  administer this law?"
-----------------------------------------------------------------------
 9 days until Bill of Rights day
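John's "three rules per known address" approach, as an added example that is not from the thread or from the SpamAssassin project: a Python generator that emits, for each address in a list, the To subrule, the From subrule and the meta that ANDs them, as local.cf text. The address list, the rule names and the 2.0 score are assumptions; the syntax (header ... To:addr =~ /.../, "__"-prefixed zero-score subrules, meta, describe, score) follows SpamAssassin 3.x configuration conventions.

```python
# Added example, not from the thread: generate "three rules per known address"
# (To subrule, From subrule, meta ANDing them) as SpamAssassin local.cf text.
# The address list, rule names and score are assumptions.
import re

# Constructed list standing in for the site's known valid addresses.
KNOWN_ADDRESSES = ["alice@example.com", "Bob@Example.com", "bob@example.com"]
SCORE = 2.0  # assumed: a contribution, not a tag-on-its-own score (legit self-mail exists)


def perl_quote(s):
    """Backslash every non-word char, like Perl's quotemeta, so the address is
    matched literally inside the /.../ that SpamAssassin compiles as a Perl regex."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", s)


def rule_suffix(addr):
    """Derive an uppercase identifier from the address for the rule names."""
    return re.sub(r"[^A-Za-z0-9]", "_", addr).upper()


def rules_for(addr):
    """The three rules for one address; '__' names are zero-score subrules in SA."""
    tag = rule_suffix(addr)
    literal = perl_quote(addr)
    return [
        f"header __LOCAL_TO_{tag} To:addr =~ /^{literal}$/i",
        f"header __LOCAL_FROM_{tag} From:addr =~ /^{literal}$/i",
        f"meta LOCAL_FROM_EQ_TO_{tag} (__LOCAL_FROM_{tag} && __LOCAL_TO_{tag})",
        f"describe LOCAL_FROM_EQ_TO_{tag} From and To are both {addr}",
        f"score LOCAL_FROM_EQ_TO_{tag} {SCORE:.1f}",
    ]


def generate_rules(addresses=KNOWN_ADDRESSES):
    """Full config text; addresses are lower-cased and de-duplicated first so a
    mixed-case duplicate does not produce a second, identically named rule set."""
    seen = []
    for addr in addresses:
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.append(addr)
    lines = ["# generated: flag mail whose From and To are the same known local address"]
    for addr in seen:
        lines.append("")
        lines.extend(rules_for(addr))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_rules(), end="")
```

Regenerate the file whenever the address list changes, drop it into the SpamAssassin site config directory, and run spamassassin --lint before reloading; as mouss points out elsewhere in the thread, mail to yourself and Bcc blasts also have From equal to To, which is why the meta here is given a modest score rather than a tagging one.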


Re: Spam slipping through

Posted by support <su...@buzzhost.co.uk>.
On Sat, 2008-12-06 at 11:48 -0800, John Hardin wrote:
> On Sat, 6 Dec 2008, Mike Cisar wrote:
> 
> > - the "from" always matches the "to" (so it always looks like it's coming
> >   from yourself)
> 
> Silly, basic question: have you whitelist_from'd yourself? Baaad idea.
> 
> SPF checks would catch that if you published SPF records for your domain. 
> If you know that mail from your domain will only ever originate at your 
> MTA, then you might do what I do: use milter-regex to reject at SMTP time 
> any mail inbound from the internet that claims to come from your domain.
> 
> http://www.impsec.org/~jhardin/antispam/
> 
I love these spoofing mails - they are ace. Idea? Well, if you have an
obliging server with NDRs on, it's win-win for the spammer. If it's
rejected and generates an NDR, the intended recipient still gets the
spam as an attachment in the NDR. Corking ;-)

Surely, by now, someone has come up with a simple regex rule or
something that matches if the to & from are the same? Is this too
obvious?



Re: Spam slipping through

Posted by John Hardin <jh...@impsec.org>.
On Sat, 6 Dec 2008, Mike Cisar wrote:

> - the "from" always matches the "to" (so it always looks like it's coming
>   from yourself)

Silly, basic question: have you whitelist_from'd yourself? Baaad idea.

SPF checks would catch that if you published SPF records for your domain. 
If you know that mail from your domain will only ever originate at your 
MTA, then you might do what I do: use milter-regex to reject at SMTP time 
any mail inbound from the internet that claims to come from your domain.

http://www.impsec.org/~jhardin/antispam/

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The yardstick you should use when considering whether to support a
   given piece of legislation is "what if my worst enemy is chosen to
   administer this law?"
-----------------------------------------------------------------------
  9 days until Bill of Rights day