Posted to users@spamassassin.apache.org by Sebastian Arcus <s....@open-t.co.uk> on 2018/04/02 12:06:07 UTC

FUZZY_XPILL FP hitting all Travelodge emails

I have a client which handles a lot of hotel bookings as part of their 
work - and all hotel booking confirmations coming from Travelodge (a UK 
hotel chain) hit FUZZY_XPILL.

I've tried looking at the regex of the rule, but can't quite get my head 
around what it is supposed to do, and can't figure out why it triggers 
on all the Travelodge emails either. Could anybody provide some hints - 
or have others seen this as well? I can provide some sample mail, if it 
helps. Thank you.

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by John Hardin <jh...@impsec.org>.
On Thu, 5 Apr 2018, Kris Deugau wrote:

> Alex wrote:
>
>> We're also seeing it hit mailer-daemon emails.
>> 
>> https://pastebin.com/raw/UXnzEN8U
>> 
>> This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
>> and when I re-ran it here locally, FUZZY_DR_OZ.
>> 
>> The problem is that it's hitting on the mime attachments which are
>> apparently treated as body text in mailer-daemon emails.
>> 
>> ran body rule FUZZY_AMBIEN ======> got hit: "GRm8iEn"
>> ran body rule __FUZZY_DR_OZ ======> got hit: "DGCGS+"
>> ran body rule FUZZY_XPILL ======> got hit: "xxgnoX"
>
> If you look closely I expect you'll find that those are "poorly formatted" 
> postmaster notices;  ie, any content from the original message is NOT 
> actually wrapped up in a separate MIME part, it's just another blob of text 
> stuffed in beside the actual postmaster notice info.

Even so, I'm surprised the Dr Oz rule hit *that*. I'll review it.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   At $8 billion per year, the TSA is the most expensive
   theatrical production in history.      -- David Burge @iowahawkblog
-----------------------------------------------------------------------
  8 days until Thomas Jefferson's 275th Birthday

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Kris Deugau <kd...@vianet.ca>.
Alex wrote:

> We're also seeing it hit mailer-daemon emails.
> 
> https://pastebin.com/raw/UXnzEN8U
> 
> This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
> and when I re-ran it here locally, FUZZY_DR_OZ.
> 
> The problem is that it's hitting on the mime attachments which are
> apparently treated as body text in mailer-daemon emails.
> 
> ran body rule FUZZY_AMBIEN ======> got hit: "GRm8iEn"
> ran body rule __FUZZY_DR_OZ ======> got hit: "DGCGS+"
> ran body rule FUZZY_XPILL ======> got hit: "xxgnoX"

If you look closely I expect you'll find that those are "poorly 
formatted" postmaster notices;  ie, any content from the original 
message is NOT actually wrapped up in a separate MIME part, it's just 
another blob of text stuffed in beside the actual postmaster notice info.

From the pastebin:

> Hi. This is the qmail-send program

... yep.  qmail is one of the MTAs that deliberately breaks MIME 
layering in its notices.

-kgd
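
The layering problem Kris describes, as an added illustration (not code from the thread or from SpamAssassin): two constructed bounce notices, one that wraps the returned message in a message/rfc822 part and one, in the style attributed to qmail-send above, that pastes the original message and its base64 attachment into the notice as plain text. The helper shows which text a body rule would end up scanning in each case and flags the base64 runs that fuzzy word rules can mis-hit on. The bounces, addresses and attachment bytes are all constructed samples.

```python
"""Why a body rule can hit a bounce's attachment: a constructed illustration.

Added example, not code from the thread or from SpamAssassin.  Two bounce
notices are built inline (constructed samples, not the pastebin from the
thread).  BOUNCE_LAYERED carries the returned message in a message/rfc822
sub-part; BOUNCE_FLAT, in the style the thread attributes to qmail-send,
pastes the original message and its base64 attachment into the notice as one
text/plain blob.  body_text_seen_by_rules() returns roughly the text a body
rule would scan under each layout, and base64_runs() flags the long
base64-looking tokens that a fuzzy word rule can mis-hit on.
"""
import re
from email import message_from_string
from typing import List

# Constructed base64 payload (a 1x1 GIF), standing in for a real attachment.
ATTACHMENT_B64 = "R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="

# Bounce 1: original message carried in a message/rfc822 sub-part.
BOUNCE_LAYERED = f"""\
From: MAILER-DAEMON@example.invalid
To: sender@example.invalid
Subject: failure notice
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/rfc822

From: sender@example.invalid
Subject: Booking confirmation
Content-Type: image/gif
Content-Transfer-Encoding: base64

{ATTACHMENT_B64}
--b1--
"""

# Bounce 2: everything pasted into one text/plain body (constructed).
BOUNCE_FLAT = f"""\
From: MAILER-DAEMON@example.invalid
To: sender@example.invalid
Subject: failure notice
Content-Type: text/plain

Hi. This is the qmail-send program at mail.example.invalid.
I'm afraid I wasn't able to deliver your message to the following addresses.

--- Below this line is a copy of the message.

From: sender@example.invalid
Subject: Booking confirmation
Content-Type: image/gif
Content-Transfer-Encoding: base64

{ATTACHMENT_B64}
"""

# Long unbroken runs of the base64 alphabet: the material fuzzy rules mis-hit on.
B64_RUN = re.compile(r"\b[A-Za-z0-9+/]{20,}={0,2}")


def body_text_seen_by_rules(raw: str) -> str:
    """Concatenate the decoded text/* leaf parts of a message.

    Simplification, not SpamAssassin's own rendering: every text/* leaf is
    scanned; non-text leaves such as image/gif and the message/rfc822
    container are skipped, which is why the layered bounce hides its base64.
    """
    msg = message_from_string(raw)
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def base64_runs(text: str) -> List[str]:
    """Return the base64-looking tokens present in body text."""
    return B64_RUN.findall(text)


if __name__ == "__main__":
    for name, raw in (("layered", BOUNCE_LAYERED), ("flat", BOUNCE_FLAT)):
        runs = base64_runs(body_text_seen_by_rules(raw))
        print(f"{name}: {len(runs)} base64 blob(s) exposed to body rules")
```

Running it reports no exposed blob for the layered bounce and one for the flat bounce; the same check over a suspect bounce is a quick way to confirm that a "hit" string like `GRm8iEn` came from encoded attachment data rather than from prose.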

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Alex <my...@gmail.com>.
Hi,

On Mon, Apr 2, 2018 at 8:10 AM, Kevin A. McGrail <km...@apache.org> wrote:
> Pastebin a sample(s).

We're also seeing it hit mailer-daemon emails.

https://pastebin.com/raw/UXnzEN8U

This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
and when I re-ran it here locally, FUZZY_DR_OZ.

The problem is that it's hitting on the mime attachments which are
apparently treated as body text in mailer-daemon emails.

ran body rule FUZZY_AMBIEN ======> got hit: "GRm8iEn"
ran body rule __FUZZY_DR_OZ ======> got hit: "DGCGS+"
ran body rule FUZZY_XPILL ======> got hit: "xxgnoX"

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Giles Coochey <gi...@coochey.net>.
>>> It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"
>>>
>>> It's an aggressive rule that finds anything that might be an
>>> obfuscated Xanax. It only scores 0.8 points because it can produce FPs
>>> like this.
>>
>> Actually that is my private, custom score. I think the default is 2.8 
>> or something like that.
>
> *@travelodge.co.uk emails should be scoring much lower in SA around 
> the Internet running sa-update regularly as long as there is an 
> SPF_PASS and/or DKIM_VALID_AU hits.
>
> Setup OpenDKIM and DKIM signing on those outbound emails for even 
> better delivery results.  This applies to any domain.
>
> I highly recommend setting up DMARC reporting to everyone out there to 
> get feedback on your SPF and DKIM results.  It can be very interesting 
> to see who is trying to spoof your domain and who is auto-forwarding 
> your emails.
>
I stay at Travelodge regularly. It doesn't hit their marketing emails, 
but Booking Confirmations and Invoices come out with the following for me:

X-Spam-Status: No, score=1.3 required=5.0 tests=AWL,BAYES_00,FUZZY_XPILL,
	HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,T_FILL_THIS_FORM_SHORT,
	T_RP_MATCHES_RCVD autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report:
	* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
	*      domain
	*  2.8 FUZZY_XPILL BODY: Attempt to obfuscate words in spam
	*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
	*       background
	*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
	*      information
	* -0.3 AWL AWL: Adjusted score from AWL reputation of From: address

It is still quite a way off before it could be considered SPAM.


Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by David Jones <dj...@ena.com>.
On 04/02/2018 09:50 AM, Sebastian Arcus wrote:
> 
> On 02/04/18 14:58, RW wrote:
>> On Mon, 2 Apr 2018 08:26:27 -0500
>> David Jones wrote:
>>
>>> On 04/02/2018 07:18 AM, Sebastian Arcus wrote:
>>>> Thank you - one example here: https://pastebin.com/UGStfCys
>>
>> It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"
>>
>> It's an aggressive rule that finds anything that might be an
>> obfuscated Xanax. It only scores 0.8 points because it can produce FPs
>> like this.
> 
> Actually that is my private, custom score. I think the default is 2.8 or 
> something like that.

*@travelodge.co.uk emails should be scoring much lower in SA around the 
Internet running sa-update regularly as long as there are SPF_PASS 
and/or DKIM_VALID_AU hits.

Set up OpenDKIM and DKIM signing on those outbound emails for even better 
delivery results.  This applies to any domain.

I highly recommend setting up DMARC reporting to everyone out there to 
get feedback on your SPF and DKIM results.  It can be very interesting 
to see who is trying to spoof your domain and who is auto-forwarding 
your emails.

-- 
David Jones
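
The headers Giles posted earlier in the thread and the SPF/DKIM condition David describes here, worked through as an added example (not SpamAssassin code): the script unfolds the quoted `X-Spam-Status`, reads the per-rule contributions out of the quoted `X-Spam-Report`, ranks the rules pushing the score up (the first place to look for a false positive), checks that the contributions add up to the reported total, and mirrors the `def_whitelist_auth` gate as a plain boolean: sender matches the pattern and `SPF_PASS` or `DKIM_VALID_AU` fired. The header text is the thread's; the sender addresses passed to the gate are constructed.

```python
"""Rank the rules in a SpamAssassin X-Spam-Report and check the auth gate.

Added example, not SpamAssassin code.  The two headers below are the ones
quoted in the thread, kept in their folded form.  parse_status() unfolds
X-Spam-Status and pulls out score, threshold and the tests list; rule_scores()
reads the per-rule contributions from X-Spam-Report; top_positive() ranks the
rules pushing the score up; auth_whitelist_applies() mirrors the condition
described in the thread for def_whitelist_auth (sender matches the pattern
and SPF_PASS or DKIM_VALID_AU fired) as a boolean, not SA's own scoring.
"""
import re
from fnmatch import fnmatch
from typing import Dict, List, Tuple

STATUS_HEADER = (
    "X-Spam-Status: No, score=1.3 required=5.0 tests=AWL,BAYES_00,FUZZY_XPILL,\n"
    "\tHTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,T_FILL_THIS_FORM_SHORT,\n"
    "\tT_RP_MATCHES_RCVD autolearn=no autolearn_force=no version=3.4.1"
)

REPORT_HEADER = """\
X-Spam-Report:
\t* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
\t*      domain
\t*  2.8 FUZZY_XPILL BODY: Attempt to obfuscate words in spam
\t*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
\t*       background
\t*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
\t* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
\t*      [score: 0.0000]
\t*  0.0 HTML_MESSAGE BODY: HTML included in message
\t*  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
\t*      information
\t* -0.3 AWL AWL: Adjusted score from AWL reputation of From: address
"""

STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=([\d.]+)\s+tests=(\S*)")
# A rule line starts with "*", a signed score and the rule name; continuation
# lines ("*      domain") carry no number and are skipped.
REPORT_LINE_RE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\b")


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines (line break followed by WSP)."""
    return re.sub(r"\r?\n[ \t]+", "", header)


def parse_status(header: str) -> Tuple[float, float, List[str]]:
    """Return (score, required threshold, list of tests that fired)."""
    m = STATUS_RE.search(unfold(header))
    if m is None:
        raise ValueError("not an X-Spam-Status header")
    tests = [t for t in m.group(3).split(",") if t]
    return float(m.group(1)), float(m.group(2)), tests


def rule_scores(report: str) -> Dict[str, float]:
    """Map rule name -> score contribution from the X-Spam-Report lines."""
    scores: Dict[str, float] = {}
    for line in report.splitlines():
        m = REPORT_LINE_RE.match(line)
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores


def top_positive(scores: Dict[str, float], n: int = 3) -> List[Tuple[str, float]]:
    """Rules adding the most to the score, highest first."""
    positive = [(rule, s) for rule, s in scores.items() if s > 0]
    return sorted(positive, key=lambda rs: -rs[1])[:n]


def report_matches_status(status: str, report: str) -> bool:
    """Sanity check: per-rule contributions should sum to the reported total."""
    score, _, _ = parse_status(status)
    return abs(sum(rule_scores(report).values()) - score) < 0.05


AUTH_TESTS = {"SPF_PASS", "DKIM_VALID_AU"}


def auth_whitelist_applies(sender: str, tests: List[str],
                           pattern: str = "*@travelodge.co.uk") -> bool:
    """The condition the thread gives for def_whitelist_auth (illustrative)."""
    return fnmatch(sender.lower(), pattern.lower()) and bool(AUTH_TESTS & set(tests))


if __name__ == "__main__":
    score, required, tests = parse_status(STATUS_HEADER)
    print(f"score {score} / {required}; top rules: {top_positive(rule_scores(REPORT_HEADER))}")
    print("auth whitelist would apply:", auth_whitelist_applies("bookings@travelodge.co.uk", tests))
```

On the thread's own header neither `SPF_PASS` nor `DKIM_VALID_AU` is in the tests list, so the gate returns False for a travelodge.co.uk sender; it flips to True once either authentication test is present, which is the point David makes about the whitelist entry only helping authenticated mail.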

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 02/04/18 14:58, RW wrote:
> On Mon, 2 Apr 2018 08:26:27 -0500
> David Jones wrote:
> 
>> On 04/02/2018 07:18 AM, Sebastian Arcus wrote:
>>> Thank you - one example here: https://pastebin.com/UGStfCys
> 
> It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"
> 
> It's an aggressive rule that finds anything that might be an
> obfuscated Xanax. It only scores 0.8 points because it can produce FPs
> like this.

Actually that is my private, custom score. I think the default is 2.8 or 
something like that.

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by RW <rw...@googlemail.com>.
On Mon, 2 Apr 2018 08:26:27 -0500
David Jones wrote:

> On 04/02/2018 07:18 AM, Sebastian Arcus wrote:
> > Thank you - one example here: https://pastebin.com/UGStfCys

It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"

It's an aggressive rule that finds anything that might be an
obfuscated Xanax. It only scores 0.8 points because it can produce FPs
like this.
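
How a fuzzy obfuscation pattern ends up matching the tail of a UK address, as an added illustration. The two regexes below are constructed for this example and are not SpamAssassin's FUZZY_XPILL rule, whose regex the thread does not reproduce; they only reproduce the shape of the failure RW describes (letter substitution plus permissive separators) and a tightened variant, evaluated over a small constructed corpus so the precision/recall trade-off is visible.

```python
"""Why a fuzzy word-obfuscation pattern hits "Oxon, OX9": a constructed demo.

Added example; the two regexes are constructed for illustration and are NOT
SpamAssassin's FUZZY_XPILL rule, whose regex the thread does not reproduce.
LOOSE allows any run of non-word characters between letters and lets a/o/0
stand in for each other, which is what makes it fire on the tail of a UK
address.  TIGHT permits at most one separator from a small set between
letters and anchors the match at word boundaries.  evaluate() runs a pattern
over a small labelled corpus (constructed) and counts hits, false positives
and misses.
"""
import re
from typing import Dict, List, Optional, Tuple

# Permissive: any non-word run between letters, a/o/0 interchangeable.
LOOSE = re.compile(r"x\W*[ao0]\W*n\W*[ao0]\W*x", re.I)

# Stricter: at most one separator (space . _ -) per gap, whole-token only.
TIGHT = re.compile(r"\bx[\s._-]?[ao0][\s._-]?n[\s._-]?[ao0][\s._-]?x\b", re.I)

# Constructed corpus: (text, should_hit).  The first item is the address
# fragment the thread reports as the cause of the false positive.
SAMPLES: List[Tuple[str, bool]] = [
    ("Aylesbury Road, Thame, Oxon, OX9 3AT", False),
    ("Saxon Oxford rooms available", False),
    ("Lunch at noon in Oxford", False),
    ("Buy x-a-n-a-x online", True),
    ("get X.A.N.A.X now", True),
    ("x,a,n,a,x", True),
]


def first_hit(pattern: re.Pattern, text: str) -> Optional[str]:
    """The substring the rule would report as 'got hit', or None."""
    m = pattern.search(text)
    return m.group(0) if m else None


def evaluate(pattern: re.Pattern, samples=SAMPLES) -> Dict[str, int]:
    """Count true positives, false positives and misses over the corpus."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for text, should_hit in samples:
        hit = first_hit(pattern, text) is not None
        if hit and should_hit:
            counts["tp"] += 1
        elif hit and not should_hit:
            counts["fp"] += 1
        elif should_hit and not hit:
            counts["fn"] += 1
    return counts


if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, evaluate(pat), "address hit:", first_hit(pat, SAMPLES[0][0]))
```

LOOSE reports exactly the `"xon, OX"` fragment from the debug output above and also fires on "Saxon Oxford"; TIGHT clears both false positives but stops catching the comma-separated variant, which is the kind of trade-off behind keeping such a rule's score modest rather than making it precise.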


Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 02/04/18 14:26, David Jones wrote:
> On 04/02/2018 07:18 AM, Sebastian Arcus wrote:
>> Thank you - one example here: https://pastebin.com/UGStfCys
>>
>>
>> On 02/04/18 13:10, Kevin A. McGrail wrote:
>>> Pastebin a sample(s).
>>>
>>> On Mon, Apr 2, 2018, 08:06 Sebastian Arcus <s.arcus@open-t.co.uk 
>>> <ma...@open-t.co.uk>> wrote:
>>>
>>>     I have a client which handles a lot of hotel bookings as part of 
>>> their
>>>     work - and all hotel booking confirmations coming from Travelodge 
>>> (a UK
>>>     hotel chain) hit FUZZY_XPILL.
>>>
>>>     I've tried looking at the regex of the rule, but can't quite get 
>>> my head
>>>     around what it is supposed to do, and can't figure out why it 
>>> triggers
>>>     on all the Travelodge emails either. Could anybody provide some 
>>> hints -
>>>     or have others seen this as well? I can provide some sample mail, 
>>> if it
>>>     helps. Thank you.
>>>
> 
> I have added an entry to 60_whitelist_auth.cf to help with this in all 
> SA instances that run sa-update regularly.  This will be out there in a 
> couple of days trusting email from that sender when there is an SPF_PASS 
> or DKIM_VALID_AU hit.
> 
> def_whitelist_auth *@travelodge.co.uk
> 
> These emails from Travelodge are important enough to be DKIM signed as 
> well for http://dkimwl.org which I would eventually like to get added to 
> the default SA ruleset.

Thank you very much for the fix and for the quick replies.

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by David Jones <dj...@ena.com>.
On 04/02/2018 07:18 AM, Sebastian Arcus wrote:
> Thank you - one example here: https://pastebin.com/UGStfCys
> 
> 
> On 02/04/18 13:10, Kevin A. McGrail wrote:
>> Pastebin a sample(s).
>>
>> On Mon, Apr 2, 2018, 08:06 Sebastian Arcus <s.arcus@open-t.co.uk 
>> <ma...@open-t.co.uk>> wrote:
>>
>>     I have a client which handles a lot of hotel bookings as part of 
>> their
>>     work - and all hotel booking confirmations coming from Travelodge 
>> (a UK
>>     hotel chain) hit FUZZY_XPILL.
>>
>>     I've tried looking at the regex of the rule, but can't quite get 
>> my head
>>     around what it is supposed to do, and can't figure out why it 
>> triggers
>>     on all the Travelodge emails either. Could anybody provide some 
>> hints -
>>     or have others seen this as well? I can provide some sample mail, 
>> if it
>>     helps. Thank you.
>>

I have added an entry to 60_whitelist_auth.cf to help with this in all 
SA instances that run sa-update regularly.  This will be out there in a 
couple of days trusting email from that sender when there is an SPF_PASS 
or DKIM_VALID_AU hit.

def_whitelist_auth *@travelodge.co.uk

These emails from Travelodge are important enough to be DKIM signed as 
well for http://dkimwl.org which I would eventually like to get added to 
the default SA ruleset.

-- 
David Jones

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 02/04/18 13:35, Pedro David Marco wrote:
> Sebastian,
> 
> can you run
> 
> spamassassin -D -t </youremail.eml 2>&1 | grep got | grep FUZZY_XPILL
> 
> 
> and post the result, please?


Hi Pedro. Please find the output below:

Apr  2 15:45:59.961 [6928] dbg: rules: ran body rule FUZZY_XPILL ======> 
got hit: "xon, OX"

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Pedro David Marco <pe...@yahoo.com>.
Sebastian,
can you run
spamassassin -D -t </youremail.eml 2>&1 | grep got | grep  FUZZY_XPILL

and post the result, please?

----PedroD

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by Sebastian Arcus <s....@open-t.co.uk>.
Thank you - one example here: https://pastebin.com/UGStfCys


On 02/04/18 13:10, Kevin A. McGrail wrote:
> Pastebin a sample(s).
> 
> On Mon, Apr 2, 2018, 08:06 Sebastian Arcus <s.arcus@open-t.co.uk 
> <ma...@open-t.co.uk>> wrote:
> 
>     I have a client which handles a lot of hotel bookings as part of their
>     work - and all hotel booking confirmations coming from Travelodge (a UK
>     hotel chain) hit FUZZY_XPILL.
> 
>     I've tried looking at the regex of the rule, but can't quite get my head
>     around what it is supposed to do, and can't figure out why it triggers
>     on all the Travelodge emails either. Could anybody provide some hints -
>     or have others seen this as well? I can provide some sample mail, if it
>     helps. Thank you.
> 

Re: FUZZY_XPILL FP hitting all Travelodge emails

Posted by "Kevin A. McGrail" <km...@apache.org>.
Pastebin a sample(s).

On Mon, Apr 2, 2018, 08:06 Sebastian Arcus <s....@open-t.co.uk> wrote:

> I have a client which handles a lot of hotel bookings as part of their
> work - and all hotel booking confirmations coming from Travelodge (a UK
> hotel chain) hit FUZZY_XPILL.
>
> I've tried looking at the regex of the rule, but can't quite get my head
> around what it is supposed to do, and can't figure out why it triggers
> on all the Travelodge emails either. Could anybody provide some hints -
> or have others seen this as well? I can provide some sample mail, if it
> helps. Thank you.
>