Posted to users@spamassassin.apache.org by Jeremy Morton <ad...@game-point.net> on 2009/06/21 12:04:03 UTC
A difficult one to weed out?
OK, so I just got one of those www medsXX com spams, and even though it
hit my rule and got 2.0 added to it, it still didn't even get over 3
points. Looks like it was sent from quite a legit host. What rules do
other people get matching for this e-mail?
http://pastebin.com/m3b9629b6
Best regards,
Jeremy Morton (Jez)
Re: A difficult one to weed out?
Posted by John Wilcock <jo...@tradoc.fr>.
On 21/06/2009 12:04, Jeremy Morton wrote:
> OK, so I just got one of those www medsXX com spams, and even though it
> hit my rule and got 2.0 added to it, it still didn't even get over 3
> points. Looks like it was sent from quite a legit host. What rules do
> other people get matching for this e-mail?
>
> http://pastebin.com/m3b9629b6
To add to other suggestions, this also hits a useful meta rule I've been
trying recently (both the subrules are in standard SA 3.2.5):
meta RDNS_NONE_DIRECT_MX (__DOS_DIRECT_TO_MX && RDNS_NONE)
This may get an occasional FP from senders with poorly configured
servers (or temporary DNS problems), so don't score it too high.
John.
--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
Re: A difficult one to weed out?
Posted by Cedric Knight <ce...@gn.apc.org>.
Jeremy Morton wrote:
> OK, so I just got one of those www medsXX com spams, and even though it
> hit my rule and got 2.0 added to it, it still didn't even get over 3
> points. Looks like it was sent from quite a legit host. What rules do
> other people get matching for this e-mail?
>
> http://pastebin.com/m3b9629b6
The IP and hashes score 21.8 for me.
Besides the standard DCC_CHECK, I'm getting hits on the following
non-standard RBLs:
190.244.172.161 listed in hostkarma.junkemailfilter.com
190.244.172.161 listed in uceprotect-level2.dnsbl
190.244.172.161 listed in bb.barracudacentral.org
190.244.172.161 listed in ix.dnsbl.manitu.net
iXhash found @ ix.dnsbl.manitu.net
Maybe you had a DNS problem when it went through, or you were unlucky
enough to be first on the spammer's list.
Here's a (somewhat unreadable) rule I wrote that doesn't have a great
spam ratio on its own, but can be useful in botnet meta rules:
header NOMATCH_NICK_FROM From =~
/^"?(([A-Z])[a-z][a-z])\w*(?:\s(?:(([A-Z])[a-z][a-z])\w*\s|([A-Z])\.?\s)?(([A-Z])[a-z][a-z])\w*)?"?\s*<(?![a-zA-Z1-9\.\-]*(?:\1|\3|\6))(?!.?\2(?:\4|\5)?.?\7).*?\@(?!.?\2-?(?:\4)?\-?\7)(?![a-zA-Z1-9\.\-]*(?:\1|\3|\6))(?!postmaster\@)(?!mailer-daemon\@)/i
describe NOMATCH_NICK_FROM From address with no part of name
score NOMATCH_NICK_FROM 1.0
The idea is to catch random real names attached to random valid email
addresses.
HTH
CK
Re: A difficult one to weed out?
Posted by Anthony Peacock <a....@chime.ucl.ac.uk>.
Jeremy Morton wrote:
> OK, so I just got one of those www medsXX com spams, and even though it
> hit my rule and got 2.0 added to it, it still didn't even get over 3
> points. Looks like it was sent from quite a legit host. What rules do
> other people get matching for this e-mail?
>
> http://pastebin.com/m3b9629b6
Content analysis details: (7.8 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[190.244.172.161 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
0.1 BOTNET_BADDNS Relay doesn't have full circle DNS
[botnet_baddns,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar]
1.5 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar,baddns,client,ipinhostname]
0.1 BOTNET_IPINHOSTNAME Hostname contains its own IP address
[botnet_ipinhosntame,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar]
0.1 BOTNET_CLIENT Relay has a client-like hostname
[botnet_client,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar,ipinhostname]
0.5 CTYME_IXHASH BODY: BiXhash found @ ctyme.ixhash.ne
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5555]
0.5 GENERIC_IXHASH BODY: iXhash found @ generic.ixhash.net
0.5 NIXSPAM_IXHASH BODY: iXhash found @ ix.dnsbl.manitu.net
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.1 RDNS_NONE Delivered to trusted network by a host with
no rDNS
--
Anthony Peacock
CHIME, UCL Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/
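As an added illustration of what the RCVD_IN_XBL / RCVD_IN_PBL lines in the report above mean (this is example code, not part of the thread and not SpamAssassin's own implementation): a DNSBL lookup reverses the relay's octets, appends the zone, and reads which sub-list matched from the 127.0.0.x answer. The return-code table is Spamhaus's documented zen encoding; the stub resolver and its answers for the thread's IP are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# zen.spamhaus.org combines SBL, CSS, XBL and PBL and signals the matching
# list in the last octet of the answer (per Spamhaus documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")  # query errors, not listings

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: octets reversed, DNSBL zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def live_resolver(name: str) -> List[str]:
    """Real DNS lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed answers for the IP discussed in the thread (listed in XBL and PBL).
SAMPLE_ANSWERS = {"161.172.244.190.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"]}

def stub_resolver(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])

def zen_lists(ip: str, resolve: Callable[[str], List[str]] = stub_resolver) -> List[str]:
    """Return the zen sub-lists that flag `ip`; an empty list means not listed."""
    hits: List[str] = []
    for answer in resolve(dnsbl_query_name(ip, "zen.spamhaus.org")):
        a = ipaddress.IPv4Address(answer)
        # A non-loopback answer (wildcard DNS, captive portal) or an error
        # sentinel must never be counted as a listing.
        if a not in LOOPBACK or a in ERROR_CODES:
            continue
        label = ZEN_CODES.get(answer, "unknown:" + answer)
        if label not in hits:
            hits.append(label)
    return hits

def sa_rule_hits(ip: str, resolve: Callable[[str], List[str]] = stub_resolver) -> Dict[str, bool]:
    """Map zen sub-list hits onto the SpamAssassin rule names seen in the report."""
    lists = zen_lists(ip, resolve)
    return {"RCVD_IN_SBL": any(l.startswith("SBL") for l in lists),
            "RCVD_IN_XBL": "XBL" in lists, "RCVD_IN_PBL": "PBL" in lists}
```

Pass `live_resolver` instead of the stub to query the real zone (subject to Spamhaus's usage terms); results for the thread's IP will of course differ from the 2009 listing.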
Re: A difficult one to weed out?
Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sun, 2009-06-21 at 13:35 +0200, Benny Pedersen wrote:
> On Sun, June 21, 2009 13:23, Jeremy Morton wrote:
> > My SpamAssassin apparently isn't checking this blocklist; how do I get
> > it to?
>
> CBL is part of zen.spamhaus.org, but some IPs are not in sync that fast, so
> check CBL at the MTA level; this can be done in Exim too
>
> http://cbl.abuseat.org/faq.html
>
Two approaches jump out here:
1. 190.244.172.161 listed in PBL (SPAMHAUS)
I can't speak highly enough of the much underrated PBL. Don't even let
PBL-listed IPs waste your time connecting. Knock them out on your MTA
before SA has to look at them.
[START RANT] Time and time again ranges you would expect to see on sorbs
are 'out of scope' or just plain missed. (That is one rubbish bl IMHO)
[END RANT]
It is now listed with all of these but I suspect some or all may have
been reactive.
190.244.172.161 listed in b.barracudacentral.org.
190.244.172.161 listed in XBL NJABL
190.244.172.161 listed in cbl.abuseat.org.
190.244.172.161 listed in bl.spamcannibal.org.
190.244.172.161 listed in ix.dnsbl.manitu.net.
2. helo=xwrfsfo.fibertel.com.ar - how much legitimate mail are you
expecting from Argentina? If you were to find a customer or contact out
there, would you ship there?
Re: A difficult one to weed out?
Posted by Benny Pedersen <me...@junc.org>.
On Sun, June 21, 2009 13:23, Jeremy Morton wrote:
> My SpamAssassin apparently isn't checking this blocklist; how do I get
> it to?
CBL is part of zen.spamhaus.org, but some IPs are not in sync that fast, so
check CBL at the MTA level; this can be done in Exim too
http://cbl.abuseat.org/faq.html
--
xpoint
Re: A difficult one to weed out?
Posted by Roger Marquis <ma...@roble.com>.
LuKreme wrote:
>> <PLUG>PostConf http://www.postconf.com for example.</PLUG>
>
> Looks interesting, but not FreeBSD demo :/
Waiting only for a postfix port with an "overwrites-base" option.
The code itself works with any postfix home directory.
Roger Marquis
Re: A difficult one to weed out?
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 25, 2009 11:08, LuKreme wrote:
> On 24-Jun-2009, at 08:20, Roger Marquis wrote:
>> <PLUG>PostConf http://www.postconf.com for example.</PLUG>
> Looks interesting, but not FreeBSD demo :/
Yes, FreeBSD does not have the above problem :)
--
xpoint
Re: A difficult one to weed out?
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 25, 2009 11:22, richard@buzzhost.co.uk wrote:
> On Thu, 2009-06-25 at 03:08 -0600, LuKreme wrote:
>> On 24-Jun-2009, at 08:20, Roger Marquis wrote:
>> > <PLUG>PostConf http://www.postconf.com for example.</PLUG>
>> Looks interesting, but not FreeBSD demo :/
> Webmin?
> http://www.webmin.com/
I remember one time I had a shorewall/webmin combo that worked nicely in some
versions, but the webmin devs gave up on shorewall; too much changed in each
version of shorewall lately.
So my point: make sure both are stable before use and that it does not
screw up your hobby :)
--
xpoint
Re: A difficult one to weed out?
Posted by LuKreme <kr...@kreme.com>.
On 25-Jun-2009, at 06:51, Benny Pedersen wrote:
> On Thu, June 25, 2009 12:14, LuKreme wrote:
>> I've used webmin, and have it installed. It is not luser friendly
>> though.
>
> http://www.webmin.com/index6.html usermin is for you then :)
Yeah, I was counting usermin as part of webmin. Just because it's
named "user" doesn't mean it's luser friendly. OTOH, it's been a
couple of years, I can look at it again.
--
Love seekest only self to please, To bind another to its delight
Joys in another's loss of ease And builds a hell in Heaven's
despite!
Re: A difficult one to weed out?
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 25, 2009 12:14, LuKreme wrote:
> I've used webmin, and have it installed. It is not luser friendly
> though.
http://www.webmin.com/index6.html usermin is for you then :)
--
xpoint
Re: A difficult one to weed out?
Posted by LuKreme <kr...@kreme.com>.
On 25-Jun-2009, at 03:22, richard@buzzhost.co.uk wrote:
> On Thu, 2009-06-25 at 03:08 -0600, LuKreme wrote:
>> On 24-Jun-2009, at 08:20, Roger Marquis wrote:
>>> <PLUG>PostConf http://www.postconf.com for example.</PLUG>
>>
>> Looks interesting, but not FreeBSD demo :/
>>
> Webmin?
>
> http://www.webmin.com/
I've used webmin, and have it installed. It is not luser friendly
though.
--
Strange things are afoot at the Circle K
Re: A difficult one to weed out?
Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Thu, 2009-06-25 at 03:08 -0600, LuKreme wrote:
> On 24-Jun-2009, at 08:20, Roger Marquis wrote:
> > <PLUG>PostConf http://www.postconf.com for example.</PLUG>
>
>
> Looks interesting, but not FreeBSD demo :/
>
Webmin?
http://www.webmin.com/
Re: A difficult one to weed out?
Posted by LuKreme <kr...@kreme.com>.
On 24-Jun-2009, at 08:20, Roger Marquis wrote:
> <PLUG>PostConf http://www.postconf.com for example.</PLUG>
Looks interesting, but not FreeBSD demo :/
--
There is no Humpty Dumpty, and there is no God. None, not
one, no God, never was.
Re: A difficult one to weed out?
Posted by Roger Marquis <ma...@roble.com>.
Jeremy Morton wrote:
> ... cPanel... or any web-based server config software, for that
> matter. They (unsurprisingly) allow you to do a bunch of basic
> stuff much more easily, but anything as complex as a DNSBL and
> you're back to the command line (sometimes with hacks)...
DNSBLs aren't that complex, and some web front-ends implement them, for
RBLs and RHSBLs, in block or warn-only modes, and generate reports based on
the results. <PLUG>PostConf http://www.postconf.com for example.</PLUG>
Roger Marquis
Re: A difficult one to weed out?
Posted by Jeremy Morton <ad...@game-point.net>.
John Hardin wrote:
> On Mon, 22 Jun 2009, Jeremy Morton wrote:
>
>> John Hardin wrote:
>>> On Sun, 21 Jun 2009, Jeremy Morton wrote:
>>>
>>> > My SpamAssassin apparently isn't checking this blocklist; how do I get
>>> > it to?
>>>
>>> Another highly-regarded DNSBL that listed that IP is zen.spamhaus.org,
>>> which includes the cbl feed. A lot of people trust zen enough to use it
>>> at the MTA level as a hard reject list.
>>
>> Hmm, but if one has an MTA that is arcanely hard to configure (*ahem*
>> Exim) and whose config files keep getting overwritten by cPanel
>> anyway, might a reasonable (if more CPU-costly) alternative to doing
>> that be to set something like 'score RCVD_IN_PBL 10.00'?
>
> While "poison-pill" rules in SA are _generally_ a bad idea, doing this -
> after careful consideration - is reasonable.
>
> I find it surprising that cPanel's MTA configuration system gives you no
> way to specify a DNSBL. This is a professional, commercial server
> management tool? (disclaimer: I have no experience with cPanel apart
> from what I hear here...)
You've obviously never used cPanel... or any web-based server config
software, for that matter. They (unsurprisingly) allow you to do a
bunch of basic stuff much more easily, but anything as complex as a
DNSBL and you're back to the command line (sometimes with hacks)... for
example, http://forums.serverbeach.com/archive/index.php/t-2071.html
Best regards,
Jeremy Morton (Jez)
Re: A difficult one to weed out?
Posted by John Hardin <jh...@impsec.org>.
On Mon, 22 Jun 2009, Jeremy Morton wrote:
> John Hardin wrote:
>> On Sun, 21 Jun 2009, Jeremy Morton wrote:
>>
>> > My SpamAssassin apparently isn't checking this blocklist; how do I get
>> > it to?
>>
>> Another highly-regarded DNSBL that listed that IP is zen.spamhaus.org,
>> which includes the cbl feed. A lot of people trust zen enough to use it
>> at the MTA level as a hard reject list.
>
> Hmm, but if one has an MTA that is arcanely hard to configure (*ahem*
> Exim) and whose config files keep getting overwritten by cPanel anyway,
> might a reasonable (if more CPU-costly) alternative to doing that be to
> set something like 'score RCVD_IN_PBL 10.00'?
While "poison-pill" rules in SA are _generally_ a bad idea, doing this -
after careful consideration - is reasonable.
I find it surprising that cPanel's MTA configuration system gives you no
way to specify a DNSBL. This is a professional, commercial server
management tool? (disclaimer: I have no experience with cPanel apart from
what I hear here...)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men by their constitutions are naturally divided in to two parties:
1. Those who fear and distrust the people and wish to draw all
powers from them into the hands of the higher classes. 2. Those who
identify themselves with the people, have confidence in them,
cherish and consider them as the most honest and safe, although not
the most wise, depository of the public interests.
-- Thomas Jefferson
-----------------------------------------------------------------------
12 days until the 233rd anniversary of the Declaration of Independence
Re: A difficult one to weed out?
Posted by Jeremy Morton <ad...@game-point.net>.
John Hardin wrote:
> On Sun, 21 Jun 2009, Jeremy Morton wrote:
>
>> My SpamAssassin apparently isn't checking this blocklist; how do I get
>> it to?
>
> Another highly-regarded DNSBL that listed that IP is zen.spamhaus.org,
> which includes the cbl feed. A lot of people trust zen enough to use it
> at the MTA level as a hard reject list.
Hmm, but if one has an MTA that is arcanely hard to configure (*ahem*
Exim) and whose config files keep getting overwritten by cPanel anyway,
might a reasonable (if more CPU-costly) alternative to doing that be to
set something like 'score RCVD_IN_PBL 10.00'?
Best regards,
Jeremy Morton (Jez)
Re: A difficult one to weed out?
Posted by LuKreme <kr...@kreme.com>.
On Jun 21, 2009, at 11:07, John Hardin <jh...@impsec.org> wrote:
> Another highly-regarded DNSBL that listed that IP is
> zen.spamhaus.org, which includes the cbl feed. A lot of people trust
> zen enough to use it at the MTA level as a hard reject list.
Exactly. Using zen as a rejection at SMTP transaction saves on massive
amounts of overhead. I can imagine running a server without it.
--
Sent from my Bluetooth enabled iTouch.
Re: A difficult one to weed out?
Posted by John Hardin <jh...@impsec.org>.
On Sun, 21 Jun 2009, Jeremy Morton wrote:
> My SpamAssassin apparently isn't checking this blocklist; how do I get it to?
Another highly-regarded DNSBL that listed that IP is zen.spamhaus.org,
which includes the cbl feed. A lot of people trust zen enough to use it at
the MTA level as a hard reject list.
> Benny Pedersen wrote:
>> On Sun, June 21, 2009 12:04, Jeremy Morton wrote:
>>
>> > http://pastebin.com/m3b9629b6
>>
>> http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Users mistake widespread adoption of Microsoft Office for the
development of a document format standard.
-----------------------------------------------------------------------
13 days until the 233rd anniversary of the Declaration of Independence
Re: A difficult one to weed out?
Posted by Jeremy Morton <ad...@game-point.net>.
My SpamAssassin apparently isn't checking this blocklist; how do I get
it to?
Best regards,
Jeremy Morton (Jez)
Benny Pedersen wrote:
> On Sun, June 21, 2009 12:04, Jeremy Morton wrote:
>
>> http://pastebin.com/m3b9629b6
>
> http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161
>
>
Re: A difficult one to weed out?
Posted by Benny Pedersen <me...@junc.org>.
On Sun, June 21, 2009 12:04, Jeremy Morton wrote:
> http://pastebin.com/m3b9629b6
http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161
--
xpoint