Posted to users@spamassassin.apache.org by John Schmerold <sc...@gmail.com> on 2019/08/11 03:00:08 UTC

encoded from

Evil doers go to our website, identify the leader, then start phishing. 
We have been blocking this by looking for the leader's name in the 
"From" field. Today a number of phishes passed through our security 
filter; when I looked at the headers, I understood why: the bandits are 
using this:

F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>

Outlook shows the leader's name ("Andy Bryan"); SpamAssassin does not. 
Any ideas how we can protect our users from this one?

My first inclination is something like this:

score    LOCAL__H_from_encode 5.00
header   LOCAL__H_from_encode From =~ /UTF\-/i

-- 
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis


Re: encoded from

Posted by Henrik K <he...@hege.li>.
On Mon, Aug 12, 2019 at 12:12:41AM +0100, RW wrote:
> On Sun, 11 Aug 2019 12:03:21 -0500
> John Schmerold wrote:
> 
> > On 8/11/2019 12:57 AM, Henrik K wrote:
> 
> > >> F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>  
> >
> > *I am using these rules:*
> > 
> > score    LOCAL_H_from_bryan1 35.00
> > header   LOCAL_H_from_bryan1 From =~ /andy\sbryan/i
> 
> 
> Your problem is that \s matches one space, but the spam has two.

Lol I just noticed the other day that debug "got hit:" logging normalizes
whitespace or something..  gotta fix that and quote any special characters..

Re: encoded from

Posted by John Schmerold <sc...@gmail.com>.
On 8/11/2019 6:12 PM, RW wrote:
> On Sun, 11 Aug 2019 12:03:21 -0500
> John Schmerold wrote:
>
>> On 8/11/2019 12:57 AM, Henrik K wrote:
>>>> F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>
>> *I am using these rules:*
>>
>> score    LOCAL_H_from_bryan1 35.00
>> header   LOCAL_H_from_bryan1 From =~ /andy\sbryan/i
>
> Your problem is that \s matches one space, but the spam has two.

Crazy good catch. Thank you!


Re: encoded from

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 8/11/2019 7:12 PM, . wrote:
>> score    LOCAL_H_from_bryan1 35.00
>> header   LOCAL_H_from_bryan1 From =~ /andy\sbryan/i
> Your problem is that \s matches one space, but the spam has two.

Good catch.  So you might want to do \s+ instead.

-- 
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: encoded from

Posted by RW <rw...@googlemail.com>.
On Sun, 11 Aug 2019 12:03:21 -0500
John Schmerold wrote:

> On 8/11/2019 12:57 AM, Henrik K wrote:

> >> F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>  
>
> *I am using these rules:*
> 
> score    LOCAL_H_from_bryan1 35.00
> header   LOCAL_H_from_bryan1 From =~ /andy\sbryan/i


Your problem is that \s matches one space, but the spam has two.

Re: encoded from

Posted by John Schmerold <sc...@gmail.com>.
On 8/11/2019 12:57 AM, Henrik K wrote:
> On Sat, Aug 10, 2019 at 10:00:08PM -0500, John Schmerold wrote:
>> Evil doers go to our website, identify the leader, then start phishing. We
>> have been blocking this by looking for the leader's name in the "From"
>> field, today a number of phishes passed through our security filter, when I
>> looked at the headers, I understood why, the bandits are using this:
>>
>> F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>
> You probably don't literally mean "F From:"?  I think not even Outlook
> would parse that.. assuming typo..
>
>> Outlook shows the leader's name ("Andy Bryan"), Spamassassin does not. Any
>> ideas how we can protect our users from this one?
> What do you mean "SpamAssassin does not", what output are you exactly
> looking at?  Please show the actual rules you are trying to use.

*We graylist, so the message was rejected upon initial presentation, 
here is the output from Exim's reject.log:*

Envelope-from: <an...@my.com>
Envelope-to: <lo...@example.com>
P Received: from f31.my.com ([185.30.177.93]:40436)
         by mx6.fastnet1.com with esmtps 
(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
         (Exim 4.92)
         (envelope-from <an...@my.com>)
         id 1hwTcJ-0004Co-Ib
         for local.part@example.com; Sat, 10 Aug 2019 10:49:15 -0500
   DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
d=my.com; s=mail;
h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From; 
bh=6D+7rxX+DqxDjlFHx89e03eRojMPB/y6XSk/GYH61vE=;
b=FCuphRg+z/bYLXeL6xUoyZVdAR2+j8t0fIhysgVn1yeTrfxZD6bYcn1hRo5R/vv35gl5Hq7hInqob+EyFRwh1GiTdJP3JhCX5UtB5/G8JM4XJfvfIEelKMeOWSZTnwVbiaClvTmxq1HeDT4m/FoTohirTUNvNDGCENLjlMXk8UA=;
P Received: by f31.my.com with local (envelope-from <an...@my.com>)
         id 1hwTcH-0002KF-Io
         for local.part@example.com; Sat, 10 Aug 2019 18:49:13 +0300
P Received: by e-aj.my.com with HTTP;
         Sat, 10 Aug 2019 18:49:13 +0300
F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>
T To: local.part@example.com
   Subject: =?UTF-8?B?VXJnZW50?=
   MIME-Version: 1.0
   X-Mailer: My.com Mailer 1.0
   Date: Sat, 10 Aug 2019 18:49:13 +0300
R Reply-To: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>
   X-Priority: 3 (Normal)
I Message-ID: <15...@f31.my.com>
   Content-Type: multipart/alternative;
boundary="--ALT--CXtS519anypZcaoEvL1ZuhBMruQ6JVSQ1565452153"
   X-77F55803: 
68A6F98766B02875A0F21CC061F2095323D2FBEB2644075CECD8DE0331B36754DA3E9D57523DDB86F732F206E061AA45BA6E67A25EBDE248
   X-7FA49CB5: 
0D63561A33F958A503948B5AFAEE420F1B5FB63F284A4FF096A07F38064020428941B15DA834481FA18204E546F3947CB861051D4BA689FCF6B57BC7E64490618DEB871D839B7333395957E7521B51C2545D4CF71C94A83E9FA2833FD35BB23D27C277FBC8AE2E8B3A703$
   X-DMARC-Policy: reject
   X-Mailru-MI: 800
   X-Mailru-Sender: 
2BA31F902301C16BA3B48DCA598B8235BD53929BD4403F41DA3E9D57523DDB86991180D661735E4598FB9EBB77C0D2830CABC5A31093DEA501E0C4A18C9747178BC0F606C687C5A14BD9ACA20FE66D6B85ADFB3C6C25BA380D4ABDE8C577C2ED
   X-Mras: OK
   X-Spam: undefined
   X-Spam-Score: 0.3


*I am using these rules:*

score    LOCAL_H_from_bryan1 35.00
header   LOCAL_H_from_bryan1 From =~ /andy\sbryan/i

score    LOCAL_H_from_bryan2 -35.00
header   LOCAL_H_from_bryan2 From =~ /andy\.bryan\@example\.com/i


>
> It's standard stuff that has always been decoded:
>
> echo 'From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>' | \
> spamassassin -D -L \
>    --cf 'header FOO_FROM From =~ /.*/' \
>    --cf 'header FOO_NAME From:name =~ /.*/' \
>    2>&1 | grep FOO_
>
> Aug 11 08:51:29.782 [28242] dbg: rules: ran header rule FOO_FROM ======> got hit: "Andy Bryan <an...@my.com>"
> Aug 11 08:51:29.783 [28242] dbg: rules: ran header rule FOO_NAME ======> got hit: "Andy Bryan"




Re: encoded from

Posted by Henrik K <he...@hege.li>.
On Sat, Aug 10, 2019 at 10:00:08PM -0500, John Schmerold wrote:
> Evil doers go to our website, identify the leader, then start phishing. We
> have been blocking this by looking for the leader's name in the "From"
> field, today a number of phishes passed through our security filter, when I
> looked at the headers, I understood why, the bandits are using this:
> 
> F From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>

You probably don't literally mean "F From:"?  I think not even Outlook
would parse that.. assuming typo..

> Outlook shows the leader's name ("Andy Bryan"), Spamassassin does not. Any
> ideas how we can protect our users from this one?

What do you mean "SpamAssassin does not", what output are you exactly
looking at?  Please show the actual rules you are trying to use.

It's standard stuff that has always been decoded:

echo 'From: =?UTF-8?B?QW5keSAgQnJ5YW4=?= <an...@my.com>' | \
spamassassin -D -L \
  --cf 'header FOO_FROM From =~ /.*/' \
  --cf 'header FOO_NAME From:name =~ /.*/' \
  2>&1 | grep FOO_

Aug 11 08:51:29.782 [28242] dbg: rules: ran header rule FOO_FROM ======> got hit: "Andy Bryan <an...@my.com>"
Aug 11 08:51:29.783 [28242] dbg: rules: ran header rule FOO_NAME ======> got hit: "Andy Bryan"
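The two points the thread settles on are (1) SpamAssassin decodes RFC 2047
encoded-words before a `header ... From =~ /.../` rule runs, so a rule that
looks for the literal "UTF-" never fires, and (2) the decoded display name
has two spaces, so `\s` misses it and `\s+` is needed. The Python below is an
added example written for this page, not code from the thread or from the
SpamAssassin project. It decodes the From: value with the standard library and
then emulates the three local rules on the decoded text. The leader identity
(`andy.bryan@example.com`), the sender addresses in the samples and the
constructed sample headers are placeholders; only the first sample's
encoded-word is the one from the thread. One deliberate departure from the
thread's rules: the -35 rule is applied to the parsed address, not to a
substring of the whole header, so a spoofed display name that merely contains
the real address cannot cancel the +35.

```python
#!/usr/bin/env python3
"""Decode an RFC 2047 From: header the way a SpamAssassin header rule sees
it, then apply the thread's display-name rules on the decoded value.
Added example for this page; not SpamAssassin code."""
import re
from email.header import decode_header
from email.utils import parseaddr

# Hypothetical protected identity (the thread's "leader"). Placeholder mailbox.
LEADER_NAME = r"andy\s+bryan"          # \s+ as RW and Kevin suggest, not \s
ORIGINAL_NAME = r"andy\sbryan"         # the thread's first version, for comparison
LEADER_ADDRS = {"andy.bryan@example.com"}

# Constructed sample From: values. The first encoded-word is the thread's
# (base64 of "Andy  Bryan", two spaces); the rest are variants the same rule
# should also cover. Sender addresses are placeholders.
SAMPLES = {
    "b64_double_space":  "=?UTF-8?B?QW5keSAgQnJ5YW4=?= <someone@example.org>",
    "q_encoded":         "=?utf-8?Q?Andy_Bryan?= <someone@example.org>",
    "plain":             "Andy Bryan <someone@example.org>",
    "legit":             "Andy Bryan <andy.bryan@example.com>",
    "spoof_with_comment": "Andy Bryan (andy.bryan@example.com) <someone@example.org>",
    "unrelated":         "Helpdesk <helpdesk@example.net>",
}


def decode_from(raw):
    """Decode RFC 2047 encoded-words in a header value. This is the text the
    header rule matches against; the literal '=?UTF-8?' tag is gone."""
    out = []
    for fragment, charset in decode_header(raw):
        if isinstance(fragment, bytes):      # encoded-word, or bytes next to one
            out.append(fragment.decode(charset or "us-ascii", errors="replace"))
        else:                                # no encoded-words at all: plain str
            out.append(fragment)
    return "".join(out)


def name_hit(raw, pattern=LEADER_NAME):
    """True if `pattern` matches the decoded From:. Pass ORIGINAL_NAME to see
    the single-\\s version miss the two-space sample."""
    return re.search(pattern, decode_from(raw), re.IGNORECASE) is not None


def score_from(raw):
    """Emulate the thread's three local rules on the decoded header.
    Returns (total_score, [names of rules that fired]):
      LOCAL_H_from_bryan1   +35  leader's name anywhere in From:
      LOCAL_H_from_bryan2   -35  parsed sender address is the leader's mailbox
      LOCAL__H_from_encode   +5  literal 'UTF-' in From: (never fires: decoded)
    bryan2 is tightened to the parsed address on purpose (see lead-in)."""
    decoded = decode_from(raw)
    _display, addr = parseaddr(decoded)
    score, hits = 0.0, []
    if re.search(LEADER_NAME, decoded, re.IGNORECASE):
        score += 35.0
        hits.append("LOCAL_H_from_bryan1")
    if addr.lower() in LEADER_ADDRS:
        score -= 35.0
        hits.append("LOCAL_H_from_bryan2")
    if re.search(r"UTF-", decoded, re.IGNORECASE):
        score += 5.0
        hits.append("LOCAL__H_from_encode")
    return score, hits


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label)
        print("  decoded : " + repr(decode_from(raw)))
        print("  \\s      : " + str(name_hit(raw, ORIGINAL_NAME)))
        print("  \\s+     : " + str(name_hit(raw)))
        print("  score   : " + str(score_from(raw)))
```

On the SpamAssassin side the same tightening is available without Python:
header rules accept the `:name` modifier Henrik uses above and an `:addr`
modifier, so `From:name =~ /andy\s+bryan/i` and
`From:addr =~ /^andy\.bryan\@example\.com$/i` test the display name and the
parsed address separately instead of substring-matching the whole header.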