Posted to users@spamassassin.apache.org by Groach <gr...@yahoo.com> on 2017/12/13 20:41:04 UTC

Mailsploit

Are there any suggestions on a rule or procedure to implement that will 
help defend against the MAILSPLOIT type of spoofing?

Full details of it here: https://www.mailsploit.com/index

I was thinking if there is a way to have a rule that checks for encoding 
in the FROM header.  Or better, maybe it could be expanded to only react 
if the decoded FROM header translates to a domain that is not a match to 
the domain in the raw data.

eg (from the mailsploit webpage example)

=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

translates to 'FROM: potus@whitehouse.com' even though the raw line 
clearly says "....@mailsploit.com".

Sadly, it is obvious to most that the translating of the encoded from 
data is dependent on the email client, but Mozilla (Thunderbird) refuses 
to acknowledge this and claims it to be the responsibility of the server 
(as stated in the info web page). Therefore a rule in spamassassin that 
can independently see these attempts at tomfoolery and stop them at 
server level would remove the risk of the email clients being fooled.

(P.S. I performed the test from the webpage to my server and email 
client and confirm that Thunderbird does get fooled by the exploit.)

Re: Mailsploit

Posted by Groach <gr...@yahoo.com>.
Noted.  In fact, after looking through it in the short term I personally 
have opted to just take the MAILSPLOIT rules section. Should be pretty 
static I think.


On 13/12/2017 22:24, shanew@shanew.net wrote:
> Note that after enabling KAM.cf, you'll want to watch more closely for
> false positives and possibly adjust scores as necessary.  I think it's
> a great addition to the default rules, but it's primarily tuned to
> Kevin's environment (though he's open to improvements) and some of the
> rules/scores may not be appropriate for your environment.
>


Re: Mailsploit

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/13/2017 5:24 PM, shanew@shanew.net wrote:
> Note that after enabling KAM.cf, you'll want to watch more closely for
> false positives and possibly adjust scores as necessary.  I think it's
> a great addition to the default rules, but it's primarily tuned to
> Kevin's environment (though he's open to improvements) and some of the
> rules/scores may not be appropriate for your environment. 

Please note that I am aware that it is installed in a significant number 
of installations so I do try and make it highly effective for others as 
well.  So I would not say "tuned" as much as "designed & tested" in our 
environment.

We are happy to review FPs and consider rule changes.  Don't be shy 
about feedback especially with spamples in pastebin, etc. You do not 
need to redact for us, we deal with sensitive data all the time.

Regards,

KAM


Re: Mailsploit

Posted by sh...@shanew.net.
Note that after enabling KAM.cf, you'll want to watch more closely for
false positives and possibly adjust scores as necessary.  I think it's
a great addition to the default rules, but it's primarily tuned to
Kevin's environment (though he's open to improvements) and some of the
rules/scores may not be appropriate for your environment.

On Wed, 13 Dec 2017, Groach wrote:

> 
> On 13/12/2017 20:48, Antony Stone wrote:
> 
> On Wednesday 13 December 2017 at 21:41:04, Groach wrote:
> 
> Are there any suggestions on a rule or procedure to implement that will
> help defend against the MAILSPLOIT type of spoofing?
> 
> See https://marc.info/?l=spamassassin-users&m=151265708616825&w=2 and follow-ups?
> 
> 
> Thanks for that.
> 
> I followed the thread you mentioned:  I see that 'Kevin' says he has a rule
> in his personal KAM.cf and that there isn't anything published in base
> spamassassin scores.  (Or am I missing something)?
> 
> So how does one:
> 
> a,  obtain KAM.cf  or
> b,  decipher the mechanism which Kevin uses in order that we can apply similar
> in our own local.cf
> 
> (All help appreciated)
> 
>

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: Mailsploit

Posted by Larry Rosenman <le...@lerctr.org>.
thebighonker.lerctr.org /home/ler $ cat bin/update-KAM.sh
#!/bin/sh
# Fetch the current KAM.cf and nonKAMrules.cf, install them if they differ
# from the production copies, recompile, HUP spamd and record the change in git.
PATH=$PATH:/usr/local/bin
URL="http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf"
URL2="http://www.peregrinehw.com/downloads/SpamAssassin/contrib/nonKAMrules.cf"
PRODFILE="/usr/local/etc/mail/spamassassin/KAM.cf"
PRODFILE2="/usr/local/etc/mail/spamassassin/nonKAMrules.cf"
# Work in a scratch directory; bail out rather than fetch into the wrong place.
mkdir -p /tmp/KAM
cd /tmp/KAM || exit 1
fetch -q ${URL}
RC=$?
if [ ${RC} -ne 0 ]; then
     cd /
     echo "NON-ZERO RC from fetch(1): " ${RC}
     rm -rf /tmp/KAM
     exit ${RC}
fi
fetch -q ${URL2}
RC=$?
if [ ${RC} -ne 0 ]; then
     cd /
     echo "NON-ZERO RC from fetch(1): " ${RC}
     rm -rf /tmp/KAM
     exit ${RC}
fi
# diff -q exits 0 when identical, 1 when the files differ, 2 on error.
diff -q ${PRODFILE} KAM.cf  >/dev/null 2>&1
RC=$?
diff -q ${PRODFILE2} nonKAMrules.cf  >/dev/null 2>&1
RC2=$?

case ${RC}${RC2} in
     00) ;;
     10 | 01 | 11 ) mv KAM.cf ${PRODFILE}
        mv nonKAMrules.cf ${PRODFILE2}
        /usr/local/bin/sa-compile
        kill -1 "$(cat /var/run/spamd/spamd.pid)"
        cd "$(dirname ${PRODFILE})" || exit 1
        git commit -a -m "KAM update $(date '+%Y-%m-%d %H:%M')"
        ;;
     20 | 02 | 22 | 12 | 21 ) echo "ISSUES WITH DIFF -- CHECK IT";;
esac
cd /
rm -rf /tmp/KAM
exit 0
thebighonker.lerctr.org /home/ler $

 

-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640                 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106

 

 

From: Groach <gr...@yahoo.com>
Date: Wednesday, December 13, 2017 at 2:59 PM
To: IBM Corporation <us...@spamassassin.apache.org>
Subject: Re: Mailsploit

On 13/12/2017 20:48, Antony Stone wrote:
On Wednesday 13 December 2017 at 21:41:04, Groach wrote:

Are there any suggestions on a rule or procedure to implement that will
help defend against the MAILSPLOIT type of spoofing?
See https://marc.info/?l=spamassassin-users&m=151265708616825&w=2 and follow-ups?

Thanks for that.

I followed the thread you mentioned:  I see that 'Kevin' says he has a rule in his personal KAM.cf and that there isn't anything published in base spamassassin scores.  (Or am I missing something)?

So how does one:

a,  obtain KAM.cf  or
b,  decipher the mechanism which Kevin uses in order that we can apply similar in our own local.cf

(All help appreciated)



Re: Mailsploit

Posted by Groach <gr...@yahoo.com>.

On 13/12/2017 21:38, Reindl Harald wrote:
>
>
> Am 13.12.2017 um 21:59 schrieb Groach:
>>>> Are there any suggestions on a rule or procedure to implement that will
>>>> help defend against the MAILSPLOIT type of spoofing?
>>> See https://marc.info/?l=spamassassin-users&m=151265708616825&w=2 and 
>>> follow-ups?
>>
>> Thanks for that.
>>
>> I followed the thread you mentioned:  I see that 'Kevin' says he has 
>> a rule in his personal KAM.cf and that there isn't anything published 
>> in base spamassassin scores.  (Or am I missing something)?
>>
>> So how does one:
>>
>> a,  obtain KAM.cf  or
>> b,  decipher the mechanism which Kevin uses in order that we can apply 
>> similar in our own local.cf
>
> and where is the problem? copy the few lines to local.cf
>
> header    __KAM_MAILSPLOIT1     From =~ /[\0]/
> describe  __KAM_MAILSPLOIT1     RFC2047 Exploit https://www.mailsploit.com/index
> header    __KAM_MAILSPLOIT2     From =~ /[\n]/
> describe  __KAM_MAILSPLOIT2     RFC2047 Exploit https://www.mailsploit.com/index
> tflags    __KAM_MAILSPLOIT2     multiple maxhits=2
> meta      KAM_MAILSPLOIT        (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
> describe  KAM_MAILSPLOIT        Mail triggers known exploits per mailsploit.com
> score     KAM_MAILSPLOIT        6.0

No problem.  Of course I can do that but wanted to ask for other methods 
too in case there was a more reliable way to check and update when Kevin 
updates his rules (to benefit from his other offerings).
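An added worked example, written for this thread and not code from the thread, from KAM.cf or from mailsploit.com: it implements in Python both ideas raised above, the opening post's suggestion of decoding the From header and comparing the domain a client would display with the domain in the raw addr-spec, and the condition of the quoted KAM_MAILSPLOIT meta (a NUL in the decoded From, or __KAM_MAILSPLOIT2 hitting at least twice, i.e. two newlines). The sample headers are constructed; the first is the mailsploit.com example quoted in the opening post. The function names and regexes are my own, not anything SpamAssassin or KAM.cf provides.

```python
"""Mailsploit-style checks on a From: header (added example, not from the
thread or KAM.cf), done the way a milter or content filter could do them."""
import re
from email.header import decode_header

# Constructed sample headers. The first is the mailsploit.com example quoted
# in the thread; the other two are ordinary headers that must NOT trigger.
MAILSPLOIT_FROM = ("=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?="
                   "=?utf-8?Q?=00?="
                   "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?="
                   "@mailsploit.com")
BENIGN_ENCODED_FROM = "=?utf-8?Q?J=C3=B6rg_M=C3=BCller?= <joerg@example.org>"
PLAIN_FROM = "Alice <alice@example.com>"

CONTROL_CHARS = re.compile(r"[\x00\r\n]")
# addr-spec: a run of non-delimiter characters, '@', then a domain.
# findall() returns only the captured domain.
ADDR_SPEC = re.compile(r'[^\s<>@,;:"]+@([A-Za-z0-9.-]+)')


def decode_rfc2047(raw):
    """Decode every encoded word and concatenate the pieces, the way a
    client's display routine does. Done by hand rather than through
    str(make_header(...)), which inserts spaces between chunks and would
    hide the exact string the encoded words spell out."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def kam_style_hit(decoded):
    """Same condition as the quoted meta rule: __KAM_MAILSPLOIT1 (a NUL in
    the decoded From) or __KAM_MAILSPLOIT2 hit at least twice (two newlines
    that survive decoding; the header is assumed already unfolded)."""
    return "\x00" in decoded or decoded.count("\n") >= 2


def raw_domain(raw):
    """Domain of the last addr-spec in the undecoded header, i.e. the
    address the MTA actually sees (base64 and Q text carry no literal '@')."""
    hits = ADDR_SPEC.findall(raw)
    return hits[-1].lower() if hits else None


def displayed_domain(decoded):
    """Domain of the first address a client would show after decoding. Many
    clients stop rendering at a NUL or newline, so only look before it."""
    visible = CONTROL_CHARS.split(decoded)[0]
    hits = ADDR_SPEC.findall(visible)
    return hits[0].lower() if hits else None


def check_from(raw):
    """Return the reasons (possibly none) the header looks like Mailsploit."""
    reasons = []
    decoded = decode_rfc2047(raw)
    if kam_style_hit(decoded):
        reasons.append("NUL or repeated newline in decoded From")
    shown, real = displayed_domain(decoded), raw_domain(raw)
    if shown and real and shown != real:
        reasons.append(f"displayed domain {shown} != raw domain {real}")
    return reasons


if __name__ == "__main__":
    for sample in (MAILSPLOIT_FROM, BENIGN_ENCODED_FROM, PLAIN_FROM):
        print(sample[:40], "->", check_from(sample) or "clean")
```

On the constructed mailsploit sample the decoded header is potus@whitehouse.gov, a NUL, potus@whitehouse.gov again and then @mailsploit.com, so both checks fire; the benign encoded display name and the plain header produce no reasons. The domain comparison is the stricter of the two tests and catches variants that avoid NUL and newline, which is why the opening post asked for it; SpamAssassin's own header rules match the already-decoded From unless the :raw modifier is used, which is what lets the quoted KAM rules work on the same decoded string.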

Re: Mailsploit

Posted by Groach <gr...@yahoo.com>.
On 13/12/2017 20:48, Antony Stone wrote:
> On Wednesday 13 December 2017 at 21:41:04, Groach wrote:
>
>> Are there any suggestions on a rule or procedure to implement that will
>> help defend against the MAILSPLOIT type of spoofing?
> See https://marc.info/?l=spamassassin-users&m=151265708616825&w=2 and follow-ups?

Thanks for that.

I followed the thread you mentioned:  I see that 'Kevin' says he has a 
rule in his personal KAM.cf and that there isn't anything published in 
base spamassassin scores.  (Or am I missing something)?

So how does one:

a,  obtain KAM.cf  or
b,  decipher the mechanism which Kevin uses in order that we can apply 
similar in our own local.cf

(All help appreciated)

Re: Mailsploit

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Wednesday 13 December 2017 at 21:41:04, Groach wrote:

> Are there any suggestions on a rule or procedure to implement that will
> help defend against the MAILSPLOIT type of spoofing?

See https://marc.info/?l=spamassassin-users&m=151265708616825&w=2 and follow-ups?


Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

                                                   Please reply to the list;
                                                         please *don't* CC me.