Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/12/07 14:31:13 UTC

Mailsploit and RFC1342 and spoofed From

Hi,

Is this something we should be concerned with?

https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/

There was a thread the other day regarding UTF and encoding, but I
don't think this is the same?

Re: Mailsploit and RFC1342 and spoofed From

Posted by Pedro David Marco <pe...@yahoo.com>.


>Hi Pedro, yes but I do not have the ability to share it but I've bcc'd someone who does to see if they can mail it to the list.
>Since the rule I made targets effectively all of the mailsploit exploits and it's already public, it should be safe.  But I don't know if he used domains he doesn't want exposed, etc.

Thanks Kevin, please do not worry... I understand it and under no circumstances would I like to put you under any uncomfortable situation...

---PedroD

Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/8/2017 2:34 AM, Pedro David Marco wrote:
> >The tests are not working because of aws send limits. Unlikely to work.
>
> You are right Kevin... fool me..
>
> is there any pastebin sample???
>
Hi Pedro, yes but I do not have the ability to share it but I've bcc'd 
someone who does to see if they can mail it to the list.

Since the rule I made targets effectively all of the mailsploit exploits 
and it's already public, it should be safe.  But I don't know if he used 
domains he doesn't want exposed, etc.

Regards,
KAM

Re: Mailsploit and RFC1342 and spoofed From

Posted by Pedro David Marco <pe...@yahoo.com>.

  
>The tests are not working because of aws send limits. Unlikely to work.
>Regards,
>KAM

You are right Kevin... fool me..
is there any pastebin sample???
----PedroD   

Re: Mailsploit and RFC1342 and spoofed From

Posted by sh...@shanew.net.
I managed to run a test about an hour ago on my first try, so maybe
AWS upped his limit or demand has slowed down.  Or maybe I just got
lucky...

YMMV

On Thu, 7 Dec 2017, Kevin A. McGrail wrote:

> The tests are not working because of aws send limits. Unlikely to work.
> Regards,
> KAM
> 
> On December 7, 2017 1:57:41 PM EST, Pedro David Marco
> <pe...@yahoo.com> wrote:
>       You can get tests here...
> 
> https://www.mailsploit.com/index#demo
> 
> -------
> PedroD.
> 
> 
>

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
The tests are not working because of aws send limits.  Unlikely to work.
Regards,
KAM

On December 7, 2017 1:57:41 PM EST, Pedro David Marco <pe...@yahoo.com> wrote:
>You can get tests here...
>https://www.mailsploit.com/index#demo
>
>-------PedroD.

Re: Mailsploit and RFC1342 and spoofed From

Posted by Pedro David Marco <pe...@yahoo.com>.
You can get tests here...
https://www.mailsploit.com/index#demo

-------PedroD.

Re: Mailsploit and RFC1342 and spoofed From

Posted by John Hardin <jh...@impsec.org>.
On Thu, 7 Dec 2017, Kevin A. McGrail wrote:

> On 12/7/2017 4:20 PM, John Hardin wrote:
>>
>>  I was more thinking about coverage for people who aren't using KAM.cf, but
>>  your comment about needing enough examples in the masscheck corpus to
>>  promote and score the rule is relevant - perhaps it is important enough to
>>  add as a base header rule, rather than through ruleqa sandboxes? 
>
> I guess I don't really know how.  What is your definition of a base header 
> rule and what mechanism would you use to publish it as a base rule?

I was thinking of a rule in rules/20_head_test.cf with a fixed score, vs. 
one in something like rulesrc/sandbox/jhardin/20_mumble.cf

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   At $8 billion per year, the TSA is the most expensive
   theatrical production in history.      -- David Burge @iowahawkblog
-----------------------------------------------------------------------
  Today: The 76th anniversary of Pearl Harbor

Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/7/2017 4:20 PM, John Hardin wrote:
>
> I was more thinking about coverage for people who aren't using KAM.cf, 
> but your comment about needing enough examples in the masscheck corpus 
> to promote and score the rule is relevant - perhaps it is important 
> enough to add as a base header rule, rather than through ruleqa 
> sandboxes? 

I guess I don't really know how.  What is your definition of a base 
header rule and what mechanism would you use to publish it as a base 
rule?  We effectively build rules as a measure to get an initial install 
but ruleqa driven sa-updates are our mechanism for publishing.

Regards,

KAM


Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/8/2017 3:25 AM, Giovanni Bechis wrote:
>>> Unfortunately I cannot know how new added rules will affect my
>>> environment,
>>> there are also some idn rules that break my Puppet instance but
>>> that's another story.
>> Agreed.  But how would you know if they are added to sa-update
>> natively?
> Rules that come through sa-update do not have too high scores, are discussed on ml and svn is my friend as a last resort.

Fair enough.  I don't have a solution for you.


Re: Mailsploit and RFC1342 and spoofed From

Posted by Giovanni Bechis <gi...@paclan.it>.
On 8 December 2017 01:47:47 CET, "Kevin A. McGrail" <ke...@mcgrail.com> wrote:
>On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
>> On 12/08/17 00:59, Kevin A. McGrail wrote:
>>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>>> unfortunately I cannot use KAM.cf out of the box because some
>>>> scores are completely wrong in my environment (working with strange
>>>> tld, Chinese people, medical terms that are sometimes abused, ...), so
>>>> I have to download the file every now and then and "fix it".
>>> If you use a file that is named alphabetically to load after KAM.cf,
>>> you can just change scores there and it will be maintained from
>>> download to download.
>>>
>> Unfortunately I cannot know how new added rules will affect my
>> environment,
>> there are also some idn rules that break my Puppet instance but
>> that's another story.
>Agreed.  But how would you know if they are added to sa-update
>natively?

Rules that come through sa-update do not have too high scores, are discussed on ml and svn is my friend as a last resort.
   Giovanni

Re: Mailsploit and RFC1342 and spoofed From

Posted by David Jones <dj...@ena.com>.
On 12/07/2017 06:47 PM, Kevin A. McGrail wrote:
> On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
>> On 12/08/17 00:59, Kevin A. McGrail wrote:
>>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>>> unfortunately I cannot use KAM.cf out of the box because some scores 
>>>> are completely wrong in my environment (working with strange tld, 
>>>> Chinese people, medical terms that are sometimes abused, ...), so I 
>>>> have to download the file every now and then and "fix it".
>>> If you use a file that is named alphabetically to load after KAM.cf, 
>>> you can just change scores there and it will be maintained from 
>>> download to download.
>>>
>> Unfortunately I cannot know how new added rules will affect my 
>> environment,
>> there are also some idn rules that break my Puppet instance but 
>> that's another story.
> Agreed.  But how would you know if they are added to sa-update natively?
> 

A very simple, short script could grep out the scores from KAM.cf, diff 
them from the last run and send him an email when something changes. 
Cron it for once every morning and voila!

-- 
David Jones
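One way to build the score watcher described above, as an added example (not code from the thread, from KAM.cf or from the SpamAssassin project); the KAM.cf path and the snapshot file name are assumptions, and the demo data is constructed:

```shell
#!/bin/sh
# Added example, not code from the thread: watch KAM.cf for score changes
# between downloads, as David Jones describes. File paths are assumptions.
set -u

# Pull out "score RULE value..." lines, normalise whitespace and sort them,
# so the diff reports score changes only, not reordering or comment edits.
extract_scores() {                 # $1 = rules file (e.g. KAM.cf)
    grep -E '^[[:space:]]*score[[:space:]]' "$1" \
      | sed -E 's/^[[:space:]]*score[[:space:]]+//; s/[[:space:]]+/ /g; s/ *$//' \
      | sort
}

# Compare the current file with the snapshot from the previous run, then
# refresh the snapshot.  Prints changed entries (-old / +new) and returns 1
# when something changed, so a cron wrapper can mail the output on failure.
check_scores() {                   # $1 = rules file, $2 = snapshot file
    cur=$(extract_scores "$1")
    if [ ! -f "$2" ]; then
        printf '%s\n' "$cur" > "$2"   # first run: seed the snapshot silently
        return 0
    fi
    changes=$(printf '%s\n' "$cur" | diff "$2" - | grep -E '^[<>]' \
              | sed 's/^< /-/; s/^> /+/')
    printf '%s\n' "$cur" > "$2"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed demo: two successive "downloads" of a tiny KAM.cf excerpt with
# one score bumped.  Prints the change report and returns 1 (changed).
demo() {
    d=$(mktemp -d)
    printf 'score KAM_RULE_A 1.5\n# comment\nscore   KAM_RULE_B  5.0\n' > "$d/KAM.cf"
    check_scores "$d/KAM.cf" "$d/scores.prev" >/dev/null   # seeds the snapshot
    printf 'score KAM_RULE_B 7.0\nscore KAM_RULE_A 1.5\n' > "$d/KAM.cf"
    if check_scores "$d/KAM.cf" "$d/scores.prev"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

From cron, run `check_scores /path/to/KAM.cf /var/tmp/kam-scores.prev` and mail its output whenever it exits non-zero.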

Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
> On 12/08/17 00:59, Kevin A. McGrail wrote:
>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>> unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, Chinese people, medical terms that are sometimes abused, ...), so I have to download the file every now and then and "fix it".
>> If you use a file that is named alphabetically to load after KAM.cf, you can just change scores there and it will be maintained from download to download.
>>
> Unfortunately I cannot know how new added rules will affect my environment,
> there are also some idn rules that break my Puppet instance but that's another story.
Agreed.  But how would you know if they are added to sa-update natively?


Re: Mailsploit and RFC1342 and spoofed From

Posted by Giovanni Bechis <gi...@paclan.it>.
On 12/08/17 00:59, Kevin A. McGrail wrote:
> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>> unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, Chinese people, medical terms that are sometimes abused, ...), so I have to download the file every now and then and "fix it".
> 
> If you use a file that is named alphabetically to load after KAM.cf, you can just change scores there and it will be maintained from download to download.
> 
Unfortunately I cannot know how new added rules will affect my environment,
there are also some idn rules that break my Puppet instance but that's another story.

> I also welcome feedbacks on scores, FPs and additions.
> 
I will try to take a look.
 Giovanni


Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
> unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, Chinese people, medical terms that are sometimes abused, ...), so I have to download the file every now and then and "fix it".

If you use a file that is named alphabetically to load after KAM.cf, you 
can just change scores there and it will be maintained from download to 
download.

I also welcome feedbacks on scores, FPs and additions.

Regards,

KAM


Re: Mailsploit and RFC1342 and spoofed From

Posted by Giovanni Bechis <gi...@paclan.it>.
On 12/08/17 00:19, Kevin A. McGrail wrote:
> On 12/7/2017 4:20 PM, John Hardin wrote:
>>
>> I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is important enough to add as a base header rule, rather than through ruleqa sandboxes? 
> 
> It's a hurdle.  As a release artifact, it falls under ASF voting rules and the 3 +1's, 72 hours, etc.  But I agree that we've overcome that hurdle and have mechanisms that people are ok with publishing automated as long as it passed ruleqa.  That is too slow for me so KAM.cf allowed me to publish unilaterally without the delays from the normal voting or automated mechanisms.
> 
unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, Chinese people, medical terms that are sometimes abused, ...), so I have to download the file every now and then and "fix it".

It would be fine to use it as a staging for rules that could be promoted to "official" rules later on.
If you can wait, you can use the official channel and you will have updated rules, if you have to deploy rules in minutes you can use KAM.cf.

 Cheers
  Giovanni
 
> Perhaps we can discuss some sort of C-T-R where people can add a flag to sa-update and get a dev channel.  The dev channel gets all rules before masscheck.  Not sure if that will cause more issues with other rules that are not as production ready as mine since mine are tested in live production before publishing.
> 
> Or we could consider a motion to publish KAM.cf with the sa-signing key but require people to add a channel to their sa-update command line.  That's a minor change in lift to save adding the GPG key but a small help nonetheless.
> 
> In the end, it goes a bit back to the difference of opinion on what the SA project provides.  To me, we provide a framework and proof of concept rules NOT a fully functional drop-in installation. With KAM.cf, I believe it's much closer to a drop-in installation.  I'm happy to support it but we have to have a mechanism that A) doesn't arbitrarily fail to promote the rules, B) is faster than 1 hour and C) doesn't egregiously ignore the Apache Way.
> 
> 
> Regards,
> KAM
> 


Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/7/2017 4:20 PM, John Hardin wrote:
>
> I was more thinking about coverage for people who aren't using KAM.cf, 
> but your comment about needing enough examples in the masscheck corpus 
> to promote and score the rule is relevant - perhaps it is important 
> enough to add as a base header rule, rather than through ruleqa 
> sandboxes? 

It's a hurdle.  As a release artifact, it falls under ASF voting rules 
and the 3 +1's, 72 hours, etc.  But I agree that we've overcome that 
hurdle and have mechanisms that people are ok with publishing automated 
as long as it passed ruleqa.  That is too slow for me so KAM.cf allowed 
me to publish unilaterally without the delays from the normal voting or 
automated mechanisms.

Perhaps we can discuss some sort of C-T-R where people can add a flag to 
sa-update and get a dev channel.  The dev channel gets all rules 
before masscheck.  Not sure if that will cause more issues with other 
rules that are not as production ready as mine since mine are tested in 
live production before publishing.

Or we could consider a motion to publish KAM.cf with the sa-signing key 
but require people to add a channel to their sa-update command line.  
That's a minor change in lift to save adding the GPG key but a small 
help nonetheless.

In the end, it goes a bit back to the difference of opinion on what the 
SA project provides.  To me, we provide a framework and proof of concept 
rules NOT a fully functional drop-in installation. With KAM.cf, I believe 
it's much closer to a drop-in installation.  I'm happy to support it but 
we have to have a mechanism that A) doesn't arbitrarily fail to promote 
the rules, B) is faster than 1 hour and C) doesn't egregiously ignore 
the Apache Way.


Regards,
KAM


Re: Mailsploit and RFC1342 and spoofed From

Posted by John Hardin <jh...@impsec.org>.
On Thu, 7 Dec 2017, Kevin A. McGrail wrote:

> On 12/7/2017 11:47 AM, John Hardin wrote:
>>  Is that going into the base SA rules as well? 
>
> The SA rule prop system is not conducive to how my company works.  The delays 
> are too long to publish rules.  I support it in concept but as of yet do not 
> have an easiest lift to support it.
>
> I need rules in minutes not days.  KAM.cf was my solution to that issue but 
> we release it under ASLv2.
>
> But with the work spearheaded by Dave and the relight of ruleqa, I'm focused 
> on 3.4.2.  Then I'm hoping we can look at publishing rules 2x per day.  I do 
> a lot of work on my rules and can't have them kicked out of consideration 
> because the corpora says they aren't needed.

I was more thinking about coverage for people who aren't using KAM.cf, but 
your comment about needing enough examples in the masscheck corpus to 
promote and score the rule is relevant - perhaps it is important enough to 
add as a base header rule, rather than through ruleqa sandboxes?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   No representation without taxation!
-----------------------------------------------------------------------
  Today: The 76th anniversary of Pearl Harbor

Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/7/2017 11:47 AM, John Hardin wrote:
> Is that going into the base SA rules as well? 

The SA rule prop system is not conducive to how my company works.  The 
delays are too long to publish rules.  I support it in concept but as of 
yet do not have an easiest lift to support it.

I need rules in minutes not days.  KAM.cf was my solution to that issue 
but we release it under ASLv2.

But with the work spearheaded by Dave and the relight of ruleqa, I'm 
focused on 3.4.2.  Then I'm hoping we can look at publishing rules 2x 
per day.  I do a lot of work on my rules and can't have them kicked out 
of consideration because the corpora says they aren't needed.

Regards,

KAM


Re: Mailsploit and RFC1342 and spoofed From

Posted by John Hardin <jh...@impsec.org>.
On Thu, 7 Dec 2017, Kevin A. McGrail wrote:

> On 12/7/2017 9:31 AM, Alex wrote:
>>
>>  https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/
>
> Same issue and the rule I wrote yesterday effectively blocks all the 
> published issues.  I'll make some nuanced changes to make it broader against 
> the general idea of the attack.  See KAM.cf and MAILSPLOIT.

Is that going into the base SA rules as well?


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...wind turbines are not meant to actually be an efficient way to
   supply the power grid, rather they're prayer wheels for New Age
   iBuddhists, their whirring blades drawing white guilt from the
   atmosphere and pumping it safely underground.                -- Tam
-----------------------------------------------------------------------
  Today: The 76th anniversary of Pearl Harbor

Re: Mailsploit and RFC1342 and spoofed From

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 12/7/2017 9:31 AM, Alex wrote:
> Hi,
>
> Is this something we should be concerned with?
>
> https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/
>
> There was a thread the other day regarding UTF and encoding, but I
> don't think this is the same?

Same issue and the rule I wrote yesterday effectively blocks all the 
published issues.  I'll make some nuanced changes to make it broader 
against the general idea of the attack.  See KAM.cf and MAILSPLOIT.

Regards,

KAM