Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2020/12/08 18:18:28 UTC
Possible spam sign
I just received a spam with this interesting From address:
From: "VA Rate Guide"
<in...@amazon.com>
I wonder if it is worth checking for mail from more than one sender at once?
Loren
Re: Possible spam sign
Posted by Benny Pedersen <me...@junc.eu>.
Loren Wilton wrote on 2020-12-08 19:18:
> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide"
> <in...@amazon.com>
>
> I wonder if it is worth checking for mail from more than one sender at
> once?
Received: from [47.140.131.2] (helo=watson1)
by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4)
(envelope-from <lw...@earthlink.net>)
id 1kmhZF-0002TY-Oh
for users@spamassassin.apache.org; Tue, 08 Dec 2020 13:18:29 -0500
clear text sasl password ?
if the From: header has more domains to block, then block it :=)
Re: Possible spam sign
Posted by RW <rw...@googlemail.com>.
On Tue, 8 Dec 2020 10:18:28 -0800
Loren Wilton wrote:
> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide"
> <in...@amazon.com>
>
> I wonder if it is worth checking for mail from more than one sender
> at once?
Multiple senders in "From" headers is rare, but RFC compliant.
What you have there isn't syntactically correct; the addresses aren't
properly separated by commas.
Re: Possible spam sign
Posted by John Hardin <jh...@impsec.org>.
On Tue, 8 Dec 2020, Loren Wilton wrote:
>>>> That probably should have hit at least one scored base rule:
>>>>
>>>> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>>>
>>> Nope. I think my rules are up to date, but maybe not.
>>
>> Feel free to pastebin it and I'll take a look.
>
> https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing
That was scanned by SA? Are the SA scan results buried in the
X-VadeSecure-Cause header somehow?
It's too long to hit FROM_2_EMAILS_SHORT, and the longer message rules
that it hits (__HTML_LENGTH_1024_1536 and __PDS_HTML_LENGTH_2048) are
ham-only combos in the masscheck corpus.
I've added some new rules for masscheck eval based on it.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Journalism is about covering important stories.
With a pillow, until they stop moving. -- David Burge
-----------------------------------------------------------------------
7 days until Bill of Rights day
Re: Possible spam sign
Posted by Loren Wilton <lw...@earthlink.net>.
>>> That probably should have hit at least one scored base rule:
>>>
>>> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>>
>> Nope. I think my rules are up to date, but maybe not.
>
> Feel free to pastebin it and I'll take a look.
https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing
Re: Possible spam sign
Posted by John Hardin <jh...@impsec.org>.
On Tue, 8 Dec 2020, Loren Wilton wrote:
>> That probably should have hit at least one scored base rule:
>>
>> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>
> Nope. I think my rules are up to date, but maybe not.
Feel free to pastebin it and I'll take a look.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People think they're trading chaos for order [by ceding more and
more power to the Government], but they're just trading normal
human evil for the really dangerous organized kind of evil, the
kind that simply does not give a shit. Only bureaucrats can give
you true evil. -- Larry Correia
-----------------------------------------------------------------------
7 days until Bill of Rights day
Re: Possible spam sign
Posted by Loren Wilton <lw...@earthlink.net>.
> That probably should have hit at least one scored base rule:
>
> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
Nope. I think my rules are up to date, but maybe not.
Re: Possible spam sign
Posted by John Hardin <jh...@impsec.org>.
On Tue, 8 Dec 2020, Loren Wilton wrote:
> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide" <in...@amazon.com>
>
> I wonder if it is worth checking for mail from more than one sender at once?
That probably should have hit at least one scored base rule:
https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad. -- James Madison, 1799
-----------------------------------------------------------------------
7 days until Bill of Rights day
Re: Possible spam sign
Posted by "Luis E. Muñoz" <sa...@lem.click>.
On 8 Dec 2020, at 12:47, Grant Taylor wrote:
> I think that the strict RFC specification does allow for multiple
> senders, but I don't remember how it's done and it's so rare that I'd
> accept the false positive.
Yes to both.
-lem
Re: Possible spam sign
Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 12/8/20 11:18 AM, Loren Wilton wrote:
> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide"
> <in...@amazon.com>
Ew.
> I wonder if it is worth checking for mail from more than one sender at
> once?
The BOFH in me would be tempted to add one point for each extra @.
I think that the strict RFC specification does allow for multiple
senders, but I don't remember how it's done and it's so rare that I'd
accept the false positive.
--
Grant. . . .
unix || die
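
The two checks discussed in this thread (a comma-separated multi-address From being valid but rare, addresses run together without commas being malformed, and one point per extra address) can be sketched as follows. This is an added example, not code from any poster or from SpamAssassin's rule set; the function name, verdict labels and sample addresses are constructed, since the archive elides the original header.

```python
import re

# Quoted display names may legally contain "@" and ",", so blank them first.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# Loose addr-spec matcher: good enough for counting, not for validation.
ADDR = re.compile(r'[^\s<>,;:"()@]+@[^\s<>,;:"()@]+')

def analyze_from(value):
    """Classify a From: header value by how many addresses it carries."""
    unfolded = re.sub(r'\r?\n[ \t]+', ' ', value)   # undo header folding
    bare = QUOTED.sub('""', unfolded)
    addresses = ADDR.findall(bare)
    # A valid multi-sender From separates its mailboxes with commas.
    mailboxes = [m for m in bare.split(',') if m.strip()]
    n = len(addresses)
    if n <= 1:
        verdict = "single"
    elif len(mailboxes) == n and all(len(ADDR.findall(m)) == 1 for m in mailboxes):
        verdict = "multiple_rfc_list"      # rare, but syntactically fine
    else:
        verdict = "multiple_malformed"     # addresses not separated by commas
    return {
        "addresses": addresses,
        "verdict": verdict,
        # The "one point for each extra @" idea, counted outside quoted names.
        "extra_at_points": max(n - 1, 0),
    }

# Constructed sample headers (hypothetical addresses).
SAMPLES = {
    "single": '"VA Rate Guide" <info@example.com>',
    "list": '"Alice" <alice@example.org>, Bob <bob@example.net>',
    "malformed": '"VA Rate Guide" <promo@bulk.example>\n <info@example.com>',
    "quoted_at": '"sales@shop, inc" <sales@example.com>',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, analyze_from(header))
```

Scoring only the malformed verdict avoids penalising the legitimate comma-separated form, while the per-address points treat both forms alike.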