Posted to users@spamassassin.apache.org by "Florescu, Dan Alexandru" <Al...@rompetrol.com> on 2010/12/07 15:20:36 UTC
spam with different "Received" and "To" headers
Hi,
In the last few days some spam messages have been able to elude the filters I use. Upon checking the headers, it seems to be following the same pattern.
Left only a few headers to exemplify:
-----
Received: from localhost (localhost [127.0.0.1]) by mx.company.com (Postfix) with ESMTP id 8BCA320EC86 for <MY...@company.com>;
Received: from blu0-omc2-s12.blu0.hotmail.com (blu0-omc2-s12.blu0.hotmail.com [65.55.111.87]) by mx.company.com (Postfix) with ESMTP id 75B9D20D6C3 for <MY...@company.com>;
X-Originating-IP: [189.158.116.140]
From: Romain Lenoir <ro...@hotmail.fr>
To: <so...@somedomain.com>
Subject: re:
I just earned $31 in a few hours at home on the computer! I went to - Business Week Journal* You will thank me
-----
* this is a <a href=virus_link>Business Week Journal</a> link
My question is: shouldn't there be a rule to verify that the mail specified at "To:" header actually corresponds to the one at "Received: [...] for <>"?
This would be a very effective spam catching rule.
I am using /SpamAssassin version 3.2.3 running on Perl version 5.8.8/ invoked with /amavisd-new-2.5.4 (20080312)/, on Slackware 12.0.0.
Thank you,
Alex F.
The information contained herein is intended for its addressee(s) only and it is privileged or otherwise confidential. Any unauthorized distribution, amendment or disclosure hereof is strictly forbidden by the law. Please find complete and translated versions at http://www.rompetrol.com/disclaimer.html
Re: spam with different "Received" and "To" headers
Posted by John Hardin <jh...@impsec.org>.
On Tue, 7 Dec 2010, Florescu, Dan Alexandru wrote:
> Received: from localhost (localhost [127.0.0.1]) by mx.company.com (Postfix) with ESMTP id 8BCA320EC86 for <MY...@company.com>;
> To: <so...@somedomain.com>
>
> My question is: shouldn't there be a rule to verify that the mail
> specified at "To:" header actually corresponds to the one at "Received:
> [...] for <>"?
> This would be a very effective spam catching rule.
No, it wouldn't. In fact, it would be spectacularly poor. This is the
difference between the envelope header and the message header (look those
terms up for details).
Checking that those match would hit on some spam, but it would also hit on
all mail having more than one recipient, or CCs, or blind CCs.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
8 days until Bill of Rights day
Re: spam with different "Received" and "To" headers
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2010/12/07 9:20 AM, Florescu, Dan Alexandru wrote:
> My question is: shouldn't there be a rule to verify that the mail specified at "To:" header actually corresponds to the one at "Received: [...] for<>"?
No, take this list for example. RCPT TO: will be your address, while
To: is users@spamassassin.apache.org.
> I am using /SpamAssassin version 3.2.3
3.2.3 is over 3 years old. We're on 3.3.1, you should really consider
upgrading.
--
/Jason
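John's and Jason's point (the envelope recipient in "Received: ... for <>" is the SMTP RCPT TO, while "To:" is only a message header) carried through in code, as an added Python example that is not part of the thread. The messages are constructed with placeholder addresses, and the rule implemented is exactly the one the original poster proposed, written out so its false positives on list mail and Bcc copies are visible alongside the spam hit:

```python
import re
from email import message_from_string
from email.utils import getaddresses

# The "for <addr>" clause that MTAs such as Postfix write into a Received:
# header records the envelope recipient (SMTP RCPT TO) of that hop.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;,]+@[^\s<>;,]+)>?", re.IGNORECASE)


def envelope_recipient(msg):
    """Envelope recipient recorded in the topmost Received: header (the hop
    added by our own MX), or None if that header carries no 'for' clause."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    unfolded = " ".join(received[0].split())  # undo header folding
    m = FOR_CLAUSE.search(unfolded)
    return m.group(1).lower() if m else None


def header_recipients(msg):
    """Addresses named in the To: and Cc: message headers. These are for
    display only; the MTA never routes on them."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def naive_rule_hits(raw):
    """The rule proposed in the thread: flag the message when the envelope
    recipient is not listed in To:/Cc:."""
    msg = message_from_string(raw)
    env = envelope_recipient(msg)
    return env is not None and env not in header_recipients(msg)


# Constructed samples (placeholder addresses), modelled on the thread's headers.
RECEIVED = ("Received: from localhost (localhost [127.0.0.1]) by mx.company.example "
            "(Postfix) with ESMTP id 0123456789AB for <me@company.example>; "
            "Tue,  7 Dec 2010 15:20:36 +0000\n")

SPAM = RECEIVED + (
    "From: Someone <someone@hotmail.example>\n"
    "To: <somebody@somedomain.example>\n"
    "Subject: re:\n\n"
    "I just earned $31 in a few hours at home on the computer!\n")

LIST_MAIL = RECEIVED + (
    "From: Jason <jason@i6ix.example>\n"
    "To: users@spamassassin.apache.org\n"
    "Subject: Re: spam with different Received and To headers\n\n"
    "No, take this list for example.\n")

BCC_MAIL = RECEIVED + (
    "From: Alice <alice@partner.example>\n"
    "To: Bob <bob@partner.example>\n"
    "Subject: Q4 invoice\n\n"
    "Copying you on this as a Bcc.\n")

DIRECT_MAIL = RECEIVED + (
    "From: Alice <alice@partner.example>\n"
    "To: <me@company.example>\n"
    "Subject: hello\n\n"
    "Just to you.\n")


def false_positive_report():
    """Which of the constructed messages the naive rule would flag."""
    return {name: naive_rule_hits(raw) for name, raw in
            [("spam", SPAM), ("mailing list", LIST_MAIL),
             ("bcc", BCC_MAIL), ("direct", DIRECT_MAIL)]}


if __name__ == "__main__":
    for name, hit in false_positive_report().items():
        print(f"{name:13s}: {'FLAGGED' if hit else 'ok'}")
```

The spam is flagged, but so are the mailing-list post and the Bcc copy, and only the one-to-one message passes. That is the failure mode John describes: the check cannot tell a forged To: from a legitimate delivery where the envelope recipient is simply not named in the header.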
RE: spam with different "Received" and "To" headers
Posted by "Florescu, Dan Alexandru" <Al...@rompetrol.com>.
Thank you for the answers.
@Jason Bertoch - I'll try to upgrade, although it will be a difficult task (many corporate mails).
@Daniel McDonald - Nice rules, I'm going to integrate it too and see what happens. Funny keywords :D - thanks.
@John Hardin - Your suggestion led me to a very good link: http://www.owlriver.com/spam/stop-spam.html
Re: spam with different "Received" and "To" headers
Posted by Daniel McDonald <da...@austinenergy.com>.
On 12/7/10 8:20 AM, "Florescu, Dan Alexandru"
<Al...@rompetrol.com> wrote:
> Hi,
>
> In the last few days some spam messages have been able to elude the filters I
> use. Upon checking the headers, it seems to be following the same pattern.
>
> I just earned $31 in a few hours at home on the computer! I went to - Business
> Week Journal* You will thank me
> -----
> * this is a <a href=virus_link>Business Week Journal</a> link
>
> My question is: shouldn't there be a rule to verify that the mail specified at
> "To:" header actually corresponds to the one at "Received: [...] for <>"?
> This would be a very effective spam catching rule.
No, it would be a really bad rule, for lots of reasons.
I am trying to catch these by looking for the body pattern:
I {verbed} {money} {verbing} {uri} {salutation}
Here is my current rule. I'd love to get more verbs to add to it, based on
more examples. They seem to have a pretty good thesaurus...
body __SOME_MONEY_HUNDREDS /\$\d{2,3}\b/
describe __SOME_MONEY_HUNDREDS Has a dollar amount up to $one thousand
body __EASY_MONEY /\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)/
describe __EASY_MONEY talks about making easy money
body __EASY_WORK /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home|on the computer)/
describe __EASY_WORK talks about the work being simple
meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
describe AE_WORKFROM_HOME work from home spam
score AE_WORKFROM_HOME 1.00
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
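Daniel's rule set re-expressed in Python as an added example (not from the thread or from the SpamAssassin project), so the sub-rules can be tried against sample bodies offline before they go into a .cf file. The regexes are his, unchanged; the whitespace rendering is an approximation of how SpamAssassin presents the body to "body" rules; and __DOS_HAS_ANY_URI, whose definition is not on the page, is replaced by an assumed URI pattern. The sample bodies are constructed:

```python
import re

# Python translations of the posted rules. SpamAssassin body rules are Perl
# regexes; these patterns reproduce them unchanged (case-sensitive, as posted).
SUBRULES = {
    "__SOME_MONEY_HUNDREDS": re.compile(r"\$\d{2,3}\b"),
    "__EASY_MONEY": re.compile(
        r"\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)"),
    "__EASY_WORK": re.compile(
        r"(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)"
        r"|working at home|on the computer)"),
    # Assumption: a stand-in for SpamAssassin's __DOS_HAS_ANY_URI, whose real
    # definition is not shown in the thread.
    "__DOS_HAS_ANY_URI": re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE),
}

SCORE = 1.00  # "score AE_WORKFROM_HOME 1.00"


def render_body(text):
    """Approximate SpamAssassin's body rendering: newlines and runs of
    whitespace collapse to single spaces before body rules are applied."""
    return " ".join(text.split())


def subrule_hits(body):
    """Which of the __ sub-rules fire on the rendered body."""
    rendered = render_body(body)
    return {name: bool(rx.search(rendered)) for name, rx in SUBRULES.items()}


def ae_workfrom_home_score(body):
    """The meta rule: every sub-rule must fire (logical AND), else no score."""
    return SCORE if all(subrule_hits(body).values()) else 0.0


# Constructed sample bodies. The spam body follows the thread's example, with
# the HTML link replaced by a literal placeholder URL.
SPAM_BODY = ("I just earned $31 in a few hours at home on the computer!\n"
             "I went to - http://example.invalid/journal You will thank me")
HAM_BODY = "I made $20 on the refund; see the invoice attached."

if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(label, subrule_hits(body), "->", ae_workfrom_home_score(body))
```

The ham body trips both __EASY_MONEY ("I made") and __SOME_MONEY_HUNDREDS ("$20") on its own, which is why those two are sub-rules rather than scored rules: only the conjunction with the work-description pattern and a URI scores. Note also that the money pattern's trailing \b means "$3100" does not match, so the describe line's "up to" is enforced by the regex, not just documented.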