Posted to users@spamassassin.apache.org by Juerg Reimann <jr...@jworld.ch> on 2013/06/12 21:30:38 UTC
PayPal spam filter?
Hi there,
Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?
Thanks,
Juerg
Re: PayPal spam filter?
Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2013-06-12 at 21:30 +0200, Juerg Reimann wrote:
> Is there a filter to block PayPal phishing mails, i.e. everything that
> claims to come from PayPal but is not?
>
I was going to suggest that you could treat anything whose Message-ID
doesn't end with 'paypal.com' as spam, but it's a bit more complex than
that:
- if Paypal has an office in the same country as an account holder, the
message seems to originate there. A genuine message I examined says
it's from e.paypal.co.uk and has URIs containing emea.e.paypal.com
- the message-id contains @e-dialog.com but it's immediately
followed by an X-mail-from header containing @emea.e.paypal.com
- OTOH all the images and links in the message body are encrypted links
to URIs that are recognisably in the PayPal domain.
It might be safe to treat it as ham if all the From and Reply-to headers
have the same domain name which contains 'paypal', the message-ID ends
in '@e-dialog.com' and the X-mail-to X-match headers end in 'paypal.com'
and finally all the URIs in the body contain the same paypal-specific
partial URI, but it's your call.
HTH
Martin
RE: PayPal spam filter?
Posted by Andrew Talbot <an...@gmail.com>.
I just had to weigh in here to say that we have DCC_CHECK scored up to a 4, and all of these kinds of spam messages get caught by that because they always hit at least another 1 point worth of rules.
Also, those two rules require plugins, I believe.
> -----Original Message-----
> From: Juerg Reimann [mailto:jr@jworld.ch]
> Sent: Wednesday, June 26, 2013 6:42 PM
> To: users@spamassassin.apache.org
> Cc: 'Benny Pedersen'
> Subject: RE: PayPal spam filter?
>
> Hi Benny
>
> Thanks for your tip. Could you elaborate on this a bit? First of all, a rule with
> the name SPF_DID_NOT_PASS or DKIM_DID_NOT_PASS seems not to exist.
> How and where would I configure this?
>
> Thanks,
> Juerg
>
> > -----Original Message-----
> > From: Benny Pedersen [mailto:me@junc.eu]
> > Sent: Wednesday, June 12, 2013 9:38 PM
> > To: users@spamassassin.apache.org
> > Subject: Re: PayPal spam filter?
> >
> > Juerg Reimann skrev den 2013-06-12 21:30:
> >
> > > Is there a filter to block PayPal phishing mails, i.e. everything
> > > that claims to come from PayPal but is not?
> >
> > meta SPF_DID_NOT_PASS (!SPF_PASS)
> >
> > simple ? :=)
> >
> > if PayPal does use DKIM then it could be checked with
> >
> > meta DKIM_DID_NOT_PASS (!DKIM_VALID_AU)
> >
> > phishing emails seldom pass these 2 tests
> >
> > --
> > senders that put my email into body content will deliver it to my own
> > trashcan, so if you like to get reply, dont do it
RE: PayPal spam filter?
Posted by Juerg Reimann <jr...@jworld.ch>.
Hi Benny
Thanks for your tip. Could you elaborate on this a bit? First of all, a rule with the name SPF_DID_NOT_PASS or DKIM_DID_NOT_PASS seems not to exist. How and where would I configure this?
Thanks,
Juerg
> -----Original Message-----
> From: Benny Pedersen [mailto:me@junc.eu]
> Sent: Wednesday, June 12, 2013 9:38 PM
> To: users@spamassassin.apache.org
> Subject: Re: PayPal spam filter?
>
> Juerg Reimann skrev den 2013-06-12 21:30:
>
> > Is there a filter to block PayPal phishing mails, i.e. everything that
> > claims to come from PayPal but is not?
>
> meta SPF_DID_NOT_PASS (!SPF_PASS)
>
> simple ? :=)
>
> if PayPal does use DKIM then it could be checked with
>
> meta DKIM_DID_NOT_PASS (!DKIM_VALID_AU)
>
> phishing emails seldom pass these 2 tests
>
> --
> senders that put my email into body content will deliver it to my own
> trashcan, so if you like to get reply, dont do it
Re: PayPal spam filter?
Posted by Benny Pedersen <me...@junc.eu>.
Juerg Reimann skrev den 2013-06-12 21:30:
> Is there a filter to block PayPal phishing mails, i.e. everything
> that claims to come from PayPal but is not?
meta SPF_DID_NOT_PASS (!SPF_PASS)
simple ? :=)
if PayPal does use DKIM then it could be checked with
meta DKIM_DID_NOT_PASS (!DKIM_VALID_AU)
phishing emails seldom pass these 2 tests
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: PayPal spam filter?
Posted by RW <rw...@googlemail.com>.
On Fri, 14 Jun 2013 12:38:47 +1200
Jason Haar wrote:
> On 14/06/13 07:08, Neil Schwartzman wrote:
> > Sure is. Also DMARCed and SPFed too.
> >
> > ;; QUESTION SECTION:
> > ;paypal.com. IN TXT
> >
> > ;; ANSWER SECTION:
> > paypal.com. 7 IN TXT "v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"
> >
>
> Yeah but notice "~all" is not "-all". ie they are saying that
> legitimate Paypal email comes from those specific sources - except
> when it doesn't
It's possible that the domains are also used for the mail of paypal
employees.
>
> I don't understand why "~all" exists at all. It's like a "checkbox"
> security feature: "oh yeah, our domain uses SPF!"
IIRC the original intention was that "-" would be used for outright
rejection, and "~" as information for spam filters.
Re: PayPal spam filter?
Posted by RW <rw...@googlemail.com>.
On Mon, 17 Jun 2013 10:48:34 +1200
Jason Haar wrote:
> Just a FYI but SA scores failures of "~all" much stronger than it does
> for "-all"
They all score under one point.
>
> http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html
>
>
> That's it - I'm removing SPF...
The chief reason for running SPF is authenticated whitelisting.
Re: PayPal spam filter?
Posted by Michael Orlitzky <mi...@orlitzky.com>.
On 06/16/2013 06:48 PM, Jason Haar wrote:
> Just a FYI but SA scores failures of "~all" much stronger than it does
> for "-all"
>
> eg I just deliberately forged an email for my own domain and SA picked
> up the SPF hard failure.... and added 0.0 to the final score :-(
>
> The logic of the score is well documented, just shows how much SPF
> doesn't work
>
> http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html
>
The reasoning is sound. Softfail has a better ham/spam ratio than
hardfail. Which is beside the point -- SPF is not a spam filtering
mechanism. It prevents HELO/MAIL FROM forgery. If you don't want to
accept forgeries (this is independent of what you want to do with spam),
reject the hardfails.
Re: PayPal spam filter?
Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2013-06-17 at 18:51 +1200, Jason Haar wrote:
> On 17/06/13 16:14, Benny Pedersen wrote:
> > Jason Haar skrev den 2013-06-17 00:48:
> >
> >> That's it - I'm removing SPF...
> >
> > hardfail is for the MTA, softfail is for SpamAssassin; if your MTA accepts
> > SPF hardfail, then you asked for it yourself
> >
> ?? SA scores hardfails as 0.0 due to the high positive rate. Therefore
> blocking on SPF hardfails must lead to a high FP rate too? If your
> organization is willing to live with valid email being bounced, fine -
> but I'm going to listen to our SA overlords on this one...
>
My understanding is that the score SA assigns to SPF is irrelevant.
SPF's purpose is to prevent backscatter. It does that by giving any site
that receives an undeliverable message the means to recognise the
forgery: if the sending IP is outside the range published in a '-all'
SPF record it's definitely a forgery, and if it's in a '~all' SPF record
it might be forged. It's pointless to send a rejection message if the
undeliverable message has a forged sender, so most sites don't do that.
As a result, you don't get backscatter if a spammer is forging your
address as the sender of his spam.
SPF isn't, and never was AFAIK, a useful way to recognise spam that is
sent directly to you.
At least, that is the basis for my use of SPF. I've got almost no
backscatter since I set up an SPF record. If it happens to add a small
amount to a spam score that's a bonus, but I don't in any way rely on it
to flag up spam.
Martin
> (...or the SA score is incorrect of course. This thread is a bit of a
> challenge - here we have an example of SA saying one thing, and everyone
> else [well, 3 people ;)] saying "block hardfails" on the other. One must
> be right and the other wrong...?)
>
Re: PayPal spam filter?
Posted by Benny Pedersen <me...@junc.eu>.
Jason Haar skrev den 2013-06-17 08:51:
> ?? SA scores hardfails as 0.0 due to the high positive rate.
> Therefore
> blocking on SPF hardfails must lead to a high FP rate too? If your
> organization is willing to live with valid email being bounced, fine
> -
> but I'm going to listen to our SA overlords on this one...
Scores in SpamAssassin are based on a corpus of ham and spam, and a
corpus with SPF fail does not exist; you can reject them at the MTA
stage, and if wanted one can score it whatever one likes in SpamAssassin.
I don't see a problem there, other than users not managing user_prefs
themselves :=)
meta SPF_FAIL (3)
will dynamically add 3 points to the scores of SPF_FAIL
> (...or the SA score is incorrect of course. This thread is a bit of a
> challenge - here we have an example of SA saying one thing, and
> everyone
> else [well, 3 people ;)] saying "block hardfails" on the other. One
> must
> be right and the other wrong...?)
Are you sure you are really checking envelope_from in SA? It would be a
big mistake to check From:. Are trusted_networks/internal_networks
set up as they should be?
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: PayPal spam filter?
Posted by Jason Haar <Ja...@trimble.com>.
On 17/06/13 16:14, Benny Pedersen wrote:
> Jason Haar skrev den 2013-06-17 00:48:
>
>> That's it - I'm removing SPF...
>
> hardfail is for the MTA, softfail is for SpamAssassin; if your MTA accepts
> SPF hardfail, then you asked for it yourself
>
?? SA scores hardfails as 0.0 due to the high positive rate. Therefore
blocking on SPF hardfails must lead to a high FP rate too? If your
organization is willing to live with valid email being bounced, fine -
but I'm going to listen to our SA overlords on this one...
(...or the SA score is incorrect of course. This thread is a bit of a
challenge - here we have an example of SA saying one thing, and everyone
else [well, 3 people ;)] saying "block hardfails" on the other. One must
be right and the other wrong...?)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: PayPal spam filter?
Posted by Benny Pedersen <me...@junc.eu>.
Jason Haar skrev den 2013-06-17 00:48:
> That's it - I'm removing SPF...
hardfail is for the MTA, softfail is for SpamAssassin; if your MTA accepts
SPF hardfail, then you asked for it yourself
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: PayPal spam filter?
Posted by Jason Haar <Ja...@trimble.com>.
Just a FYI but SA scores failures of "~all" much stronger than it does
for "-all"
eg I just deliberately forged an email for my own domain and SA picked
up the SPF hard failure.... and added 0.0 to the final score :-(
The logic of the score is well documented, just shows how much SPF
doesn't work
http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html
That's it - I'm removing SPF...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: PayPal spam filter?
Posted by Benny Pedersen <me...@junc.eu>.
Jason Haar skrev den 2013-06-14 02:38:
> Yeah but notice "~all" is not "-all". ie they are saying that
> legitimate
> Paypal email comes from those specific sources - except when it
> doesn't
If it's pass then it's PayPal; if it's softfail then we are unsure, is
what it means.
> I don't understand why "~all" exists at all. It's like a "checkbox"
> security feature: "oh yeah, our domain uses SPF!"
Is gmail.com better? Neutral, but spammers here can't send anyway,
since I use pypolicyd-spf to reject non-SPF-pass domains. Remember SPF
is a policy on the sender; it does not mean you may accept their policy.
PayPal is the #1 phished domain on PhishTank; PayPal does not care about it
:(
An example I have is that they use another domain to track their news
mails, and the link is to an https page; browsers do always say paypal, I
need to pay attention.
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: PayPal spam filter?
Posted by Jason Haar <Ja...@trimble.com>.
On 14/06/13 07:08, Neil Schwartzman wrote:
> Sure is. Also DMARCed and SPFed too.
>
> ;; QUESTION SECTION:
> ;paypal.com. IN TXT
>
> ;; ANSWER SECTION:
> paypal.com. 7 IN TXT "v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"
>
Yeah but notice "~all" is not "-all". ie they are saying that legitimate
Paypal email comes from those specific sources - except when it doesn't
I don't understand why "~all" exists at all. It's like a "checkbox"
security feature: "oh yeah, our domain uses SPF!"
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: PayPal spam filter?
Posted by Neil Schwartzman <ne...@cauce.org>.
On Jun 12, 2013, at 3:37 PM, Daniel McDonald <da...@austinenergy.com> wrote:
> I believe Paypal is DKIM signed,
Sure is. Also DMARCed and SPFed too.
;; QUESTION SECTION:
;paypal.com. IN TXT
;; ANSWER SECTION:
paypal.com. 7 IN TXT "v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"
--------------------------------------------------------------------------------------------------------
; <<>> DiG 9.8.3-P1 <<>> _adsp._domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_adsp._domainkey.paypal.com. IN A
;; AUTHORITY SECTION:
paypal.com. 60 IN SOA ppns1.phx.paypal.com. hostmaster.paypal.com. 2010186301 7200 900 86400 60
;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 13 15:05:47 2013
;; MSG SIZE rcvd: 102
localhost:durbl spamfighter$ dig _domainkey.paypal.com
; <<>> DiG 9.8.3-P1 <<>> _domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1064
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_domainkey.paypal.com. IN A
;; AUTHORITY SECTION:
paypal.com. 60 IN SOA ppns1.phx.paypal.com. hostmaster.paypal.com. 2010186301 7200 900 86400 60
;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 13 15:06:27 2013
;; MSG SIZE rcvd: 96
Re: PayPal spam filter?
Posted by RW <rw...@googlemail.com>.
On Wed, 12 Jun 2013 15:26:29 -0500 (CDT)
David B Funk wrote:
> However this will not hit all the "human engineered" variants which
> try to fool people into thinking that they're PayPal (EG: PayPaI)
> or which have "PayPal" in the comment field part of the address/URL
> but have a completely different actual target host.
And you need to be a little careful about hitting addresses created to
use with paypal that contain "paypal". OTOH I think it would be
unlikely for paypal to be in the name part of the header without it being
either from paypal or spam.
Perhaps something like:
header __PAYPAL_IN_FROMNAME From:name =~ /paypal/i
header __ADDRESS_IN_FROMNAME From:name =~ /\@/
header __FUZZY_PAYPAL_FROM From:addr =~ /(?!paypal)p[ao]yp[ao][il1]/i
meta FAKE_PAYPAL !USER_IN_DEF_DKIM_WL && ( __FUZZY_PAYPAL_FROM || __PAYPAL_IN_FROMNAME && !__ADDRESS_IN_FROMNAME )
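The same four checks in Python, as an added example that is not part of RW's post or of SpamAssassin: the fuzzy pattern is the one from __FUZZY_PAYPAL_FROM, the display-name test mirrors __PAYPAL_IN_FROMNAME and !__ADDRESS_IN_FROMNAME, and the whole thing is skipped for a DKIM-whitelisted sender as the FAKE_PAYPAL meta rule does. It goes a little beyond the posted rules in two ways, both marked in the code: the fuzzy pattern is also run over the display name (so "PayPaI Service" hits, which the posted rule only catches in the address), and a few Cyrillic letters that render like Latin ones are folded to ASCII first. The dkim_whitelisted flag stands in for the USER_IN_DEF_DKIM_WL result and is supplied by the caller; the confusables table is a small assumed subset, not the full Unicode data.

```python
"""Look-alike checks on a From: header, following the __FUZZY_PAYPAL_FROM,
__PAYPAL_IN_FROMNAME and FAKE_PAYPAL rules from the thread and going a
little beyond them (fuzzy match on the display name, Cyrillic folding).
Added example, not the list's or SpamAssassin's code."""
import re
import unicodedata
from email.utils import parseaddr

# Same pattern as __FUZZY_PAYPAL_FROM: near misses of "paypal" but never
# the exact word, so an address such as paypal@example.org does not hit.
FUZZY_PAYPAL = re.compile(r"(?!paypal)p[ao]yp[ao][il1]", re.IGNORECASE)

# Cyrillic letters that render like Latin ones (assumed subset of the
# Unicode confusables data, enough for the brand name in question).
CONFUSABLES = str.maketrans({
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u0456": "i",   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",   # CYRILLIC SMALL LETTER PALOCHKA
})


def fold(text):
    """NFKC-normalise, map confusables to ASCII and lower-case."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()


def classify_from(from_header, dkim_whitelisted=False):
    """Names of the sub-rules that fire for one From: header value.

    An empty list means 'not flagged'.  As in the posted meta rule, a
    DKIM-whitelisted sender is never flagged, whatever the header says:
    genuine PayPal mail is expected to get through that way, not by an
    exemption for the display name.
    """
    if dkim_whitelisted:
        return []
    name, addr = parseaddr(from_header)
    fname, faddr = fold(name), fold(addr)
    hits = []
    if FUZZY_PAYPAL.search(faddr):
        hits.append("fuzzy_addr")            # __FUZZY_PAYPAL_FROM
    if faddr != addr.lower():
        hits.append("confusable_addr")       # extension: folding changed the address
    if "@" not in name:                      # !__ADDRESS_IN_FROMNAME
        if "paypal" in fname:
            hits.append("paypal_in_name")    # __PAYPAL_IN_FROMNAME
        elif FUZZY_PAYPAL.search(fname):
            hits.append("fuzzy_name")        # extension: PayPaI, poypal, ...
    return hits


def fake_paypal(from_header, dkim_whitelisted=False):
    """Boolean form of the FAKE_PAYPAL meta rule."""
    return bool(classify_from(from_header, dkim_whitelisted))
```

Note that a genuine "PayPal <service@paypal.com>" is flagged unless the caller reports it as DKIM-whitelisted; that is how the posted rule behaves too, and it is why the rule only makes sense on a host where the DKIM plugin and def_whitelist_from_dkim are active. A user's own "paypal@example.org" address is left alone by both the exact-word exclusion in the pattern and the absence of "paypal" in the display name.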
Re: PayPal spam filter?
Posted by Benny Pedersen <me...@junc.eu>.
David B Funk skrev den 2013-06-12 22:26:
> You could create rules to try to spot all those varients but it's
> a "catchup" game.
It's easier in ClamAV, but I have seen PayPal emails originate from
PayPal IPs that contain their so-called analysing URLs; the only test
that works is if there are https and http links, then it's a phish.
I have seen many phish mails that do this with anchor URLs that are https,
but the URL is just http or even an IP; SSL can't be good on IP hosts.
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
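The check Benny describes, visible anchor text that reads as an https PayPal URL while the real href is plain http or a bare IP, written out as an added example that is not part of his post or of SpamAssassin. It walks every <a> in an HTML body, compares the link text with the href when the text itself looks like a URL, and reports three kinds of disagreement: an https-looking text over an http target, a target host that is a bare IP address, and a text host that differs from the target host. The HTML is constructed for the example, and the "last two labels" shortcut for the registrable domain is an assumption; a real deployment would consult the public suffix list instead.

```python
"""Flag links whose visible text and real target disagree: an
https-looking anchor over an http or bare-IP href, or a different host.
Added example, not the list's or SpamAssassin's code.  SAMPLE_HTML is
constructed; registrable() is a two-label shortcut, not a PSL lookup."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><body>
<p>Please <a href="https://www.paypal.com/signin">log in to PayPal</a>.</p>
<p>Or use <a href="http://203.0.113.7/pp/login.php">https://www.paypal.com/cgi-bin/webscr</a></p>
<p>Details: <a href="http://paypal.com-verify.example/x">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_host(host):
    """True when the href host is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Last two labels of a host name (assumed shortcut, not a PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like_url(text):
    """Only compare hosts when the anchor text itself is presented as a URL."""
    return "://" in text or (text.startswith("www.") and " " not in text)


def suspicious_links(html):
    """Return [(href, text, reasons)] for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        reasons = []
        if target.hostname and is_ip_host(target.hostname):
            reasons.append("ip_host")            # bare IP target, as in the post
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.scheme == "https" and target.scheme == "http":
                reasons.append("https_text_http_href")
            if (shown.hostname and target.hostname
                    and registrable(shown.hostname) != registrable(target.hostname)):
                reasons.append("host_mismatch")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Only the two deceptive links in the sample are reported; the plain "log in to PayPal" anchor has no URL-like text to compare and is left alone, which keeps the check quiet on ordinary marketing mail where every link is a tracking redirect with descriptive text.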
Re: PayPal spam filter?
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 12 Jun 2013, Daniel McDonald wrote:
> On 6/12/13 2:30 PM, "Juerg Reimann" <jr...@jworld.ch> wrote:
>
>> Hi there,
>>
>> Is there a filter to block PayPal phishing mails, i.e. everything that claims
>> to come from PayPal but is not?
>
> I believe Paypal is DKIM signed, so it shouldn't be hard to modify these
> rules for PayPal:
>
> header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
> header __L_ML2 exists:List-Id
> header __L_ML3 exists:List-Post
> header __L_ML4 exists:Mailing-List
> header __L_HAS_SNDR exists:Sender
> meta __L_VIA_ML __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
> header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
> header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
> header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
> header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
> meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
> header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
> meta L_UNVERIFIED_YAHOO !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
> priority L_UNVERIFIED_YAHOO 500
> score L_UNVERIFIED_YAHOO 2.5
> meta L_UNVERIFIED_GMAIL !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
> priority L_UNVERIFIED_GMAIL 500
> score L_UNVERIFIED_GMAIL 2.5
However this will not hit all the "human engineered" variants which
try to fool people into thinking that they're PayPal (EG: PayPaI)
or which have "PayPal" in the comment field part of the address/URL
but have a completely different actual target host.
You could create rules to try to spot all those variants but it's
a "catchup" game.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: PayPal spam filter?
Posted by Daniel McDonald <da...@austinenergy.com>.
On 6/12/13 2:30 PM, "Juerg Reimann" <jr...@jworld.ch> wrote:
> Hi there,
>
> Is there a filter to block PayPal phishing mails, i.e. everything that claims
> to come from PayPal but is not?
I believe Paypal is DKIM signed, so it shouldn't be hard to modify these
rules for PayPal:
header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
meta L_UNVERIFIED_YAHOO !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5
meta L_UNVERIFIED_GMAIL !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
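The logic of Daniel's L_UNVERIFIED_* rules, generalised to any author domain that is expected to sign, as an added example written for this page and not code from the post or from SpamAssassin: a message whose From: domain is on the watched list scores 2.5 unless it carries an aligned DKIM pass or shows the list headers that __L_VIA_ML looks for. Instead of verifying signatures itself it reads the Authentication-Results header that the receiving MTA adds, and it trusts only results stamped with OUR_AUTHSERV_ID (an assumed name for your own MTA), since anyone can put such a header into a message they send you. Alignment is relaxed, so mail from e.paypal.com signed by paypal.com counts as aligned; that is this example's choice, and the sample messages are constructed for it.

```python
"""Score a message whose From: names a domain that is expected to sign
with DKIM but arrives with no aligned DKIM pass, skipping list traffic.
Added example after the L_UNVERIFIED_* rules; not the list's or
SpamAssassin's code.  Reads Authentication-Results from our own MTA
(OUR_AUTHSERV_ID is an assumed name); the sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.example.org"                          # assumed: our MTA's authserv-id
WATCHED_DOMAINS = ("paypal.com", "yahoo.com", "gmail.com")  # domains expected to sign
SCORE = 2.5                                                 # as in the posted rules

LIST_PRECEDENCE = re.compile(r"\b(list|bulk)\b", re.IGNORECASE)


def via_mailing_list(msg):
    """__L_VIA_ML: list headers or a Sender: header mean the signature may
    legitimately have been broken or replaced in transit."""
    if LIST_PRECEDENCE.search(msg.get("Precedence", "")):
        return True
    return any(h in msg for h in ("List-Id", "List-Post", "Mailing-List", "Sender"))


def dkim_pass_domains(msg):
    """Signing domains (header.d=) with dkim=pass, taken only from
    Authentication-Results headers whose authserv-id is ours."""
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != OUR_AUTHSERV_ID:
            continue                         # foreign or forged A-R header: ignore
        for clause in results.split(";"):
            if re.match(r"\s*dkim\s*=\s*pass\b", clause, re.IGNORECASE):
                m = re.search(r"header\.d=([\w.-]+)", clause, re.IGNORECASE)
                if m:
                    domains.add(m.group(1).lower())
    return domains


def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def in_domain(dom, parent):
    return dom == parent or dom.endswith("." + parent)


def aligned(author_domain, signing_domains):
    """Author-domain alignment: the signer is the From: domain or a parent
    of it (relaxed alignment; e.paypal.com signed by paypal.com counts)."""
    return any(in_domain(author_domain, d) for d in signing_domains)


def unverified_sender_score(raw_message):
    msg = message_from_string(raw_message)
    author = from_domain(msg)
    if not any(in_domain(author, w) for w in WATCHED_DOMAINS):
        return 0.0                           # not a domain we expect to be signed
    if via_mailing_list(msg):
        return 0.0                           # !__L_VIA_ML
    if aligned(author, dkim_pass_domains(msg)):
        return 0.0                           # DKIM_VALID_AU equivalent
    return SCORE


# Constructed samples: headers, a blank line, a one-line body.
LEGIT = ("From: PayPal <service@paypal.com>\n"
         "Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com"
         " header.i=@paypal.com; spf=softfail smtp.mailfrom=bounce@example.net\n"
         "\nYour receipt.\n")
PHISH = ("From: PayPal <service@paypal.com>\n"
         "Authentication-Results: mx.example.org; dkim=none; spf=softfail"
         " smtp.mailfrom=user@example.net\n"
         "\nVerify your account.\n")
FORGED_AR = ("From: PayPal <service@paypal.com>\n"
             "Authentication-Results: mx.attacker.example; dkim=pass header.d=paypal.com\n"
             "\nVerify your account.\n")
VIA_LIST = ("From: Alice <alice@gmail.com>\n"
            "List-Id: Users list <users.lists.example>\n"
            "Authentication-Results: mx.example.org; dkim=fail header.d=gmail.com\n"
            "\nHello list.\n")
SUBDOMAIN = ("From: PayPal <noreply@e.paypal.com>\n"
             "Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com\n"
             "\nNewsletter.\n")
```

The FORGED_AR sample is the case to keep in mind when writing rules of this kind: a dkim=pass stamped by someone else's authserv-id is worth nothing, so an MTA that does this should also strip inbound Authentication-Results headers claiming its own identity before adding its own.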