
svn commit: rev 6528 - incubator/spamassassin/trunk/rules
Author: jm
Date: Thu Feb 5 19:35:41 2004
New Revision: 6528

Modified:
incubator/spamassassin/trunk/rules/70_cvs_rules_under_test.cf
Log:
trying out some new rules to detect spamware that attempts to evade rDNS/HELO cross-checks by using the sending IP's correct rDNS name as its HELO; if we see HELOs from dynamic IPs using their own rDNS names, I bet it's a good rule. idea from CL

Modified: incubator/spamassassin/trunk/rules/70_cvs_rules_under_test.cf
==============================================================================
--- incubator/spamassassin/trunk/rules/70_cvs_rules_under_test.cf (original)
+++ incubator/spamassassin/trunk/rules/70_cvs_rules_under_test.cf Thu Feb 5 19:35:41 2004
@@ -426,6 +426,37 @@
uri T_HTTP_77 /http:\/\/.{0,2}\%77/
describe T_HTTP_77 Contains a URL-encoded hostname (HTTP77)

+# Interesting new feature; spamware HELO'ing, from a dialup IP addr,
+# using that IP's rDNS entry. We can catch this easily.
+
+# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
+# c-66-176-16-108.se.client2.attbi.com [66.176.16.108]
+# c-67-168-174-61.client.comcast.net [67.168.174.61]
+header T_HELO_DYNAMIC_IPADDR X-Spam-Relays-Untrusted =~ / helo=[^\.]+\d+\D\d+\D\d+\D\d+\D[^\.]*\.\S+\.\S+/i
+# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
+header T_HELO_DYNAMIC_RR X-Spam-Relays-Untrusted =~ / helo=\S*(?:docsis|cable|dsl|adsl|dhcp|cpe)\S*\d+\D+\d+/i
+# fia83-8.dsl.hccnet.nl [62.251.8.83]
+# fia160-115-100.dsl.hccnet.nl [80.100.115.160]
+header T_HELO_DYNAMIC_HCC X-Spam-Relays-Untrusted =~ / helo=\S*\d+\D+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i
+# f88114.upc-f.chello.nl [80.56.88.114]
+header T_HELO_DYNAMIC_CHELLO X-Spam-Relays-Untrusted =~ / helo=\S+upc-f\.chello\.nl/i
+# h0002a5d76857.ne.client2.attbi.com [65.96.12.59]
+header T_HELO_DYNAMIC_ATTBI X-Spam-Relays-Untrusted =~ / helo=\S+\d+\S+\.client2\.attbi\.com/i
+# pcp04024417pcs.toresd01.pa.comcast.net [68.86.206.126]
+# bgp542174bgs.ewndsr01.nj.comcast.net[68.38.144.91]
+header T_HELO_DYNAMIC_COMCAST X-Spam-Relays-Untrusted =~ / helo=(?:pcp|bgp)\S+(?:pcs|bgs)\.comcast\.net/i
+# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com
+# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140]
+header T_HELO_DYNAMIC_ROGERS X-Spam-Relays-Untrusted =~ / helo=CPE\d+\S+\.rogers\.com/i
+# ca-morpark-cuda1-zone7-b-159.vnnyca.adelphia.net[67.23.129.159]
+# tn-greenvillecuda1cable7a-36.atlaga.adelphia.net [68.171.113.36]
+# ky-richmond2a-123.rhmdky.adelphia.net [68.71.36.123]
+# ny-lackawannacadent4-chtwga3a-b-117.buf.adelphia.net [68.71.205.117]
+# fl-edel-u2-c3c-233.pbc.adelphia.net [68.64.89.233]
+header T_HELO_DYNAMIC_ADELPHIA X-Spam-Relays-Untrusted =~ / helo=[a-z]{2}-\S+-\d{1,3}\.[a-z]{3,8}\.adelphia\.net/i
+# pD9E4F89F.dip.t-dialin.net [217.228.248.159]
+header T_HELO_DYNAMIC_DIALIN X-Spam-Relays-Untrusted =~ / helo=[a-z][A-F0-9]+\.dip\./
+
# bug 2992: Proposed new rules, Martin Radford
header T_RCVD_DOUBLE_IP Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with HTTP;/
describe T_RCVD_DOUBLE_IP Bulk email fingerprint (double IP) found
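Review bot: The new rules do not perform the cross-check the log message describes — each regex from T_HELO_DYNAMIC_IPADDR through T_HELO_DYNAMIC_DIALIN matches a dynamic-looking `helo=` token on its own and never compares it with the relay's rDNS, so a legitimate home MTA on a dial-up address that HELOs with its true rDNS name hits exactly like the spamware these target; if the intent is "HELO equals the rDNS of a dynamic IP", the pseudo-header should be tested for both fields together, or these should stay low-scoring test rules folded into a meta rule with a dynamic-rDNS check. The HELO string is attacker-controlled, and T_HELO_DYNAMIC_IPADDR and T_HELO_DYNAMIC_RR stack several adjacent unbounded quantifiers over it (`[^\.]+\d+\D\d+\D\d+\D\d+\D[^\.]*\.\S+\.\S+`, `\S*...\S*\d+\D+\d+`), which backtracks polynomially on long non-matching names; tightening `\D` to `[-.]` and the digit groups to `\d{1,3}` would cut the backtracking and also stop `\D` swallowing dots, which currently lets any hostname with four dotted numbers (e.g. `a1.2.3.4.b.example.com`) match the IPADDR rule. T_HELO_DYNAMIC_DIALIN is the only new rule without the `/i` modifier; if that is deliberate (so `[a-z][A-F0-9]+` does not match ordinary words before `.dip.`) it deserves a comment saying so, otherwise add `/i` for consistency with the rest. Unlike the neighbouring T_HTTP_77 and T_RCVD_DOUBLE_IP, none of the new rules has a `describe` line, e.g. `describe T_HELO_DYNAMIC_IPADDR Relay HELO'd with a dynamic-IP style rDNS hostname`.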