Mailing List Archive

Permitting email only from designated domain server
I'd like to prevent or give a high score to any email that has a from
address of *@ebay.com which does not come from an ebay.com email server.

I want to do the opposite of what "whitelist_from_rcvd" does.

Is this possible in SA? Does a "blacklist_from_rcvd" function exist?

Thanks,
Dan
Re: Permitting email only from designated domain server [ In reply to ]
On Sat, 21 Feb 2004, Dan Bullock wrote:

>
> I'd like to prevent or give a high score to any email that has a from
> address of *@ebay.com which does not come from an ebay.com email server.
>
> I want to do the opposite of what "whitelist_from_rcvd" does.
>
> Is this possible in SA? Does a "blacklist_from_rcvd" function exist?

We here at my domain have many users using ebay, and I personally can't
remember any spam from ebay so far. So why do you want them to get
blacklisted anyway?

regards,
Matthias
Re: Permitting email only from designated domain server [ In reply to ]
My explanation wasn't very good. My intent is to be able to score those
phishing emails that pretend to be ebay emails and ask for their ebay
login etc.

All ebay emails should come from an ebay email server. So I want to
score any email that claims to be from ebay and does not originate from
an ebay email server.
Does that explain my intent a bit better?

Thanks,
Dan



Matthias Fuhrmann wrote:

> On Sat, 21 Feb 2004, Dan Bullock wrote:
>
>
>
>> I'd like to prevent or give a high score to any email that has a from
>> address of *@ebay.com which does not come from an ebay.com email
>> server.
>>
>> I want to do the opposite of what "whitelist_from_rcvd" does.
>>
>> Is this possible in SA? Does a "blacklist_from_rcvd" function exist?
>>
>
>
> We here at my domain have many users using ebay, and I personally can't
> remember any spam from ebay so far. So why do you want them to get
> blacklisted anyway?
>
> regards,
> Matthias
>
>
>
>
Re: Permitting email only from designated domain server [ In reply to ]
For example, I can whitelist any email from ebay this way:
whitelist_from_rcvd *@ebay.com ebay.com

But I also want to prevent emails claiming to be from ebay that are not
from their email servers. So something like this would be desired:
blacklist_from_rcvd *@ebay.com ebay.com

So that anything with a from address of *@ebay.com and not from an ebay
server would get flagged.

The problem is I see no reference that a blacklist_from_rcvd type of tag
exists in SA and I don't know of another way to accomplish what I want.

Dan
Re: Permitting email only from designated domain server [ In reply to ]
On Sat, 21 Feb 2004, Dan Bullock wrote:

>
> My explanation wasn't very good. My intent is to be able to score those
> phishing emails that pretend to be ebay emails and ask for their ebay
> login etc.
>
> All ebay emails should come from an ebay email server. So I want to
> score any email that claims to be from ebay and does not originate from
> an ebay email server.
>
> Does that explain my intent a bit better?

Yes, it does. But SPF (Sender Policy Framework) isn't yet available within
SA, so I don't have a clue how to get those pseudo-ebay spammers.
Maybe you can use trusted_network on those ebay MX servers, preventing
extra points from these DNS blacklist requests.

sorry, not much...

regards,
Matthias
Re: Permitting email only from designated domain server [ In reply to ]
I suppose I could give anything from an ebay mail server +50 points and
score anything from an *@ebay.com email address with say 25 points. I
think that would have the effect I'm looking for. ?

Dan

Matthias Fuhrmann wrote:

>On Sat, 21 Feb 2004, Dan Bullock wrote:
>
>
>
>>My explanation wasn't very good. My intent is to be able to score those
>>phishing emails that pretend to be ebay emails and ask for their ebay
>>login etc.
>>
>>All ebay emails should come from an ebay email server. So I want to
>>score any email that claims to be from ebay and does not originate from
>>an ebay email server.
>>
>>Does that explain my intent a bit better?
>>
>>
>
>Yes, it does. But SPF (Sender Policy Framework) isn't yet available within
>SA, so I don't have a clue how to get those pseudo-ebay spammers.
>Maybe you can use trusted_network on those ebay MX servers, preventing
>extra points from these DNS blacklist requests.
>
>sorry, not much...
>
>regards,
>Matthias
>
>
>
>
Re: Permitting email only from designated domain server [ In reply to ]
----- Original Message -----
From: "Dan Bullock" <danb-lists@aspitel.com>
To: <spamassassin-users@incubator.apache.org>
Sent: Saturday, February 21, 2004 10:29 AM
Subject: Re: Permitting email only from designated domain server


>
> I suppose I could give anything from an ebay mail server +50 points and
> score anything from an *@ebay.com email address with say 25 points. I
> think that would have the effect I'm looking for. ?
>
> Dan
>
> Matthias Fuhrmann wrote:
>
> >On Sat, 21 Feb 2004, Dan Bullock wrote:
> >
> >
> >
> >>My explanation wasn't very good. My intent is to be able to score those
> >>phishing emails that pretend to be ebay emails and ask for their ebay
> >>login etc.
> >>
> >>All ebay emails should come from an ebay email server. So I want to
> >>score any email that claims to be from ebay and does not originate from
> >>an ebay email server.
> >>
> >>Does that explain my intent a bit better?
> >>
> >>
> >
> >Yes, it does. But SPF (Sender Policy Framework) isn't yet available within
> >SA, so I don't have a clue how to get those pseudo-ebay spammers.
> >Maybe you can use trusted_network on those ebay MX servers, preventing
> >extra points from these DNS blacklist requests.
> >
> >sorry, not much...
> >
> >regards,
> >Matthias
> >
> >
Try a meta rule - there's lots of help on the rules wiki for the format.
Basically:

header __NO_EBAY_SERVER blah, blah
header __EBAY_ADDR blah, blah
meta EBAY_PHISH __EBAY_ADDR && __NO_EBAY_SERVER
description blah, blah
score blah, blah
RE: Permitting email only from designated domain server [ In reply to ]
It should be possible using a set of meta rules in a compound statement.
Here is a sample for the AOL problem that some people were having. I'm
sure the above is nowhere near correct as I suck at regexp. But this
was pieced together from the stop rules. But the concept should hold
true. You will need to create a separate rule for the from ebay email
addresses that gives them a positive number but this would override that
with a bigger negative number if the below case is valid as well.

header ONLY_BYCM_FROM From =~ /\bebay\.com\b/i
describe ONLY_BYCM_FROM FROM AN EBAY USER

header MSGID_FROM_MTA_EBAY Message-Id =~ /<MC\d{1,2}-F{1,2}\w{21,22}\@\S*ebay\.com>/i
describe MSGID_FROM_MTA_EBAY Message-Id was added by an ebay.com relay

meta VALID_EBAY_EMAIL (ONLY_BYCM_FROM && MSGID_FROM_MTA_EBAY)
describe VALID_EBAY_EMAIL Valid ebay senders
score VALID_EBAY_EMAIL -20


Gary Wayne Smith




-----Original Message-----
From: Dan Bullock [mailto:danb-lists@aspitel.com]
Sent: Saturday, February 21, 2004 7:30 AM
To: spamassassin-users@incubator.apache.org
Subject: Re: Permitting email only from designated domain server


I suppose I could give anything from an ebay mail server +50 points and
score anything from an *@ebay.com email address with say 25 points. I
think that would have the effect I'm looking for. ?

Dan

Matthias Fuhrmann wrote:

>On Sat, 21 Feb 2004, Dan Bullock wrote:
>
>
>
>>My explanation wasn't very good. My intent is to be able to score those
>>phishing emails that pretend to be ebay emails and ask for their ebay
>>login etc.
>>
>>All ebay emails should come from an ebay email server. So I want to
>>score any email that claims to be from ebay and does not originate from
>>an ebay email server.
>>
>>Does that explain my intent a bit better?
>>
>>
>
>Yes, it does. But SPF (Sender Policy Framework) isn't yet available within
>SA, so I don't have a clue how to get those pseudo-ebay spammers.
>Maybe you can use trusted_network on those ebay MX servers, preventing
>extra points from these DNS blacklist requests.
>
>sorry, not much...
>
>regards,
>Matthias
>
>
>
>
Re: Permitting email only from designated domain server [ In reply to ]
Gary Smith wrote:

>It should be possible using a set of meta rules in a compound statement.
>
>

Thank you Gary! Do you happen to have the AOL version of this handy so
I can compare the two?

Dan

p.s. sorry for top-posting earlier
RE: Permitting email only from designated domain server [ In reply to ]
This is the last one that I saw. Someone had a link to a page that had
good information on creating the META based rules but I seemed to have
deleted it. I also can't remember the link to the archive but I know
it's in there as well.

meta AOL_MESSED_UP ( NO_RDNS_DOTCOM_HELO && FAKE_HELO_AOL )
describe AOL_MESSED_UP Let's not compound the felony here
score AOL_MESSED_UP -2


-----Original Message-----
From: Dan Bullock [mailto:danb-lists@aspitel.com]
Sent: Saturday, February 21, 2004 9:35 AM
To: spamassassin-users@incubator.apache.org
Subject: Re: Permitting email only from designated domain server

Gary Smith wrote:

>It should be possible using a set of meta rules in a compound
statement.
>
>

Thank you Gary! Do you happen to have the AOL version of this handy so

I can compare the two?

Dan

p.s. sorry for top-posting earlier
Re: Permitting email only from designated domain server [ In reply to ]
Gary Smith wrote:

>It should be possible using a set of meta rules in a compound statement.
>
>
How about this. +15 for any ebay address, but -100 for an ebay address
that has an MTA of ebay.com ?


# EBAY
header CS_EBAY_FROM From =~ /ebay\.com\b/i
describe CS_EBAY_FROM FROM AN EBAY ADDRESS
score CS_EBAY_FROM 15.0
whitelist_from_rcvd *@ebay.com ebay.com
Re: Permitting email only from designated domain server [ In reply to ]
On Saturday 21 February 2004 18:39, Dan Bullock wrote:
> Gary Smith wrote:
> >It should be possible using a set of meta rules in a compound statement.
>
> How about this. +15 for any ebay address, but -100 for an ebay address
> that has an MTA of ebay.com ?
>
>
> # EBAY
> header CS_EBAY_FROM From =~ /ebay\.com\b/i
> describe CS_EBAY_FROM FROM AN EBAY ADDRESS
> score CS_EBAY_FROM 15.0
> whitelist_from_rcvd *@ebay.com ebay.com

How far back in the headers does that check? I've been seeing spam where the
first hop is a faked received from valid_ebay_ip by the spammer's host...
Re: Permitting email only from designated domain server [ In reply to ]
On Sat, Feb 21, 2004 at 08:25:12PM +0000, Duncan Hill wrote:
> >
> > whitelist_from_rcvd *@ebay.com ebay.com
>
> How far back in the headers does that check? I've been seeing spam where the
> first hop is a faked received from valid_ebay_ip by the spammer's host...

SA assumes that hosts named in trusted_networks (i.e. those hosts which
accept mail on your behalf) can be relied upon to report the correct
incoming IP address, and checks that the last untrusted hop matches the
third term in the rule. Doesn't matter if a spammer fakes it further
down the Received lines, it's the one where they deliver it to your
network that counts.

Nick
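Gary's meta-rule sketch (From claims the domain AND the mail did not arrive from that domain's server) and Nick's description of the last-untrusted-hop check, modelled together in a small Python script added here; it is not SpamAssassin's code and was not posted by anyone in the thread. The trusted network, the designated relay domains and the Received lines are constructed assumptions, and the FORGED chain is the case Duncan raises: a spammer's host that forges an inner ebay.com hop.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed for this example: our own MX hosts (trusted_networks) and the
# relay domains each sending domain's mail is allowed to arrive from.
TRUSTED_NETWORKS = [ip_network("192.0.2.0/24")]
DESIGNATED = {"ebay.com": ["ebay.com"]}
# rDNS name and IP as recorded by the receiving MTA: "from HELO (rdns [ip]) by"
RCVD_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[(\d+(?:\.\d+){3})\]\)")

def parse_hops(received):
    """(rdns_name, ip) per Received header, newest (closest to us) first."""
    found = (RCVD_RE.search(h) for h in received)
    return [(m.group(1).lower(), ip_address(m.group(2))) for m in found if m]

def last_untrusted_hop(hops):
    """Walk outward from our MX; the first hop outside trusted_networks is the
    host that handed us the mail. Lines below it were written by that host
    and may be forged, so they are never consulted."""
    for name, ip in hops:
        if not any(ip in net for net in TRUSTED_NETWORKS):
            return name, ip
    return None

def from_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else None

def designated_phish(from_header, received):
    """The meta rule: From claims a designated domain AND the last untrusted
    hop is not one of that domain's own servers."""
    dom = from_domain(from_header)
    hop = last_untrusted_hop(parse_hops(received))
    if dom not in DESIGNATED or hop is None:
        return False
    return not any(hop[0] == d or hop[0].endswith("." + d) for d in DESIGNATED[dom])

# Constructed Received chains (newest first). In FORGED the spammer's host
# HELOs as mx1.ebay.com and forges an inner ebay.com hop, but our MX recorded
# its real rDNS and IP, and that hop is the one the check uses.
LEGIT = [
    "from mx2.example.net (mx2.example.net [192.0.2.5]) by mail.example.net",
    "from mx1.ebay.com (mx1.ebay.com [198.51.100.7]) by mx2.example.net",
]
FORGED = [
    "from mx2.example.net (mx2.example.net [192.0.2.5]) by mail.example.net",
    "from mx1.ebay.com (dsl-pool.example.org [203.0.113.9]) by mx2.example.net",
    "from mx1.ebay.com (mx1.ebay.com [198.51.100.7]) by mx1.ebay.com",
]
```

The internal hop from mx2.example.net is skipped because it is inside the trusted network, so the rDNS our own MX recorded for the delivering host is what decides the verdict.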
Re: Permitting email only from designated domain server [ In reply to ]
Nick Leverton wrote:

>SA assumes that hosts named in trusted_networks (i.e. those hosts which
>accept mail on your behalf) can be relied upon to report the correct
>incoming IP address, and checks that the last untrusted hop matches the
>third term in the rule. Doesn't matter if a spammer fakes it further
>down the Received lines, it's the one where they deliver it to your
>network that counts.
>
>Nick
>
>
>

This rule set seems to work pretty well, in the limited time I've tested it.
I've now used the same rule set for paypal, ebay, aol, equifax, chase,
and etrade.

It actually would be nice to have a broad rule that says, "if the domain
in the FROM address does not have a header with a valid/matching reverse
IP lookup in the header then score with -x points."

Dan
Re: Permitting email only from designated domain server [ In reply to ]
From: "Dan Bullock" <danb-lists@aspitel.com>

> Nick Leverton wrote:
>
> >SA assumes that hosts named in trusted_networks (i.e. those hosts which
> >accept mail on your behalf) can be relied upon to report the correct
> >incoming IP address, and checks that the last untrusted hop matches the
> >third term in the rule. Doesn't matter if a spammer fakes it further
> >down the Received lines, it's the one where they deliver it to your
> >network that counts.
> >
> >Nick
> >
> >
> >
>
> This rule set seems to work pretty well, in the limited time I've tested it.
> I've now used the same rule set for paypal, ebay, aol, equifax, chase,
> and etrade.
>
> It actually would be nice to have a broad rule that says, "if the domain
> in the FROM address does not have a header with a valid/matching reverse
> IP lookup in the header then score with -x points."

Can variables be assigned and used within rules somehow? That would be the
easy solution. It allows you to make macros.

{^_^}
Re: Permitting email only from designated domain server [ In reply to ]
On Sat, Feb 21, 2004 at 03:58:34PM -0500, Dan Bullock wrote:
>
> It actually would be nice to have a broad rule that says, "if the domain
> in the FROM address does not have a header with a valid/matching reverse
> IP lookup in the header then score with -x points."

Unfortunately that would catch a vast amount of genuine mail too.
I'd venture to guess that most domains are hosted by ISPs on multi-domain
servers; only larger firms bother to run their own. And whilst I think
you can return several results to a reverse IP lookup, almost no ISP
actually does that. It also has implications for people who get their
IP connectivity from other ISPs than the one hosting their mail (me,
for instance :)).

What you're trying to do, though, is being addressed by the SPF project.
If you search the archives you'll find some of the problems and solutions
that people are seeking to overcome.

Nick
Re: Permitting email only from designated domain server [ In reply to ]
On Mon, 2004-02-23 at 03:52, Nick Leverton wrote:

> What you're trying to do, though, is being addressed by the SPF project.
> If you search the archives you'll find some of the problems and solutions
> that people are seeking to overcome.

...unfortunately neither paypal nor ebay are publishing SPF records.

Fire up your mail clients and start pestering them to do this!

--
John Hardin KA7OHZ
Internal Systems Administrator/Guru voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute an
emergency on my part.
- David W. Barts in a.s.r
-----------------------------------------------------------------------
7 days until ICQ Corp goes away - have you installed Jabber yet?