Mailing List Archive

Meta for bogus MIME with DKIM valid?
I've been getting a bunch of FNs lately that are managing to avoid my Bayes DB. Invariably, they ALL seem to hit on BOGUS_MIME_VERSION (which I don't know whether it's standard, but I implemented it locally and would recommend it in the distro if it's not there already), and it seems like most of them are ALSO hitting on DKIM_VALID. All of them are _just_ shy of the 5-point threshold.

John or others, might you perhaps sandbox a meta on BOGUS_MIME_VERSION && DKIM_VALID to see if that is worth something against the masscheck? In general, I guess BOGUS_MIME_VERSION might be enough to just be a poison pill, in which case a meta might not be necessary... but I'm curious if it performs even better with meta.

Thanks!

--- Amir
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Fri, 26 Apr 2019 14:05:35 -0600
Amir Caspi wrote:

> I've been getting a bunch of FNs lately that are managing to avoid my
> Bayes DB. Invariably, they ALL seem to hit on BOGUS_MIME_VERSION
> (which I don't know whether is standard, but I implemented it locally
> and would recommend it in the distro if it's not there already),

I think that's from this:

https://readlist.com/lists/incubator.apache.org/spamassassin-users/20/103966.html

where I had:

header BOGUS_MIME_VERSION MIME-Version =~ /^(?!\s*1\.0).+/

it may be better to change that to

/^(?!.*\b1\.0\b).+/

to avoid punishing the form

Mime-Version: (Nosuch Mail 2.0) 1.0

which is valid, though I don't think I've ever seen it (comments are
usually on the right).

IIRC the actual spams didn't have a comment field at all.
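Added example, not code from the thread or from SpamAssassin itself: the two regexes above ported to Python's re module (the lookaheads behave the same as in Perl) and run over constructed MIME-Version values, next to a comment-stripping check and the BOGUS_MIME_VERSION && DKIM_VALID meta asked about in the first post. The names BOGUS_MIME_DKIM, strip_comments and rfc_bogus, and the sample values, are assumptions made here.

```python
import re
from typing import Optional

# The two candidate patterns from the thread, as Python equivalents of
#   header BOGUS_MIME_VERSION MIME-Version =~ /^(?!\s*1\.0).+/
# and its proposed replacement /^(?!.*\b1\.0\b).+/ .
RULE_VARIANTS = {
    # original: fires unless the value starts (after optional whitespace) with 1.0
    "original": re.compile(r"^(?!\s*1\.0).+"),
    # proposed: fires unless the token 1.0 appears anywhere in the value
    "proposed": re.compile(r"^(?!.*\b1\.0\b).+"),
}


def bogus_mime_version(value: Optional[str], variant: str = "proposed") -> bool:
    """True when the header rule would fire on this MIME-Version value.
    A missing header (None) never fires, like a SpamAssassin header rule
    without [if-unset]; an empty value cannot satisfy the trailing .+ either."""
    if value is None:
        return False
    return RULE_VARIANTS[variant].match(value) is not None


def strip_comments(value: str) -> str:
    """Remove RFC 822-style '(...)' comments, innermost first so nesting works,
    then collapse whitespace: '(Nosuch Mail 2.0) 1.0' -> '1.0'.
    Hypothetical helper; SpamAssassin header rules do not do this for you."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", "", value)
    return " ".join(value.split())


def rfc_bogus(value: Optional[str]) -> bool:
    """Strict check: anything other than exactly '1.0' once comments are gone."""
    return value is not None and strip_comments(value) != "1.0"


def rule_hits(mime_version: Optional[str], dkim_valid: bool,
              variant: str = "proposed") -> set:
    """Rule names that fire, including the meta from the first post, which in
    SpamAssassin syntax would read (BOGUS_MIME_DKIM is a name assumed here):
        meta BOGUS_MIME_DKIM (BOGUS_MIME_VERSION && DKIM_VALID)
    DKIM verification itself is taken as an input flag, not re-implemented."""
    hits = set()
    if bogus_mime_version(mime_version, variant):
        hits.add("BOGUS_MIME_VERSION")
    if dkim_valid:
        hits.add("DKIM_VALID")
    if {"BOGUS_MIME_VERSION", "DKIM_VALID"} <= hits:
        hits.add("BOGUS_MIME_DKIM")
    return hits


# Constructed header values: the comment form from the thread plus edge cases.
SAMPLES = [
    "1.0",
    " 1.0",
    "1.0 (Nosuch Mail 2.0)",
    "(Nosuch Mail 2.0) 1.0",
    "2.0",
    "1.01",
    "1.0.1",
    "",
]


def compare_variants(samples=SAMPLES) -> dict:
    """Map each value to (original fires, proposed fires, strict check fires)."""
    return {v: (bogus_mime_version(v, "original"),
                bogus_mime_version(v, "proposed"),
                rfc_bogus(v)) for v in samples}


if __name__ == "__main__":
    print(f"{'MIME-Version value':<26} original proposed strict")
    for value, (orig, prop, strict) in compare_variants().items():
        print(f"{value!r:<26} {orig!s:<8} {prop!s:<8} {strict}")
```

The table shows the two regexes disagreeing on the comment-first form and on "1.01", and both missing "1.0.1", which only the comment-stripping comparison flags.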
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Apr 26, 2019, at 4:51 PM, RW <rwmaillists@googlemail.com> wrote:
>
> header BOGUS_MIME_VERSION MIME-Version =~ /^(?!\s*1\.0).+/
>
> it may be better to change that to
>
> /^(?!.*\b1\.0\b).+/
>
> to avoid punishing the form
>
> Mime-Version: (Nosuch Mail 2.0) 1.0
>
> which is valid, though I don't think I've ever seen it (comments are
> usually on the right).

John, so many of my spams are hitting BOGUS_MIME_VERSION that I would imagine it's worth sandboxing and incorporating into the primary ruleset. AFAICT literally zero of my ham hits this rule, while MOST of my current spam does (667 of 869 messages received in the past 30 days to my personal inbox alone).

This would seem to be a pretty good poison pill, and although I imagine you may not want poison pills within the primary ruleset, maybe it'll score high enough (like BAYES_99) that it'll push even otherwise-low-scoring spam over.

The reason I'm bringing this up again is that I still get a bunch of spam that hits BAYES_50 and doesn't have enough other spammy markers -- too early to have been caught by URIBLs and very few, if any, other content-rule hits -- but does hit BOGUS_MIME_VERSION. But my local score for this is (currently) only 3.0, so these spams get missed. Many of these spams are also DKIM_VALID_AU/EF, so I wonder if that would be a good meta. I don't know why they're hitting BAYES_50 rather than higher (I train my DB pretty well... but this makes me doubt that!), nor why they don't hit any other content rules... they're trying to obfuscate by encoding the spammiest words using HTML entities but I thought that was taken care of via normalize_charset...

Happy to provide some spamples if you need them.

Locally I'll probably increase this marker to a score of 4.0 or possibly even 4.5, since (at least for me) it hits literally zero of my hams (out of 4800+ messages currently in my inbox and another 1100+ hams in my trash -- the latter is only from the past 30 days). [ETA: I actually increased to 4.0 a couple of days ago and it's helped, but some still slip by. I think 4.5 might be a better value.]

Thanks!

--- Amir
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Thu, 16 May 2019, Amir Caspi wrote:

> John, so many of my spams are hitting BOGUS_MIME_VERSION that I would
> imagine it's worth sandboxing and incorporating into the primary
> ruleset.

I've added both versions as unscored rules so we can see how they perform.

> This would seem to be a pretty good poison pill, and although I imagine
> you may not want poison pills within the primary ruleset,

They are generally not a great idea.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The premise of gun control in America is that rural conservatives
must be disarmed because urban leftists are violent and predatory.
-- Grumpy Old Fart @ TSM
-----------------------------------------------------------------------
777 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Thu, 16 May 2019, John Hardin wrote:

> I've added both versions as unscored rules so we can see how they perform.

Masscheck doesn't think much of them:

https://ruleqa.spamassassin.org/20190529-r1860321-n/__BOGUS_MIME_VER_01/detail
https://ruleqa.spamassassin.org/20190529-r1860321-n/__BOGUS_MIME_VER_02/detail

The good news is their S/O is 1.00 (not that that means much given the
small hit rate), and the bulk of the spams they hit currently score zero.

We could manually push them with score = 1.000, and let local admins
decide whether to adjust the score.

Opinions solicited.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We have to realize that people who run the government can and do
change. Our society and laws must assume that bad people -
criminals even - will run the government, at least part of the
time. -- John Gilmore
-----------------------------------------------------------------------
8 days until the 75th anniversary of D-Day
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
At work, we looked at this and decided the rule had no merit based on
current mailstreams. Our guess was that the spam run it hit has ended. It
is a deadweight rule.

On Wed, May 29, 2019, 18:05 John Hardin <jhardin@impsec.org> wrote:

> Masscheck doesn't think much of them:
>
>
> https://ruleqa.spamassassin.org/20190529-r1860321-n/__BOGUS_MIME_VER_01/detail
>
> https://ruleqa.spamassassin.org/20190529-r1860321-n/__BOGUS_MIME_VER_02/detail
>
> The good news is their S/O is 1.00 (not that that means much given the
> small hit rate), and the bulk of the spams they hit currently score zero.
>
> We could manually push them with score = 1.000, and let local admins
> decide whether to adjust the score.
>
> Opinions solicited.
>
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
I’m surprised, a huge percentage of the spam we get hits this rule. I am happy to submit spamples, but it is a very big spam indicator for our little server.

--- Amir
thumbed via iPhone

> On May 29, 2019, at 6:10 PM, Kevin A. McGrail <kmcgrail@apache.org> wrote:
>
> At work, we looked at this and decided the rule had no merit based on current mailstreams. Our guess was that the spam run it hit has ended. It is a deadweight rule.
>
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
I'd be interested in seeing a spample or two. We have virtually no hits
but if it's in the wild, that changes my opinion. The key thing I would
want to know is does this rule push it over the edge or is it already
scoring a bazillion and this just adds to it?
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Wed, May 29, 2019 at 7:44 PM Amir Caspi <cepheid@3phase.com> wrote:

> I’m surprised, a huge percentage of the spam we get hits this rule. I am
> happy to submit spamples, but it is a very big spam indicator for our
> little server.
>
> --- Amir
> thumbed via iPhone
>
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
The reason I brought this issue up on list a couple weeks back is because almost all of my uncaught (FN) spam hits that rule and almost nothing else. Maybe my domain is in the beginning of the popular snowshoe lists. In principle my Bayes should catch these guys but it doesn’t, and I don’t know why... when I train the DB and then re-run the messages, they hit BAYES_99, so clearly the training is working... maybe the messages are just changing enough each time that they don’t hit, I dunno, but it’s very frustrating.

Sometimes this is just an add-on to a big scorer, if it’s late enough that RBLs have gotten hit by the bot run... but early in the run this is the only rule that fires reliably in my system with these spams. I’ve scored it 4.5 locally.

I’ll post spamples later tonight. (And if anyone can debug why my Bayes doesn’t want to pick these up, that’d be awesome... but maybe it’s just a frequency problem.)

Thanks.

--- Amir
thumbed via iPhone

> On May 29, 2019, at 6:47 PM, Kevin A. McGrail <kmcgrail@apache.org> wrote:
>
> I'd be interested in seeing a spample or two. We have virtually no hits but if it's in the wild, that changes my opinion. The key thing I would want to know is does this rule push it over the edge or is it already scoring a bazillion and this just adds to it?
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Wed, 29 May 2019 19:10:38 -0400
Kevin A. McGrail wrote:

> At work, we looked at this and decided the rule had no merit based on
> current mailstreams. Our guess was that the spam run it hit has
> ended. It is a deadweight rule.

It's also extremely lightweight.
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
Fair enough. Happy to look at spamples but I've seen virtually nothing in
the wild for this.
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Thu, May 30, 2019 at 10:58 AM RW <rwmaillists@googlemail.com> wrote:

> On Wed, 29 May 2019 19:10:38 -0400
> Kevin A. McGrail wrote:
>
> > At work, we looked at this and decided the rule had no merit based on
> > current mailstreams. Our guess was that the spam run it hit has
> > ended. It is a deadweight rule.
>
> It's also extremely lightweight.
>
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
Hi Kevin,

Here are some spamples -- I've specifically chosen the ones that did NOT score enough through other means to get tagged, i.e., these are false negatives. Note that many of them have valid DKIM and hit no other markers. (The spample will NOT pass DKIM because headers have been modified for anonymity.) If you run them through NOW you'll probably find they hit Razor and Pyzor and various other things... but they clearly didn't at the time of receipt. Most of them score 4.6 unless they manage to have enough Bayes "poison" to score lower. (And I STILL don't know how they keep hitting only BAYES_50...)

https://pastebin.com/BQH3JgWD
https://pastebin.com/nXtZtUdm
https://pastebin.com/tBQt1Raw
https://pastebin.com/wEGvcs73
https://pastebin.com/nuFJ48k0
https://pastebin.com/ykCuEPNQ
** This last one I received from two different servers within a minute of each other. The first one got nailed by SPFBL so it got marked as spam, but only because the combo of SPFBL (2.2) and local BOGUS_MIME_VERSION (4.0) pushed it over threshold. This spample, the second of the two, didn't get nailed because the relay wasn't in SPFBL, so BOGUS_MIME_VERSION wasn't enough by itself at a score of 4.0, although it WOULD have been enough at a score of 4.5.

I should also mention I've seen at least a few recent ones that hit MailScanner's "Eudora long-MIME-boundary attack" rule. I'm not including those as spamples since they got sanitized by MailScanner so aren't useful, but I figured it was worth mentioning.

My feeling is that BOGUS_MIME_VERSION is incredibly useful during the early hits of snowshoers, before the RBLs, URIBLs, and content hash DBs can catch up. Since it would seem to be 100% spam and 0% ham, I think scoring it very highly (4+ points) would be both safe and useful -- it will help nix these early hits but won't hinder anything else.

From my experience and these spamples, where most of them are scoring 4.6 (with 4.0 of that from BOGUS_MIME_VERSION), an optimal score would be in the range of 4.5 to 4.9 ... that would push these 4.6s to 5.1 or higher.

I've got MANY other examples in the Junk folders on my server, and I would be happy to send them to you privately if needed.

Cheers.

--- Amir

On May 30, 2019, at 9:24 AM, Kevin A. McGrail <kmcgrail@apache.org> wrote:
>
> Fair enough. Happy to look at spamples but I've seen virtually nothing in the wild for this.
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
The rules look to be performing better in masscheck after the updates to
the corpus checking:

https://ruleqa.spamassassin.org/20190604-r1860591-n/__BOGUS_MIME_VER_01/detail
https://ruleqa.spamassassin.org/20190604-r1860591-n/__BOGUS_MIME_VER_02/detail

Certainly worth letting QA do its thing and autoscore?

On Tue, 4 Jun 2019 at 02:10, Amir Caspi <cepheid@3phase.com> wrote:

> Hi Kevin,
>
> Here are some spamples -- I've specifically chosen the ones that did NOT
> score enough through other means to get tagged, i.e., these are false
> negatives. Note that many of them have valid DKIM and hit no other
> markers. (The spample will NOT pass DKIM because headers have been
> modified for anonymity.) If you run them through NOW you'll probably find
> they hit Razor and Pyzor and various other things... but they clearly
> didn't at the time of receipt. Most of them score 4.6 unless they manage
> to have enough Bayes "poison" to score lower. (And I STILL don't know how
> they keep hitting only BAYES_50...)
>
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Jun 4, 2019, at 1:24 PM, Paul Stead <paul.stead@gmail.com> wrote:
>
> Certainly worth letting QA do it's thing and autoscore?

My worry about autoscore is that if it looks at network tests, particularly RBLs, then it may reduce the value of the rule. The primary value of this rule is for early botnet runs before the relays and/or URIs are caught by the RBLs, and for content that doesn't hit any/many other rules (such as all of the spamples I posted). After only a few minutes, the RBLs pick up these runs and the rule becomes relatively less important when considering the network tests... but it's a REALLY good spamminess indicator in isolation. (The same argument applies with/without Bayes.)

So, if autoscore gives it a high value without network/bayes tests but a low value with network/bayes tests, then my strong recommendation would be to give it a single atomic score rather than network/non-network scoreset.

Locally, I've got the score at 4.0, and will be increasing it to 4.5 shortly. At least with my spamset (per the spamples I posted), a score of 4.5 seems to be the "magic" value that should catch almost all the FNs (at least the ones that hit BAYES_50 ... the ones that hit BAYES_00 might require more aggression).

Cheers.

--- Amir
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Jun 4, 2019, at 2:11 PM, Amir Caspi <Cepheid@3phase.com> wrote:
>
> Locally, I've got the score at 4.0, and will be increasing it to 4.5 shortly. At least with my spamset (per the spamples I posted), a score of 4.5 seems to be the "magic" value that should catch almost all the FNs (at least the ones that hit BAYES_50 ... the ones that hit BAYES_00 might require more aggression).

I'm getting a ton of zero-hour snowshoe spam today that's scoring BAYES_50 and hitting no other rules besides BOGUS_MIME_VERSION. These all score 4.6 with BOGUS_MIME_VERSION = 4.0. I'm going to increase locally to 4.5, and that should get rid of these for me... but I think we should really expedite deployment of this rule for production, I expect I'm not the only one this affects...

Cheers.

--- Amir
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Wed, 12 Jun 2019, Amir Caspi wrote:

> I'm getting a ton of zero-hour snowshoe spam today that's scoring BAYES_50 and hitting no other rules besides BOGUS_MIME_VERSION. These all score 4.6 with BOGUS_MIME_VERSION = 4.0. I'm going to increase locally to 4.5, and that should get rid of these for me... but I think we should really expedite deployment of this rule for production, I expect I'm not the only one this affects...

Looks like it's suddenly worthwhile in masscheck as well:

https://ruleqa.spamassassin.org/20190612-r1861099-n/__BOGUS_MIME_VER_01/detail
https://ruleqa.spamassassin.org/20190612-r1861099-n/__BOGUS_MIME_VER_02/detail

I'll add a scored rule.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
804 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
We've been refusing mail based on this stupid error for a year and a half
(local rule) and no false positive has ever come to attention. The volume
averages about 50,000 a day here. Yesterday it was 72,000 from
69.16.199.0/24. It comes from 1 to 3 IP subnets each day, changing daily,
except that the spammer does not send on Sundays. I agree that many of them
hit no other rule.


--
Joseph Brennan
Lead, Email and Systems Applications
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Thursday 13 June 2019 at 17:45:02, Joseph Brennan wrote:

> We've been refusing mail based on this stupid error for a year and a half
> (local rule) and no false positive has ever come to attention. The volume
> averages about 50,000 a day here.

What's that as a percentage of total inbound mail?

> Yesterday it was 72,000 from 69.16.199.0/24. It comes from 1 to 3 IP subnets
> each day, changing daily, except that the spammer does not send on Sundays.

That's not something I've ever come across - more spam during US daylight
time, yes, but less spam on Sundays!?

Fascinating.


Antony.

--
Numerous psychological studies over the years have demonstrated that the
majority of people genuinely believe they are not like the majority of people.

Please reply to the list;
please *don't* CC me.
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Thu, Jun 13, 2019 at 3:01 PM Antony Stone <Antony.Stone@spamassassin.open.source.it> wrote:

> On Thursday 13 June 2019 at 17:45:02, Joseph Brennan wrote:
>
> > We've been refusing mail based on this stupid error for a year and a half
> > (local rule) and no false positive has ever come to attention. The volume
> > averages about 50,000 a day here.
>
> What's that as a percentage of total inbound mail?
>

Ah yes, perspective-- that's of about 1.5 million. But 50,000 is close to
the total number of students, faculty, and staff at the university.

Sunday is the day of rest, right? Go to church, play with the kids, reboot
the spam engine...

Joe Brennan
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
Yes, replying to myself.

It just occurred to me that we refuse mail from hosts in the Spamhaus
lists, so messages from those don't get analyzed by spamassassin. The
50,000 I mentioned is how many were NOT caught that way. I wonder how many
there really are!



--
Joseph Brennan
Lead, Email and Systems Applications
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
I am sorry to say that this spammer seems to have fixed the error. I have
seen none at all for a few weeks. What I *have* seen are heavy spam
barrages once a week that are from similar IP ranges that the spammer used
but without the error. 125,000 today.


--
Joseph Brennan
Lead, Email and Systems Applications
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Jul 8, 2019, at 2:15 PM, Joseph Brennan <brennan@columbia.edu> wrote:
>
> I am sorry to say that this spammer seems to have fixed the error. I have seen none at all for a few weeks. What I *have* seen are heavy spam barrages once a week that are from similar IP ranges that the spammer used but without the error. 125,000 today.

Indeed, I also have not gotten any of these in a while, which is unfortunate because this spammer's "product" unfortunately usually doesn't hit ANY other content rule, including Bayes (WTF), so I'm getting a lot of FN spams with scores of 0.6 or so. Still trying to nail down some other identifying characteristics that can be used for a rule, but coming up empty at the moment.

--- Amir
Re: Meta for bogus MIME with DKIM valid? [ In reply to ]
On Mon, 8 Jul 2019, Joseph Brennan wrote:

> I am sorry to say that this spammer seems to have fixed the error. I have
> seen none at all for a few weeks. What I *have* seen are heavy spam
> barrages once a week that are from similar IP ranges that the spammer used
> but without the error. 125,000 today.

Depending on the IP ranges, it sounds like tarpitting would be a useful
response.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If the rock of doom requires a gentle nudge away from Gaia to
prevent a very bad day for Earthlings, NASA won’t be riding to the
rescue. These days, NASA does dodgy weather research and outreach
programs, not stuff in actual space with rockets piloted by
flinty-eyed men called Buzz. -- Daily Bayonet
-----------------------------------------------------------------------
12 days until the 50th anniversary of Apollo 11 landing on the Moon