Mailing List Archive

How to write a rule to block phishing?
So, I received an email from "service.intl@paypal.com", Subject "Your
PayPaI account has been limited". This is clearly a phishing attempt and
not a legitimate email from paypal.

I analyzed the headers, the message comes from a server here in the United
States, the spam score is 5, and SpamAssassin says "No Spam". Yea!!
Only not yea, because it's clearly a phishing attempt.

Normally I just add the email address to a blacklist_from.cf file and stop
it that way, but adding "service.intl@paypal.com" to the blacklist_from list
would block any legitimate email from PayPal.

So how does a person write a rule for something like this? I've never
written rules before and not really sure how to.

Thanks

Daryl
RE: How to write a rule to block phishing? [ In reply to ]
Start here: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRules

Then try something like:
# Subrule 1: the Subject line mentions PayPal
header __Custom_NotFromPaypal1 Subject =~ /paypal/i
# Subrule 2: no Received: header mentions a PayPal host
header __Custom_NotFromPaypal2 Received !~ /paypal/i
# Fire only when both subrules hit
meta Custom_NotFromPaypal ( __Custom_NotFromPaypal1 && __Custom_NotFromPaypal2 )
describe Custom_NotFromPaypal Subject line says "PayPal" but it is not mailed from PayPal's servers
score Custom_NotFromPaypal 4.50

Season to suit…

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: Daryl Rose <rosede12@gmail.com>
Sent: Monday, June 15, 2020 3:19 PM
To: users@spamassassin.apache.org
Subject: How to write a rule to block phishing?

So, I received an email from "service.intl@paypal.com", Subject "Your PayPaI account has been limited". This is clearly a phishing attempt and not a legitimate email from paypal.

I analyzed the headers, the message comes from a server here in the United States, the spam score is 5, and SpamAssassin says "No Spam". Yea!! Only not yea, because it's clearly a phishing attempt.

Normally I just add the email address to a blacklist_from.cf file and stop it that way, but adding "service.intl@paypal.com" to the blacklist_from list would block any legitimate email from PayPal.

So how does a person write a rule for something like this?  I've never written rules before and not really sure how to.

Thanks

Daryl
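The meta rule in the reply above, re-implemented in Python so it can be run against a constructed message offline. This is an added example, not SpamAssassin's or the poster's code; the helper names, the lookalike table and the two sample messages are constructed for illustration. It also shows one caveat worth checking before deploying the rule: the Subject in the original post reads "PayPaI" (capital i, not lowercase L), which `/paypal/i` does not match, so the example folds a few common lookalike characters before matching and compares both behaviours.

```python
"""Python re-implementation of the Subject-vs-Received meta rule.

Added example, not SpamAssassin's or the poster's code. Helper names,
the lookalike table and the sample messages are constructed.
"""
import email
import re
from email.message import Message

# The pattern used by both subrules in the .cf snippet above.
PAYPAL_RE = re.compile(r"paypal", re.I)
RULE_SCORE = 4.50

# Lookalike folding (assumption: this small table is enough here).
# Applied before lowercasing so a capital I (as in "PayPaI") folds to "l".
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def fold_lookalikes(text: str) -> str:
    return text.translate(LOOKALIKES).lower()


def subject_mentions_paypal(msg: Message, fold: bool) -> bool:
    subject = msg.get("Subject", "")
    if fold:
        subject = fold_lookalikes(subject)
    return PAYPAL_RE.search(subject) is not None


def received_via_paypal(msg: Message) -> bool:
    # A header rule on a multi-valued name sees every instance, so scan
    # each Received: line; the rule only fires if none mentions PayPal.
    return any(PAYPAL_RE.search(h) for h in msg.get_all("Received", []))


def custom_not_from_paypal(raw: str, fold: bool = True) -> float:
    """Return the points the meta rule adds (0.0 if it does not fire)."""
    msg = email.message_from_string(raw)
    if subject_mentions_paypal(msg, fold) and not received_via_paypal(msg):
        return RULE_SCORE
    return 0.0


# Constructed sample messages (hosts, IDs and addresses are invented).
PHISH = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id 4B2F1A3C
\tfor <daryl@example.org>; Mon, 15 Jun 2020 15:19:00 -0500
From: "PayPal" <service.intl@paypal.com>
To: daryl@example.org
Subject: Your PayPaI account has been limited

Please confirm your details at the link below.
"""

LEGIT = """\
Received: from mx1.paypal.com (mx1.paypal.com [192.0.2.10])
\tby mx.example.org with ESMTPS id 7C9D2E4F
\tfor <daryl@example.org>; Mon, 15 Jun 2020 10:00:00 -0500
From: "service@paypal.com" <service@paypal.com>
To: daryl@example.org
Subject: Receipt for your PayPal payment

You sent a payment.
"""

if __name__ == "__main__":
    print("phish, literal regex:", custom_not_from_paypal(PHISH, fold=False))
    print("phish, with folding: ", custom_not_from_paypal(PHISH))
    print("legit:               ", custom_not_from_paypal(LEGIT))
```

The literal regex scores the lookalike Subject 0.0, the folded version 4.5, and the legitimate message 0.0 because its Received: chain names a PayPal host. Two limits of the Received-based subrule carry over from the .cf version: a sender can insert a forged Received: line containing "paypal" to suppress it, and any ham whose Subject merely mentions PayPal (a colleague asking about an invoice) picks up the full score, which is why the reply's "season to suit" applies to the score as much as the patterns.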
Re: How to write a rule to block phishing? [ In reply to ]
On Mon, 15 Jun 2020, Daryl Rose wrote:

> So, I received an email from "service.intl@paypal.com", Subject "Your
> PayPaI account has been limited". This is clearly a phishing attempt and
> not a legitimate email from paypal.
>
> I analyzed the headers, the message comes from a server here in the United
> States, the spam score is 5, and SpamAssassin says "No Spam". Yea!!
> Only not yea, because it's clearly a phishing attempt.
>
> Normally I just add the email address to a blacklist_from.cf file and stop
> it that way, but adding "service.intl@paypal.com" to the blacklist_from list
> would block any legitimate email from PayPal.
>
> So how does a person write a rule for something like this? I've never
> written rules before and not really sure how to.

All legitimate paypal email is SPF/DKIM signed.

A standard anti-phishing approach is to add a high positive score for a
paypal from address, and then add paypal.com to the authenticated
whitelist:

whitelist_auth *@paypal.com
blacklist_from *@paypal.com
whitelist_auth *@*.paypal.com
blacklist_from *@*.paypal.com

Do this for bank domains, too.

Bayes (after training) should help a lot with those if they contain
obfuscated words.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
After ten years (1998-2008) of draconian gun control in the State
of Massachusetts, the results are in: firearms-related assaults up
78%, firearms-related homicides up 67%, assault-related emergency
room visits up 331%. Gun Control does not reduce violent crime.
-----------------------------------------------------------------------
3 days until SWMBO's Birthday
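The whitelist_auth / blacklist_from pairing in the reply above, simulated in Python so the interaction of the two lists can be checked on constructed messages. This is an added example and not SpamAssassin's code: it takes SPF and DKIM results from an Authentication-Results: header (an assumption; SpamAssassin evaluates SPF and DKIM itself), the rule names and scores are assumed stand-ins for USER_IN_BLACKLIST and the auth-whitelist rules, and the sample headers are invented.

```python
"""Simulation of the whitelist_auth + blacklist_from pairing.

Added example, not SpamAssassin's code. Authentication results are read
from an Authentication-Results: header (assumption: the receiving MTA
adds one). Scores, rule names and sample messages are constructed.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# whitelist_auth *@paypal.com and *@*.paypal.com; blacklist_from the same.
WHITELIST_AUTH = ("paypal.com",)
BLACKLIST_FROM = ("paypal.com",)
# Assumed scores: +100 for the blacklist, -100 for the authenticated
# whitelist, so authenticated PayPal mail nets to zero from this pair.
USER_IN_BLACKLIST = 100.0
USER_IN_AUTH_WHITELIST = -100.0

# Matches "spf=pass ... smtp.mailfrom=<ident>" or "dkim=pass ... header.d=<dom>".
AUTH_PASS_RE = re.compile(
    r"\b(spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", re.I)


def from_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def in_list(domain: str, patterns) -> bool:
    # *@dom matches the domain itself, *@*.dom matches subdomains.
    return any(domain == p or domain.endswith("." + p) for p in patterns)


def authenticated_domains(msg: Message) -> set:
    """Domains for which SPF or DKIM passed, per Authentication-Results:."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for _mech, ident in AUTH_PASS_RE.findall(hdr):
            found.add(ident.rpartition("@")[2].lower())
    return found


def score_sender(raw: str) -> dict:
    """Return the rule hits (name -> points) this pairing would produce."""
    msg = email.message_from_string(raw)
    sender = from_domain(msg)
    hits = {}
    if in_list(sender, BLACKLIST_FROM):
        hits["USER_IN_BLACKLIST"] = USER_IN_BLACKLIST
    # Whitelist only when SPF or DKIM passed for the From: domain itself
    # (assumption: exact alignment required, no subdomain slack).
    if in_list(sender, WHITELIST_AUTH) and sender in authenticated_domains(msg):
        hits["USER_IN_AUTH_WHITELIST"] = USER_IN_AUTH_WHITELIST
    return hits


def total(raw: str) -> float:
    return sum(score_sender(raw).values())


# Constructed sample messages (addresses, IPs and results are invented).
PHISH = """\
Authentication-Results: mx.example.org;
\tspf=fail (sender IP 198.51.100.7 is not authorized) smtp.mailfrom=paypal.com;
\tdkim=none (message not signed)
From: "PayPal" <service.intl@paypal.com>
Subject: Your PayPaI account has been limited

Please confirm your details.
"""

LEGIT = """\
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=service@paypal.com;
\tdkim=pass (2048-bit key) header.d=paypal.com
From: "service@paypal.com" <service@paypal.com>
Subject: Receipt for your PayPal payment

You sent a payment.
"""

OTHER = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bob@example.com
From: Bob <bob@example.com>
Subject: my paypal question

Can you help?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("other", OTHER)):
        print(name, score_sender(raw), total(raw))
```

The spoofed message hits only the blacklist (+100), the authenticated one hits both lists and nets to 0, so it is judged on its other rule hits like any mail, and a third-party message that merely mentions PayPal in the Subject is untouched. That is the property the pairing is after: the From: domain alone is never trusted, only the From: domain plus a passing SPF or DKIM result that aligns with it.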
RE: How to write a rule to block phishing? [ In reply to ]
That's odd. The fraud emails we have gotten do not use an actual PayPal
address as the sender (they have been using @.pp.com), and that is a
legitimate address used to notify users when their accounts have been
limited, which does happen, and they have an FAQ regarding that. One of ours
got limited once because we hadn't logged in for a long time. If it's legit
it should list the reason, and you can go to the actual PayPal site and work
it out from there.

Just saying.

Rick

_____

From: Daryl Rose [mailto:rosede12@gmail.com]
Sent: Monday, June 15, 2020 7:19 PM
To: users@spamassassin.apache.org
Subject: How to write a rule to block phishing?


So, I received an email from "service.intl@paypal.com", Subject "Your PayPaI
account has been limited". This is clearly a phishing attempt and not a
legitimate email from paypal.

I analyzed the headers, the message comes from a server here in the United
States, the spam score is 5, and SpamAssassin says "No Spam". Yea!! Only
not yea, because it's clearly a phishing attempt.

Normally I just add the email address to a blacklist_from.cf file and stop
it that way, but adding "service.intl@paypal.com" to the blacklist_from list
would block any legitimate email from PayPal.

So how does a person write a rule for something like this? I've never
written rules before and not really sure how to.

Thanks

Daryl
Re: How to write a rule to block phishing? [ In reply to ]
On Mon, 15 Jun 2020 18:18:53 -0500
Daryl Rose wrote:

> So, I received an email from "service.intl@paypal.com", Subject "Your
> PayPaI account has been limited". This is clearly a phishing
> attempt and not a legitimate email from paypal.
>
> I analyzed the headers, the message comes from a server here in the
> United States, the spam score is 5, and SpamAssassin says "No Spam".
> Yea!! Only not yea, because it's clearly a phishing attempt.

Presumably because you increased the threshold.
Re: How to write a rule to block phishing? [ In reply to ]
On 15 Jun 2020, at 17:18, Daryl Rose <rosede12@gmail.com> wrote:
> I analyzed the headers, the message comes from a server here in the United States, the spam score is 5, and SpamAssassin says "No Spam".

SpamAssassin thinks the mail is spam if it scored 5. Someone (you?) has changed the default spam score from 5.0 to some other number.

Doing this will result in spam being marked as not spam.




--
The whole thing that makes a mathematician's life worthwhile is that
he gets the grudging admiration of three or four colleagues
Re: How to write a rule to block phishing? [ In reply to ]
I thought that a 5 was an average number and lowering it improves spam
hits. I may end up getting legitimate emails flagged as spam, but I can add
the address to a whitelist_from list. I read that in more than one location.

I believe that I have the required score set to 2.0 or 2.5, or somewhere
around that. I'm not able to look at this moment. But you're saying that
if I change it back to the default score of 5, then I'll catch more spam?

Thanks

Daryl

On Thu, Jun 18, 2020 at 11:02 AM @lbutlr <kremels@kreme.com> wrote:

> On 15 Jun 2020, at 17:18, Daryl Rose <rosede12@gmail.com> wrote:
> > I analyzed the headers, the message comes from a server here in the
> United States, the spam score is 5, and SpamAssassin says "No Spam".
>
> SpamAssassin thinks the mail is spam if it scored 5. Someone (you?) has
> changed the default spam score from 5.0 to some other number.
>
> Doing this will result in spam being marked as not spam.
>
>
>
>
> --
> The whole thing that makes a mathematician's life worthwhile is that
> he gets the grudging admiration of three or four colleagues
>
>
>
Re: How to write a rule to block phishing? [ In reply to ]
On Jun 19, 2020, at 06:06, Daryl Rose <rosede12@gmail.com> wrote:
> I thought that a 5 was an average number and lowering it improves spam hits. I may end up getting legitimate emails flagged as spam, but I can add the address to a whitelist_from list. I read that in more than one location.
>
> I believe that I have the required score set to 2.0 or 2.5, or somewhere around that. I'm not able to look at this moment. But you're saying that if I change it back to the default score of 5, then I'll catch more spam?

You said a message scored 5 and was not classified as spam. The only way this happens is if you INCREASE the score from 5.0 to a higher number.

Setting your score to 2 will mark a huge amount of perfectly legitimate email as spam, but that is not what you described above.
Re: How to write a rule to block phishing? [ In reply to ]
On Fri, 19 Jun 2020, Daryl Rose wrote:

> I thought that a 5 was an average number and lowering it improves spam
> hits. I may end up getting legitimate emails flagged as spam, but I can add
> the address to a whitelist_from list. I read that in more than one location.
>
> I believe that I have the required score set to 2.0 or 2.5, or somewhere
> around that. I'm not able to look at this moment. But you're saying that
> if I change it back to the default score of 5, then I'll catch more spam?

All of the base repo rule scores are assigned with the assumption that
spams should score 5.0 points.

If you change the local spam threshold to less than 5 without also broadly
adjusting the rule scores, more messages will hit - this may potentially
tag more spams (i.e. lower FN rate), but it *will* also tag more hams
(i.e. higher FP rate), which is generally considered worse than some
spams leaking through.

If you change the local spam threshold to more than 5 without also broadly
adjusting the rule scores, fewer messages will hit. This will tag fewer
spams (i.e. higher FN rate) but will tag fewer hams as well (lower FP
rate).

Generally if a given type of spam isn't scoring enough to be tagged as
spam, you want to:

(1) make sure bayes is classifying it as "spammy" (e.g. BAYES_99) - train
bayes using that message if it's not, and if it's being classified as
"hammy" (e.g. BAYES < 30) then review your overall training, your bayes
database is probably mistrained.

(2) try to find some common feature in the spams and develop a local rule
to detect that feature. This can be difficult. If it works, suggest it
here and we may add it to the base rules so that everyone benefits.

Note that there may be rules in the repo that detect that, but if that
feature isn't fairly common in spam that makes it into the masscheck repos
then the rule might not be performing well enough to be promoted for
publication.

Adjusting the spam threshold is generally only something you do if you
really understand what's going on.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Britain used to be the most powerful empire in the world.
Now they're terrified of pocketknives.
How the mighty have fallen. -- Matt Walsh
-----------------------------------------------------------------------
138 days until the Presidential Election