Mailing List Archive

Possible spam sign
I just received a spam with this interesting From address:

From: "VA Rate Guide"
<info@alap.vicyced.com><mailings@earthlink.net><mailings@linkedin.com><Support@apple.com><SA.noreply@samsung-mail.com><mailings@gmail.com><account-update@amazon.com>

I wonder if it is worth checking for mail from more than one sender at once?

Loren
Re: Possible spam sign
On Tue, 8 Dec 2020, Loren Wilton wrote:

> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide" <info@alap.vicyced.com><mailings@earthlink.net><mailings@linkedin.com><Support@apple.com><SA.noreply@samsung-mail.com><mailings@gmail.com><account-update@amazon.com>
>
> I wonder if it is worth checking for mail from more than one sender at once?

That probably should have hit at least one scored base rule:

https://ruleqa.spamassassin.org/?rule=%2FFROM_2_



--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad. -- James Madison, 1799
-----------------------------------------------------------------------
7 days until Bill of Rights day
Re: Possible spam sign
> That probably should have hit at least one scored base rule:
>
> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_

Nope. I think my rules are up to date, but maybe not.
Re: Possible spam sign
On Tue, 8 Dec 2020, Loren Wilton wrote:

>> That probably should have hit at least one scored base rule:
>>
>> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>
> Nope. I think my rules are up to date, but maybe not.

Feel free to pastebin it and I'll take a look.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People think they're trading chaos for order [by ceding more and
more power to the Government], but they're just trading normal
human evil for the really dangerous organized kind of evil, the
kind that simply does not give a shit. Only bureaucrats can give
you true evil. -- Larry Correia
-----------------------------------------------------------------------
7 days until Bill of Rights day
Re: Possible spam sign
Loren Wilton wrote on 2020-12-08 19:18:
> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide"
> <info@alap.vicyced.com><mailings@earthlink.net><mailings@linkedin.com><Support@apple.com><SA.noreply@samsung-mail.com><mailings@gmail.com><account-update@amazon.com>
>
> I wonder if it is worth checking for mail from more than one sender at
> once?

Received: from [47.140.131.2] (helo=watson1)
by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4)
(envelope-from <lwilton@earthlink.net>)
id 1kmhZF-0002TY-Oh
for users@spamassassin.apache.org; Tue, 08 Dec 2020 13:18:29 -0500

clear text SASL password?

If the From: header has more domains to block, then block them :=)
Re: Possible spam sign
>>> That probably should have hit at least one scored base rule:
>>>
>>> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>>
>> Nope. I think my rules are up to date, but maybe not.
>
> Feel free to pastebin it and I'll take a look.

https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing
Re: Possible spam sign
On 12/8/20 11:18 AM, Loren Wilton wrote:
> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide"
> <info@alap.vicyced.com><mailings@earthlink.net><mailings@linkedin.com><Support@apple.com><SA.noreply@samsung-mail.com><mailings@gmail.com><account-update@amazon.com>

Ew.

> I wonder if it is worth checking for mail from more than one sender at
> once?

The BOFH in me would be tempted to add one point for each extra @.

I think that the strict RFC specification does allow for multiple
senders, but I don't remember how it's done and it's so rare that I'd
accept the false positive.



--
Grant. . . .
unix || die
Re: Possible spam sign
On 8 Dec 2020, at 12:47, Grant Taylor wrote:

> I think that the strict RFC specification does allow for multiple
> senders, but I don't remember how it's done and it's so rare that I'd
> accept the false positive.

Yes to both.

-lem
Re: Possible spam sign
On Tue, 8 Dec 2020, Loren Wilton wrote:

>>>> That probably should have hit at least one scored base rule:
>>>>
>>>> https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>>>
>>> Nope. I think my rules are up to date, but maybe not.
>>
>> Feel free to pastebin it and I'll take a look.
>
> https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing

That was scanned by SA? Are the SA scan results buried in the
X-VadeSecure-Cause header somehow?

It's too long to hit FROM_2_EMAILS_SHORT, and the longer message rules
that it hits (__HTML_LENGTH_1024_1536 and __PDS_HTML_LENGTH_2048) are
ham-only combos in the masscheck corpus.

I've added some new rules for masscheck eval based on it.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Journalism is about covering important stories.
With a pillow, until they stop moving. -- David Burge
-----------------------------------------------------------------------
7 days until Bill of Rights day
Re: Possible spam sign
On Tue, 8 Dec 2020 10:18:28 -0800
Loren Wilton wrote:

> I just received a spam with this interesting From address:
>
> From: "VA Rate Guide"
> <info@alap.vicyced.com><mailings@earthlink.net><mailings@linkedin.com><Support@apple.com><SA.noreply@samsung-mail.com><mailings@gmail.com><account-update@amazon.com>
>
> I wonder if it is worth checking for mail from more than one sender
> at once?

Multiple senders in "From" headers is rare, but RFC compliant.

What you have there isn't syntactically correct; the addresses aren't
properly separated by commas.
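Grant's "one point for each extra @" idea and the observation above that the spam's From header is not a legal comma-separated mailbox-list, written out as a small checker. This is an added example, not code from the thread or from SpamAssassin. SPAM_FROM is the header quoted in the thread; the Alice/Bob and Carol headers are constructed on example.* domains; the function names and the scoring are my own. It scores only the malformed form (angle-addrs glued together with no comma), so the rare but RFC 5322-compliant multi-author From does not hit, and uses the stdlib parser to confirm that the compliant form really parses as two mailboxes.

```python
"""Count and score the mailboxes in a From: header.

Added example for the thread above; not SpamAssassin code.  RFC 5322
allows From to carry a comma-separated mailbox-list, so the score is
driven by adjacent angle-addrs with no comma between them, which is the
shape of the spam sample and is not legal syntax.
"""
import re
from email import policy
from email.parser import Parser

# Header quoted verbatim in the thread (folded line joined with a space).
SPAM_FROM = (
    '"VA Rate Guide" <info@alap.vicyced.com><mailings@earthlink.net>'
    '<mailings@linkedin.com><Support@apple.com><SA.noreply@samsung-mail.com>'
    '<mailings@gmail.com><account-update@amazon.com>'
)

# Constructed inputs: a legal two-author mailbox-list and a plain single From.
LEGIT_MULTI_FROM = 'Alice <alice@example.org>, Bob <bob@example.net>'
SINGLE_FROM = 'Carol <carol@example.com>'

# One angle-addr, <local@domain>.  A counting heuristic, not the full grammar.
ANGLE_ADDR = re.compile(r'<([^<>@\s]+@[^<>\s]+)>')
# Two angle-addrs with nothing but whitespace between them: not RFC 5322.
GLUED_PAIR = re.compile(r'>\s*<')
# The legal list separator between mailboxes.
COMMA_SEP = re.compile(r'>\s*,\s*')


def analyze_from(header_value):
    """Return address count, separator counts and a spam score for one From value."""
    addrs = ANGLE_ADDR.findall(header_value)
    glued = len(GLUED_PAIR.findall(header_value))
    commas = len(COMMA_SEP.findall(header_value))
    # One point per extra address, but only for the glued (malformed) form,
    # so a comma-separated multi-author From scores nothing here.
    return {
        'addresses': addrs,
        'count': len(addrs),
        'glued': glued,
        'comma_separated': commas,
        'rfc_compliant_list': glued == 0,
        'score': glued,
    }


def stdlib_address_count(header_value):
    """Mailboxes and defects the stdlib RFC 5322 parser reports for a From value."""
    msg = Parser(policy=policy.default).parsestr(
        f'From: {header_value}\n\nbody\n')
    from_hdr = msg['From']
    return len(from_hdr.addresses), len(from_hdr.defects)


if __name__ == '__main__':
    for label, value in (('spam', SPAM_FROM),
                         ('legit multi', LEGIT_MULTI_FROM),
                         ('single', SINGLE_FROM)):
        result = analyze_from(value)
        print(f"{label:12s} count={result['count']} glued={result['glued']} "
              f"commas={result['comma_separated']} score={result['score']}")
    print('stdlib sees', stdlib_address_count(LEGIT_MULTI_FROM),
          'for the legal two-author header')
```

In SpamAssassin terms the same heuristic is a `header` rule on the raw `From` header matching `>\s*<`, with `tflags multiple` so that each glued-on address adds to the score; the comma-separated legal form never matches that pattern.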