Mailing List Archive

What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?
The email below slipped through my spam filter.

It has malicious content attached which purports to be a voicemail from
comcast (I've snipped the attachment from the example) but it is
actually a phishing attack. The attachment contains a link that goes to
a web page at an obscure domain that prompts you to log into your
comcast account.

As you can see by the headers, this email was well-trusted by SA with a
score of -2.7.

I don't think I can rely much on bayes filtering for these kinds of
emails since the body has so little text (or do I make a bad assumption
here?). And to my untrained eye, the only thing that looks suspicious is
line 40 which says: "smtprelay.hostedemail.com".

So what's the giveaway that this is spam and what rule can I add to get
SA to recognize it as such? And what is the best way for me to learn how
to analyze the headers so I can recognize spam myself? Any good
tutorials for this?



1 Return-Path: <x-flnltycomcastvoicemail_ref.no01hds@comcast.net>
2 Delivered-To: catchall@example.org
3 Received: from email.example.org
4 by email.example.org with LMTP
5 id EkqVDIVdYGCceQAAW5pcLQ
6 (envelope-from <x-flnltycomcastvoicemail_ref.no01hds@comcast.net>)
7 for <catchall@example.org>; Sun, 28 Mar 2021 06:42:13 -0400
8 Received: by email.example.org (Postfix, from userid 115)
9 id 2489422533; Sun, 28 Mar 2021 06:42:13 -0400 (EDT)
10 Authentication-Results: email.example.org;
11 dkim=pass (2048-bit key; secure) header.d=comcast.net header.i=@comcast.net header.b="PSvQlJTc";
12 dkim-atps=neutral
13 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on email.example.org
14 X-Spam-Level:
15 X-Spam-Status: No, score=-2.7 required=4.0 tests=BAYES_50,DKIM_SIGNED,
16 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID,
17 MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI,
18 RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
19 autolearn_force=no version=3.4.2
20 Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=96.114.154.164; helo=resqmta-po-05v.sys.comcast.net; envelope-from=x-flnltycomcastvoicemail_ref.no01hds@comcast.net; receiver=<UNKNOWN>
21 Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [96.114.154.164])
22 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
23 (No client certificate requested)
24 by email.example.org (Postfix) with ESMTPS id F22E6215BD
25 for <office@example.org>; Sun, 28 Mar 2021 06:42:11 -0400 (EDT)
26 Received: from resimta-po-42v.sys.comcast.net ([96.114.154.212])
27 by resqmta-po-05v.sys.comcast.net with ESMTP
28 id QSrxlUJdvoWleQSrxlMdfB; Sun, 28 Mar 2021 10:42:09 +0000
29 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net;
30 s=20190202a; t=1616928129;
31 bh=vkwV5ud3feChWZLQsYrnwAqC5q/gOtq5c2+sZwvKGUI=;
32 h=Received:Received:Message-ID:Received:Received:From:Subject:To:
33 Content-Type:MIME-Version:Date;
34 b=PSvQlJTcBWsdJnqw5X2ghcFhFC/KDs9orh5uzVOpepDAf2rxUTc3bG03diY25hkLB
35 fKraMiHrMsG0UjujPtZPBZ10Wvs+b/pCliySBbDhG4hPak0kJwkoe8INCCabIiNkCc
36 8LcCU2x8x5mK0WrbPxGQatIXplKMnAjK7Tr/v27aGvxFxfBjkeDL7DrG6AHNvjtv+P
37 N8/WmgYIX2MldH9NM5DFb1OIsENAGdRT2SQnBW+t67wJ9JvIl6D8ZpAXLK0Ra8rrZw
38 GbL3gsz49PAoDxAJTuMpWnvmef6J7o/xwV98mMj9s0Dyk3Y+IF2xtoz6CVzDjK/nHy
39 7YHOQjMWIrXJQ==
40 Received: from smtprelay.hostedemail.com ([216.40.44.63])
41 by resimta-po-42v.sys.comcast.net with ESMTP
42 id QSrwlZX7FX3qEQSrwlyoxt; Sun, 28 Mar 2021 10:42:08 +0000
43 X-Xfinity-VAAS: <SNIP>
44 X-Xfinity-VMeta: sc=5.00;st=legit
45 X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=4;DMARC=F
46 Message-ID: QSrwlZX7FX3qEQSrwlyoxt.1616928128.bcb9cc98f861a2c7a8b119d18ed7fa74.MISSINGID@comcast.net
47 Received: from omf14.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60])
48 by smtprelay03.hostedemail.com (Postfix) with ESMTP id 03D8F837F24D
49 for <example@comcast.net>; Sun, 28 Mar 2021 10:42:08 +0000 (UTC)
50 Received: from DESKTOP-TNPBEGP (unknown [62.182.99.94])
51 (Authenticated sender: upshall@xplornet.com)
52 by omf14.hostedemail.com (Postfix) with ESMTPA id 332FB268E40
53 for <example@comcast.net>; Sun, 28 Mar 2021 10:42:06 +0000 (UTC)
54 From: "X-FlNlTYcomcastvoicemail_ref.no01HDS@comcast.net"
55 <X-FlNlTYcomcastvoicemail_ref.no01HDS@comcast.net>
56 Subject: Re:
57 To: example@comcast.net
58 Content-Type: multipart/mixed; boundary="3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0"
59 MIME-Version: 1.0
60 Date: Sun, 28 Mar 2021 11:42:06 +0100
61 X-Antivirus: avast! (VPS 200331-6, 03/31/2020), Outbound message
62 X-Antivirus-Status: Clean
63 X-Rspamd-Server: rspamout03
64 X-Rspamd-Queue-Id: 332FB268E40
65 X-Stat-Signature: srieurr5dxcfhswsun6zh94m7jszub5d
66 X-HE-Tag: 1616928126-260672
67
68 This is a multi-part message in MIME format
69
70 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
71 Content-Type: multipart/alternative;
72 boundary="3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1"
73
74 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1
75 Content-Type: text/plain
76 Content-Transfer-Encoding: quoted-printable
77
78 - This mail is in HTML. Some elements may be ommited in plain text. -
79
80 You have voicemail. Transcript attached. "View" it
81
82 ---March 28---
83
84 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1
85 Content-Type: text/html
86 Content-Transfer-Encoding: quoted-printable
87
88 <HTML><HEAD></HEAD>
89 <BODY>
90 <P>You have voicemail.&nbsp;Transcript attached. "View" it </P>
91 <P>&nbsp;</P>
92 <P>---March 28---</P></BODY></HTML>
93
94 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1--
95
96 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
97 Content-Type: application/octet-stream;
98 name="Xf.txt"
99 Content-Transfer-Encoding: base64
100 Content-Disposition: attachment;
101 filename="Xf.txt"
102
103 RGVhciB1c2VyLA0KDQpZb3VyIHZvaWNlbWFpbCBpcyBpbnNpZGUgdGhlIG90aGVyIGF0dGFjaG1l
104 bnQuDQoNClRoYW5rIHlvdSwNClhmaW5pdHkgTWFuYWdlbWVudA==
105
106 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
107 Content-Type: application/octet-stream;
108 name="Mar-28 Voicemail.eml"
109 Content-Transfer-Encoding: base64
110 Content-Disposition: attachment;
111 filename="Mar-28 Voicemail.eml"
112
113 <SNIP>
Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?
On 28.03.21 12:01, Steve Dondley wrote:
>The email below slipped through my spam filter.
>
>It has malicious content attached which purports to be a voicemail
>from comcast (I've snipped the attachment from the example) but it is
>actually a phishing attack. The attachment contains a link that goes
>to a web page at an obscure domain that prompts you to log into your
>comcast account.
>
>As you can see by the headers, this email was well-trusted by SA with
>a score of -2.7.
>
>I don't think I can rely much on bayes filtering for these kinds of
>emails since the body has so little text (or do I make a bad
>assumption here?). And to my untrained eye, the only thing that looks
>suspicious is line 40 which says: "smtprelay.hostedemail.com".
>
>So what's the giveaway that this is spam and what rule can I add to
>get SA to recognize it as such? And what is the best way for me to
>learn how to analyze the headers so I can recognize spam myself? Any
>good tutorials for this?

- BAYES_50 means the BAYES filter didn't decide. You can train it by feeding it
into "spamassassin -r"

- RCVD_IN_DNSWL_HI and RCVD_IN_MSPIKE_H2 are both whitelists.
That means that the sending IP is in two separate whitelists.

Probably you could forward it to abuse@comcast.net for them to handle
that. Otherwise you can manually change the scores for them (it looks like the score
of RCVD_IN_MSPIKE_H2 was already decreased, from what I remember).

- INVALID_MSGID, MSGID_FROM_MTA_HEADER and OBFU_TEXT_ATTACH are spam signs.
This shows that the mail was really messed up.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?
(You got other good advice; I'll try to avoid being redundant.)

This looks like it really came from comcast's servers, but it's hard to
read headers that have been miswrapped.

I tend to tweak up scores of rules that fire on spam that slips through,
and tweak down scores of rules that misfire on ham.

I would recommend running spamassassin -t on this to see what points are
from what rules; the passing score doesn't show this but if you use -t
you'll see it all at the end.

RCVD_IN_DNSWL_HI really seems strange. Perhaps comcast has separate IP
blocks for mail from them, and mail from customers (verizon for example,
back when they did customer mail, had verizon.com and verizon.net, which
I suspect had separate MTAs). I really don't understand DNSWL listing
criteria for HI, but to me that should indicate that there is a
vanishingly small chance of spam, and that more or less means only
company-originated mail, and definitely not mail sent by random
customers some of whom might have compromised accounts.

So I would look to moderate the negative score from DNSWL_HIGH, as you
have a counterexample to the ham-only theory.
Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?
>
> 15 X-Spam-Status: No, score=-2.7 required=4.0 tests=BAYES_50,DKIM_SIGNED,
> 16 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID,
> 17 MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI,
> 18 RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
> 19 autolearn_force=no version=3.4.2

It’s not immediately obvious which IP should hit RCVD_IN_DNSWL_HI. None of the IPs mentioned are on that level at dnswl.org <http://dnswl.org/> (and I assume also not in the mailspike data).

— Matthias
Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?
On Sun, 28 Mar 2021, Steve Dondley wrote:

> So what's the giveaway that this is spam and what rule can I add to get SA to
> recognize it as such? And what is the best way for me to learn how to analyze
> the headers so I can recognize spam myself? Any good tutorials for this?

The obfuscated "xfinity" in the From header is what caught my eye:

> 54 From: "X-FlNlTYcomcastvoicemail_ref.no01HDS@comcast.net"
> 55 <X-FlNlTYcomcastvoicemail_ref.no01HDS@comcast.net>

If you keep seeing such, then a FUZZY_XFINITY_FM rule might be worthwhile.

Unfortunately it was sent via Comcast MTAs so SPF/DKIM aren't helpful
here to detect spoofing.

A From header address rule for "comcastvoicemail" might be useful as well,
depending on whether or not you get legitimate voicemail announcements
from Comcast and what they look like.

> 78 - This mail is in HTML. Some elements may be ommited in plain text. -

Spelling and grammar errors potentially give Bayes something to work with.
Feed the message to Bayes as spam.

> 107 Content-Type: application/octet-stream;
> 108 name="Mar-28 Voicemail.eml"

That filename looks suspicious. .eml is an attachment generally used for
mailbox-format email message attachments. Why would a voicemail be
delivered in that format?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...if the government does not trust me to own firearms,
why or how can the people be expected to trust the government?
-- Theodore Haas, Dachau survivor
-----------------------------------------------------------------------
4 days until April Fools' day
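As an added example (not from any of the posts in this thread), here is a local.cf fragment that turns the suggestions above into SpamAssassin rules: John Hardin's fuzzy "xfinity" and "comcastvoicemail" From checks and the .eml attachment check, a body rule on the voicemail lure text, a meta rule combining them, and the moderated RCVD_IN_DNSWL_HI score that the second and third replies argue for. Rule names, regexes and score values are my own choices to be tuned against local ham; the only value taken from elsewhere is the stock RCVD_IN_DNSWL_HI score.

```conf
# Added example: local.cf rules for the fake Comcast voicemail message.
# After editing, run "spamassassin --lint", then "spamassassin -t < msg.eml"
# to see the per-rule scores at the end of the report.

# Obfuscated "xfinity" in the From header (the sample has "X-FlNlTY",
# with l/I substituted for i). Allows common look-alike characters.
header   LOCAL_FUZZY_XFINITY_FM  From =~ /x[-_.]?f[il1|]n[il1|]t[yv]/i
describe LOCAL_FUZZY_XFINITY_FM  Obfuscated "xfinity" in From header
score    LOCAL_FUZZY_XFINITY_FM  2.0

# "comcastvoicemail" in the From address. Lower the score if genuine
# Comcast voicemail notices with such addresses arrive locally.
header   LOCAL_COMCAST_VM_FROM   From:addr =~ /comcastvoicemail/i
describe LOCAL_COMCAST_VM_FROM   From address claims to be Comcast voicemail
score    LOCAL_COMCAST_VM_FROM   1.5

# A .eml attachment is an odd way to deliver a voicemail transcript.
# mimeheader needs the MIMEHeader plugin (loaded by default in v320.pre).
mimeheader LOCAL_ATTACH_EML      Content-Disposition =~ /filename=.*\.eml\b/i
describe   LOCAL_ATTACH_EML      Message carries a .eml attachment
score      LOCAL_ATTACH_EML      1.0

# The lure text from the sample body ("You have voicemail. Transcript attached").
body     LOCAL_VOICEMAIL_BAIT    /\byou have voicemail\b.{0,40}\battached\b/i
describe LOCAL_VOICEMAIL_BAIT    Voicemail-with-attachment lure text
score    LOCAL_VOICEMAIL_BAIT    0.5

# The combination is much stronger evidence than any single rule; the meta
# rule adds its score on top of the individual hits.
meta     LOCAL_FAKE_VOICEMAIL    (LOCAL_FUZZY_XFINITY_FM || LOCAL_COMCAST_VM_FROM) && LOCAL_ATTACH_EML
describe LOCAL_FAKE_VOICEMAIL    Obfuscated Comcast/Xfinity voicemail lure with .eml attachment
score    LOCAL_FAKE_VOICEMAIL    3.0

# Moderate the whitelist bonus that let this message through. The stock
# SpamAssassin 3.4 score for RCVD_IN_DNSWL_HI is -5.0; -2.0 is a local choice.
score    RCVD_IN_DNSWL_HI        -2.0
```

Once the rules lint cleanly, feed the message to Bayes as spam as well (sa-learn --spam, or the spamassassin -r mentioned above), so the misspelled body text starts to count against similar messages.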