Mailing List Archive

More fake order spam
Got this: https://pastebin.com/Gfz951dh

Spam report:

Content analysis details: (-2.3 points, 5.0 required)

 pts rule name                     description
---- ----------------------------- --------------------------------------------------
-2.5 RCVD_IN_HOSTKARMA_W           RBL: Sender listed in HOSTKARMA-WHITE
                                   [185.41.28.7 listed in hostkarma.junkemailfilter.com]
-1.0 BAYES_00                      BODY: Bayes spam probability is 0 to 1%
                                   [score: 0.0000]
-0.0 SPF_HELO_PASS                 SPF: HELO matches SPF record
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
-0.0 SPF_PASS                      SPF: sender matches SPF record
 0.1 HTML_MESSAGE                  BODY: HTML included in message
-0.1 DKIM_VALID                    Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED                   Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU                 Message has a valid DKIM or DK signature from author's domain
-1.0 MAILING_LIST_MULTI            Multiple indicators imply a widely-seen list manager
 2.0 LOCAL_SPAM_TLD                Domain originates a lot of spam


Looks like it's coming from some kind of bulk mail service which is
whitelisted. Even after training with bayes, it will still be a false
negative.

Any ideas on the best way to tackle these kinds of fake order spam?
Re: More fake order spam
As always, if you have a problem stemming from a dns-based or similar
reputation list, you need to report problems to those lists.

If you aren't running greylisting with aggressive delays for SBL/XBL and
moderate for dialup, do that too.
Re: More fake order spam
On 2021-04-27 18:51, Steve Dondley wrote:
> Got this: https://pastebin.com/Gfz951dh
>
> Spam report:
>
> Content analysis details: (-2.3 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> -2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
> [185.41.28.7 listed in
> hostkarma.junkemailfilter.com]
> -1.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
> [score: 0.0000]
> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
> mail domains are different
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.1 HTML_MESSAGE BODY: HTML included in message
> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> valid
> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
> from
> author's domain
> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen
> list
> manager
> 2.0 LOCAL_SPAM_TLD Domain originates a lot of spam
>
>
> Looks like it's coming from some kind of bulk mail service which is
> whitelisted. Even after training with bayes, it will still be a false
> negative.
>
> Any ideas on the best way to tackle these kinds of fake order spam?

add 3 to local_spam_tld, so bayes does not learn it as ham

autolearnthreshold is -0.1, alternatively set this lower to force less
ham learning in bayes

impressed that spamassassin still has it as ham
http://multirbl.valli.org/lookup/185.41.28.7.html

https://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html

all the best
Re: More fake order spam
> -2.5 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
>                          [185.41.28.7 listed in
> hostkarma.junkemailfilter.com]

We've reduced this score to -1 locally.

> -1.0 BAYES_00               BODY: Bayes spam probability is 0 to 1%

Needs to be trained, obviously. Bayes is best for this body content.

> Looks like it's coming from some kind of bulk mail service which is
> whitelisted. Even after training with bayes, it will still be a false
> negative.
>
> Any ideas on the best way to tackle these kinds of fake order spam?

Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services

Invalid List-ID. You can then use that with other weirdness in a meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORMAT 0.001
describe LIST_ID_IMPROPER_FORMAT List-id has improper format

Investigate configuring dcc. We also created a meta that matches DCC and
URIBLs.

I believe the new Esp module that works to identify bad sendgrid
accounts also has support for sendinblue accounts, but to what extent?
X-Mailer: Sendinblue

I believe later versions of SA also have more geolocation support - do
you have a need to receive mail from France?
$ whois 185.41.28.7
...
route: 185.41.28.0/22
descr: SENDINBLUE-185-41-28-0-22
origin: AS200484

Regards,
Dave
Re: More fake order spam
On 2021-04-27 01:12 PM, Greg Troxel wrote:
> As always, if you have a problem stemming from a dns-based or similar
> reputation list, you need to report problems to those lists.
>
> If you aren't running greylisting with aggressive delays for SBL/XBL
> and
> moderate for dialup, do that too.

What does "aggressive delays for SBL/XBL and moderate for dialup" mean,
exactly? Do you mean greylist long enough to give the blocklists time to
label the spam as spam?

And what does "moderate for dialup" mean?
Re: More fake order spam
Steve Dondley <s@dondley.com> writes:

> On 2021-04-27 01:12 PM, Greg Troxel wrote:
>> As always, if you have a problem stemming from a dns-based or similar
>> reputation list, you need to report problems to those lists.
>>
>> If you aren't running greylisting with aggressive delays for SBL/XBL
>> and
>> moderate for dialup, do that too.
>
> What does "aggressive delays for SBL/XBL and moderate for dialup"
> mean, exactly? Do you mean greylist long enough to give the blocklists
> time to label the spam as spam?

Yes, and for the admin to notice and fix.

> And what does "moderate for dialup" mean?

12 to 24h for SBL/XBL.

2-3h for the dynamic lists. Legit people will get through eventually,
and they are fairly few in number.

All a matter of opinion/tradeoffs
Re: More fake order spam
On 2021-04-27 01:19 PM, Dave Wreski wrote:
>> -2.5 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
>>                          [185.41.28.7 listed in
>> hostkarma.junkemailfilter.com]
>
> We've reduced this score to -1 locally.
>
>> -1.0 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>
> Needs to be trained, obviously. Bayes is best for this body content.
>
>> Looks like it's coming from some kind of bulk mail service which is
>> whitelisted. Even after training with bayes, it will still be a false
>> negative.
>>
>> Any ideas on the best way to tackle these kinds of fake order spam?
>
> Investigate adding the SEM_FRESH rules - this domain was created less
> than five days ago.
> https://spameatingmonkey.com/services

OK, how do I get those rules installed? I've only installed KAM rules
using a channel. I don't see anything similar for SEM rules. I see the
page you linked to says to drop this into the config:

# SEM-FRESH
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
score SEM_FRESH 0.5

I've never seen anything like this before. Looks like this is the
documentation for that:
https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

Should I be adding other services besides this one for urirhssub lookups?

>
> Invalid List-ID. You can then use that with other weirdness in a meta.
> header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~
> /<([\w-]+)(\.[\w-]+)+>/
> meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
> !__LIST_ID_DOMAIN_IN_BRACKETS
> score LIST_ID_IMPROPER_FORMAT 0.001
> describe LIST_ID_IMPROPER_FORMAT List-id has improper format

You lost me here. The spam has this:

List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>

That's not legit? It's in brackets.

>
> Investigate configuring dcc. We also created a meta that matches DCC
> and URIBLs.

Yes, on my todo list.

>
> I believe the new Esp module that works to identify bad sendgrid
> accounts also has support for sendinblue accounts, but to what extent?
> X-Mailer: Sendinblue

To start, I wrote this rule that I think will probably work well because
it doesn't make sense for any order information to come from a
mailing list.

# fake order spam
header __LOCAL_FAKE_ORDER_SUBJ Subject =~ /your.order/i
header __LOCAL_FAKE_ORDER_1 X-Mailer =~ /Sendinblue/i
header __LOCAL_FAKE_ORDER_2 List-Id =~ /./

# "your order" in the subject AND at least one bulk-mailer indicator
meta LOCAL_FAKE_ORDER __LOCAL_FAKE_ORDER_SUBJ && (__LOCAL_FAKE_ORDER_1 + __LOCAL_FAKE_ORDER_2 >= 1)
score LOCAL_FAKE_ORDER 3.0



>
> I believe later versions of SA also have more geolocation support - do
> you have a need to receive mail from France?
> $ whois 185.41.28.7
> ...
> route: 185.41.28.0/22
> descr: SENDINBLUE-185-41-28-0-22
> origin: AS200484
>
> Regards,
> Dave
Re: More fake order spam
On 2021-04-27 02:23 PM, Reindl Harald wrote:
> On 27.04.21 at 19:57, Steve Dondley wrote:
>> On 2021-04-27 01:19 PM, Dave Wreski wrote:
>>> Investigate adding the SEM_FRESH rules - this domain was created less
>>> than five days ago.
>>> https://spameatingmonkey.com/services
>>
>> OK, how do I get those rules installed?
>
> why don't you just click on the link? there is a sample for copy&paste
> monkeys and how local .cf files are working is supposed to know by
> someone running a public mailserver

I did. That's why I wrote: "I don't see anything similar for SEM rules.
I see the page you linked to says to drop this into the config:"
Re: More fake order spam
Hi,

>> Investigate adding the SEM_FRESH rules - this domain was created less
>> than five days ago.
>> https://spameatingmonkey.com/services
>
> OK, how do I get those rules installed? I've only installed KAM rules
> using a channel. I don't see anything similar for SEM rules. I see the
> page you linked to says to drop this into the config:
>
> # SEM-FRESH
> urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
> body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
> describe SEM_FRESH Contains a domain registered less than 5 days ago
> tflags SEM_FRESH net
> score SEM_FRESH 0.5

Just copy them to a file ending in ".cf" in your local spamassassin
rules directory like you did with the rule you created below.

> I've never seen anything like this before. Looks like this is the
> documentation for that:
> https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

That's instructions for enabling the URIDNSBL, which is probably already
enabled.

Check for something like this in your init.pre file
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

>> Invalid List-ID. You can then use that with other weirdness in a meta.
>> header    __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
>> meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
>> !__LIST_ID_DOMAIN_IN_BRACKETS
>> score  LIST_ID_IMPROPER_FORMAT 0.001
>> describe LIST_ID_IMPROPER_FORMAT List-id has improper format
>
> You lost me here. The spam has this:
>
> List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
>
> That's not legit? It's in brackets.

It's matching on the text before the brackets.

>> I believe the new Esp module that works to identify bad sendgrid
>> accounts also has support for sendinblue accounts, but to what extent?
>> X-Mailer: Sendinblue
>
> To start, I wrote this rule that I think will probably work well because
> it doesn't make sense for any order information is going to come from a
> mailing list.
>
> # fake order spam
> header    __LOCAL_FAKE_ORDER_SUBJ   Subject =~ /your.order/i
> header    __LOCAL_FAKE_ORDER_1   X-Mailer =~ /Sendinblue/i
> header    __LOCAL_FAKE_ORDER_2   List-Id =~ /./
>
> meta  LOCAL_FAKE_ORDER  _LOCAL_FAKE_ORDER_SUBJ + (__LOCAL_FAKE_ORDER_2 +
> __LOCAL_FAKE_ORDER_3 >= 1)
> score LOCAL_FAKE_ORDER 3.0

That's great, but probably doesn't have much longevity.

You can also use the following for the presence of a header:
header __LOCAL_FAKE_ORDER_2 exists:List-Id

Regards,
Dave
Re: More fake order spam
>>> Invalid List-ID. You can then use that with other weirdness in a meta.
>>> header    __LIST_ID_DOMAIN_IN_BRACKETS List-id =~
>>> /<([\w-]+)(\.[\w-]+)+>/
>>> meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
>>> !__LIST_ID_DOMAIN_IN_BRACKETS
>>> score  LIST_ID_IMPROPER_FORMAT 0.001
>>> describe LIST_ID_IMPROPER_FORMAT List-id has improper format
>>
>> You lost me here. The spam has this:
>>
>> List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
>>
>> That's not legit? It's in brackets.
>
> It's matching on the text before the brackets.

I meant to say that it's not matching the __LIST_ID_DOMAIN_IN_BRACKETS
because of the text before the brackets, so the rule matches/triggered.

Regards,
Dave
Re: More fake order spam
On 2021-04-27 03:03 PM, Dave Wreski wrote:
>>>> Invalid List-ID. You can then use that with other weirdness in a
>>>> meta.
>>>> header    __LIST_ID_DOMAIN_IN_BRACKETS List-id =~
>>>> /<([\w-]+)(\.[\w-]+)+>/
>>>> meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
>>>> !__LIST_ID_DOMAIN_IN_BRACKETS
>>>> score  LIST_ID_IMPROPER_FORMAT 0.001
>>>> describe LIST_ID_IMPROPER_FORMAT List-id has improper format
>>>
>>> You lost me here. The spam has this:
>>>
>>> List-Id: MzY3NDAxMi01Nzg2LTU=
>>> <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
>>>
>>> That's not legit? It's in brackets.
>>
>> It's matching on the text before the brackets.
>
> I meant to say that it's not matching the __LIST_ID_DOMAIN_IN_BRACKETS
> because of the text before the brackets, so the rule
> matches/triggered.

OK, gotcha. But now I gotta ask: I see the host tacked onto the random
bit of text in the brackets, but why is it significant that the part
outside the brackets doesn't exactly match the part inside? How does
that let us know the email is bogus?
Re: More fake order spam
On 27 Apr 2021, at 11:57, Steve Dondley <s@dondley.com> wrote:
> On 2021-04-27 01:19 PM, Dave Wreski wrote:
>> Invalid List-ID. You can then use that with other weirdness in a meta.
>> header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
>> meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
>> score LIST_ID_IMPROPER_FORMAT 0.001
>> describe LIST_ID_IMPROPER_FORMAT List-id has improper format
>
> You lost me here. The spam has this:
>
> List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
>
> That's not legit? It's in brackets.

That was my question as well, AFAIK that conforms to the requirements of a List-ID header.

Looks legit to me.

This is the spec.

> list-id-header = "List-ID:" [phrase] "<" list-id ">" CRLF


And

> list-id = list-label "." list-id-namespace
> list-label = dot-atom-text
> list-id-namespace = domain-name / unmanaged-list-id-namespace

And here are the RFC 2919 examples for valid List-ID headers:

> List-Id: List Header Mailing List <list-header.nisto.com>
> List-Id: <commonspace-users.list-id.within.com>
> List-Id: "Lena's Personal Joke List"
> <lenas-jokes.da39efc25c530ad145d41b86f7420c3b.021999.localhost>
> List-Id: "An internal CMU List" <0Jks9449.list-id.cmu.edu>
> List-Id: <da39efc25c530ad145d41b86f7420c3b.052000.localhost>

And dot-atom-text includes every character in the above:

> atext = ALPHA / DIGIT /   ; Any character except controls,
>         "!" / "#" /       ;  SP, and specials.
>         "$" / "%" /       ;  Used for atoms
>         "&" / "'" /
>         "*" / "+" /
>         "-" / "/" /
>         "=" / "?" /
>         "^" / "_" /
>         "`" / "{" /
>         "|" / "}" /
>         "~"

> dot-atom-text = 1*atext *("." 1*atext)

Starts with one of atext? Yep. No consecutive periods? Yep.

What's the problem?

--
I noticed that but was still trying to work out a way of drawing it
to everyone's attention that would be sufficiently satisfying,
combining maximum entertainment value for readers with maximum
humiliation for you. -- Laura
Re: More fake order spam
On Tue, 27 Apr 2021, @lbutlr wrote:

> On 27 Apr 2021, at 11:57, Steve Dondley <s@dondley.com> wrote:
>> On 2021-04-27 01:19 PM, Dave Wreski wrote:
>>> Invalid List-ID. You can then use that with other weirdness in a meta.
>>> header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
>>> meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
>>> score LIST_ID_IMPROPER_FORMAT 0.001
>>> describe LIST_ID_IMPROPER_FORMAT List-id has improper format
>>
>> You lost me here. The spam has this:
>>
>> List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
>>
>> That's not legit? It's in brackets.
>
> That was my question as well, AFAIK that conforms to the requirements of a List-ID header.
>
> Looks legit to me.
>
> This is the spec.

...

> Starts with one of atext? Yep. No consecutive periods? Yep.
>
> What's the problem?

SpamAssassin is not a standards-compliance audit tool. If a given header
formatting is compliant but weird and appears more in spam than in ham,
it's usable.

What catches my eye about that header is that it appears to be base64
encoded, and is *not* "properly" annotated with a character set like:

=?ISO-8859-1?B?MzY3NDAxMi01Nzg2LTU=?=

Thus, while compliant with the spec, the format may make it a useful spam
sign.


FWIW, I have one example like that in my ham:

List-Id: MTYxNzU4MS0zNjUtMg== <MTYxNzU4MS0zNjUtMg==.list-id.mailin.fr>

and several in spam:

List-Id: MjMwNDI4NS05OTM1MDktMTI= <MjMwNDI4NS05OTM1MDktMTI=.list-id.academiasbrasil.com>
List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
List-Id: MjcyODE0MS02ODgxNTktNDQ= <MjcyODE0MS02ODgxNTktNDQ=.list-id.soju-online.com>
List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
List-Id: MzAzNzIzMS0yMzk4NzEtMTA= <MzAzNzIzMS0yMzk4NzEtMTA=.list-id.mailin.fr>
List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>

It appears to be a feature of a specific mailing list or mass mailing
application - Sendinblue, perhaps, as the ham has:

X-Mailer: Sendinblue

Is it worth a rule for evaluation in masscheck? Maybe. Not tonight,
though.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men, it has been well said, think in herds; it will be seen that
they go mad in herds, while they only recover their senses slowly,
and one by one. -- Charles MacKay, 1852
-----------------------------------------------------------------------
4 days until May Day - Remember 110 million people murdered by Communism
Re: More fake order spam
On 27.04.21 12:51, Steve Dondley wrote:
>Spam report:
>
>Content analysis details: (-2.3 points, 5.0 required)
>
> pts rule name description
>---- ----------------------
>--------------------------------------------------
>-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
> [185.41.28.7 listed in
>hostkarma.junkemailfilter.com]

KAM set.

I haven't come across this list so far, but based on experience with such lists,
I'd be very careful about giving them such a score.

>-1.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
> [score: 0.0000]

you need proper training.

>-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
> manager

I disabled this rule some time ago.
Many spammers use mailing lists or their signatures.

> 2.0 LOCAL_SPAM_TLD Domain originates a lot of spam

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: More fake order spam
On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>
>> -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
>>                            manager
>
> I have disabled his rule some time ago.
> Many spammers use mailing list or their signatures.
Same here; is it worth keeping MAILING_LIST_MULTI at that hardcoded score?

Giovanni
Re: More fake order spam
On 2021-04-28 11:55, Giovanni Bechis wrote:
> On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>
>>> -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen
>>> list
>>>                            manager
>>
>> I have disabled his rule some time ago.
>> Many spammers use mailing list or their signatures.
> Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded
> score ?

i have -20 there :=)

but also local uribl enlists to catch spam

no dns for me

keeping it very negative ensures not rejecting maillists

maybe harden with !FREEMAIL_FROM

or DKIM_VALID_EF

if that hits it's direct mailing and possible spam, while ! is maillist
often :=)
Re: More fake order spam
>>On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>>>-1.0 MAILING_LIST_MULTI     Multiple indicators imply a
>>>>widely-seen list
>>>>                           manager
>>>
>>>I have disabled his rule some time ago.
>>>Many spammers use mailing list or their signatures.

>On 2021-04-28 11:55, Giovanni Bechis wrote:
>>Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded
>>score ?

On 28.04.21 12:18, Benny Pedersen wrote:
>i have -20 there :=)

>but also local uribl enlists to catch spam
>
>no dns for me
>
>keep it very negative ensures not rejecting maillists
>
>maybe harden with !FREEMAIL_FROM
>
>or DKIM_VALID_EF
>
>if that hits its direct mailling and possible spam, while ! is
>maillist often :=)

I looked around my spam folder, I see that I did:

score MAILING_LIST_MULTI -0.001

just to see the rule if it hits.

out of 120 spams currently, I see many spams from google(groups), mailjet
and other list providers I haven't signed up for.

some do hit FREEMAIL_FROM, some don't.

funny is that they hit FREEMAIL_FORGED_FROMDOMAIN because of
@googlegroups.com envelope but gmail.com From, which is expected for mailing
list.

some hit DKIM_VALID_EF, some don't

...DKIM_VALID_EF is imho useless, because mail should be signed with DKIM of
header domain, not envelope.


while I agree that MAILING_LIST_MULTI can be used in meta rules, it's
neither of those, and none I currently know of.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins. -- Daffy Duck & Porky Pig
Re: More fake order spam
On 4/28/21 12:59 PM, Matus UHLAR - fantomas wrote:
>>> On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>>>> -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
>>>>>                            manager
>>>>
>>>> I have disabled his rule some time ago.
>>>> Many spammers use mailing list or their signatures.
>
>> On 2021-04-28 11:55, Giovanni Bechis wrote:
>>> Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded score ?
>
> On 28.04.21 12:18, Benny Pedersen wrote:
>> i have -20 there :=)
>
>> but also local uribl enlists to catch spam
>>
>> no dns for me
>>
>> keep it very negative ensures not rejecting maillists
>>
>> maybe harden with !FREEMAIL_FROM
>>
>> or DKIM_VALID_EF
>>
>> if that hits its direct mailling and possible spam, while ! is maillist often :=)
>
> I looked around my spam folder, I see that I did:
>
> score   MAILING_LIST_MULTI      -0.001
>
> just to see the rule if it hits.
>
> out of 120 spams currently, I see many spams from google(groups), mailjet
> and other list providers I haven't signed for.
>
> some do hit FREEMAIL_FROM, some don't.
>
~8% of my daily spam hits MAILING_LIST_MULTI and only 0.2% hits both MAILING_LIST_MULTI and FREEMAIL_FROM for me.




> funny is that they hit FREEMAIL_FORGED_FROMDOMAIN because of
> @googlegroups.com envelope but gmail.com From, which is expected for mailing
> list.
>
> some hit DKIM_VALID_EF, some don't
>
> ...DKIM_VALID_EF is imho useless, because mail should to be signed with DKIM of
> header domain, not envelope.
>
>
> while I agree that MAILING_LIST_MULTI can be used in meta rules, it's
> neither of those, and none I currently know of.
Re: More fake order spam
On 2021-04-28 13:10, Giovanni Bechis wrote:

> ~8% of my daily spam hits MAILING_LIST_MULTI and only 0.2% hits both
> MAILING_LIST_MULTI and FREEMAIL_FROM for me.

meta DIRECT_MAILLIST_NOT_FREEMAIL_FROM (MAILING_LIST_MULTI &&
!(FREEMAIL_FROM || DKIM_VALID_EF))

DKIM_VALID_EF is valid only on direct mailing, so it hardens
maillist....

but i have no corpus to test it with

still have to see a valid maillist using freemail as sender

YMMV :)
Re: More fake order spam
Hi,

> >-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
> > manager
>
> I have disabled his rule some time ago.
> Many spammers use mailing list or their signatures.

Where is the score coming from for this rule? There isn't an explicit
"score" value associated with the rule.

describe MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST + __HAS_X_MAILMAN_VERSION + __HAS_LIST_ID + __HAS_X_BEEN_THERE + __DOS_HAS_LIST_UNSUB + __ML1 + __ML3 + __ML4 + __ML5 > 2
tflags MAILING_LIST_MULTI nice

If everyone (figuratively speaking, I suppose) is disabling it,
wouldn't it be helpful to define it explicitly or see how it's doing
in masschecks?

It seems like it would be helpful to look at ways mailing lists are
manipulated by spammers more closely and perhaps find some anomalies
there.
Re: More fake order spam
On Wed, 28 Apr 2021, Giovanni Bechis wrote:

> On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>
>>> -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
>>>                            manager
>>
>> I have disabled his rule some time ago.
>> Many spammers use mailing list or their signatures.
>
> Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded score ?

According to masscheck it's a fairly hammy indicator:

https://ruleqa.spamassassin.org/20210427-r1889231-n/MAILING_LIST_MULTI/detail#new

 SPAM%     HAM%    S/O  RANK  SCORE  NAME
3.4717  19.9221  0.148  0.48  -1.00  MAILING_LIST_MULTI



--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When violence comes, and brings your death with it -- *die well*,
for that is the only thing you can change about your death.
-- Lawdog
-----------------------------------------------------------------------
3 days until May Day - Remember 110 million people murdered by Communism
Re: More fake order spam
On 27 Apr 2021, at 23:01, John Hardin wrote:

> What catches my eye about that header is that it appears to be base64
> encoded, and is *not* "properly" annotated with a character set

Indeed, all of the examples decode to strings matching
'\d{7}-\d{3,6}-\d{2}'

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: More fake order spam
>> >-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
>> > manager
>>
>> I have disabled his rule some time ago.
>> Many spammers use mailing list or their signatures.

On 28.04.21 09:54, Alex wrote:
>Where is the score coming from for this rule? There isn't an explicit
>"score" value associated with the rule.

i was curious too, and found this:

tflags SYMBOLIC_TEST_NAME flags
  nice   The test is intended to compensate for common false positives,
         and should be assigned a negative score.


>describe MAILING_LIST_MULTI Multiple indicators imply a
>widely-seen list manager
>meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST +
>__HAS_X_MAILMAN_VERSION + __HAS_LIST_ID + __HAS_X_BEEN_THERE
>+__DOS_HAS_LIST_UNSUB + __ML1 + __ML3 + __ML4 + __ML5 > 2
>tflags MAILING_LIST_MULTI nice
>
>If everyone (figuratively speaking, I suppose) is disabling it,
>wouldn't it be helpful to define it explicitly or see how it's doing
>in masschecks?
>
>It seems like it would be helpful to look at ways mailing lists are
>manipulated by spammers more closely and perhaps find some anomalies
>there.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows. -- Matthew D. Fuller
Re: More fake order spam
On 2021-04-28 16:57, Matus UHLAR - fantomas wrote:

> i was curious too, and found this:
>
> tflags SYMBOLIC_TEST_NAME flags
> nice
> The test is intended to compensate for common false
> positives,
> and should be assigned a negative score.

what will nice do when the score is -100, and what will nice do when the score
is 100?

imho it does not hold water with that requirement for negative scores
Re: More fake order spam
On 28 Apr 2021, at 9:54, Alex wrote:

> Hi,
>
>>> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen
>>> list
>>> manager
>>
>> I have disabled his rule some time ago.
>> Many spammers use mailing list or their signatures.
>
> Where is the score coming from for this rule? There isn't an explicit
> "score" value associated with the rule.

Default score is 1 for 'spam' rules, -1 for 'nice' rules.

> describe MAILING_LIST_MULTI Multiple indicators imply a
> widely-seen list manager
> meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST +
> __HAS_X_MAILMAN_VERSION + __HAS_LIST_ID + __HAS_X_BEEN_THERE
> +__DOS_HAS_LIST_UNSUB + __ML1 + __ML3 + __ML4 + __ML5 > 2
> tflags MAILING_LIST_MULTI nice
>
> If everyone (figuratively speaking, I suppose) is disabling it,

Not figuratively, hyperbolically...

In my experience, most SA users never touch the scores of default rules.

> wouldn't it be helpful to define it explicitly or see how it's doing
> in masschecks?

As a ham-sign it is doing reasonably well. S/O is consistently <0.2.

> It seems like it would be helpful to look at ways mailing lists are
> manipulated by spammers more closely and perhaps find some anomalies
> there.

It's very hard to analyze spam you never see. The last time I saw
MAILING_LIST_MULTI make the difference in a false negative was
2020-11-12. That was also the last time it hit anything that scored less
than 6 that wasn't a FP, i.e. where it was too weak to save ham from the
pit. Most of the spam it hits for me scores so high that I keep nothing
of it but log entries.

The one FN from last November that I do have is problematic for
identifying any FN pattern. Aside from being a single example, its
idiosyncrasies are due to a tool that is in broad use by both spammers
and non-spammers.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
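The meta-rule arithmetic quoted earlier in the thread (MAILING_LIST_MULTI summing its sub-rules against > 2), Benny's DIRECT_MAILLIST_NOT_FREEMAIL_FROM meta and the default score Bill describes for rules without a score line, worked through in a small evaluator. This is an added example, not SpamAssassin's own rule parser; it reads a constructed .cf excerpt and treats rule hits as 0/1 inside expressions the way SA does, and the two sample hit sets and the FREEMAIL_FROM score line are constructed for the example.

```python
import re

# Constructed .cf excerpt. The three meta definitions are the ones quoted in
# the thread; the FREEMAIL_FROM score line is a constructed value.
RULES_CF = """
meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST + __HAS_X_MAILMAN_VERSION + __HAS_LIST_ID + __HAS_X_BEEN_THERE +__DOS_HAS_LIST_UNSUB + __ML1 + __ML3 + __ML4 + __ML5 > 2
tflags MAILING_LIST_MULTI nice
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORMAT 0.001
meta DIRECT_MAILLIST_NOT_FREEMAIL_FROM (MAILING_LIST_MULTI && !(FREEMAIL_FROM || DKIM_VALID_EF))
score FREEMAIL_FROM 0.001
"""

# One token of a meta expression: number, rule name or operator. Anything else
# is rejected, so the eval() below only ever sees this vocabulary.
TOKEN_RE = re.compile(
    r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|(&&|\|\||[<>!=]=?|[-+*/()]))")
OP_MAP = {"&&": " and ", "||": " or ", "!": " not "}


def meta_to_python(expr):
    """Translate SA meta syntax into a Python expression over h(name) calls."""
    expr, out, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected token near {expr[pos:pos + 12]!r}")
        num, name, op = m.groups()
        out.append(num or (f"h({name!r})" if name else OP_MAP.get(op, op)))
        pos = m.end()
    return "".join(out)


class RuleSet:
    def __init__(self, cf_text):
        # Only meta/score/tflags lines are read; header/body rules are supplied
        # to evaluate() as already-hit names.
        self.meta, self.score, self.tflags = {}, {}, {}
        for line in cf_text.splitlines():
            parts = line.split(None, 2)
            if len(parts) < 3 or parts[0].startswith("#"):
                continue
            kind, name, rest = parts
            if kind == "meta":
                self.meta[name] = meta_to_python(rest)
            elif kind == "score":
                self.score[name] = float(rest.split()[0])   # first of up to 4 scores
            elif kind == "tflags":
                self.tflags[name] = set(rest.split())

    def score_of(self, name):
        """__ sub-rules never score; no score line means +1, or -1 if 'nice'."""
        if name.startswith("__"):
            return 0.0
        if name in self.score:
            return self.score[name]
        return -1.0 if "nice" in self.tflags.get(name, ()) else 1.0

    def evaluate(self, base_hits):
        """Return the set of rules (base and meta) that hit for one message."""
        hits = {name: 1 for name in base_hits}

        def h(name):                # a rule counts as 1 when hit, else 0
            if name in hits:
                return hits[name]
            if name not in self.meta:
                return 0
            hits[name] = 0          # placeholder guards against meta cycles
            hits[name] = 1 if eval(self.meta[name], {"__builtins__": {}}, {"h": h}) else 0
            return hits[name]

        for name in self.meta:
            h(name)
        return {name for name, hit in hits.items() if hit}

    def total_score(self, fired):
        return round(sum(self.score_of(name) for name in fired), 3)


# Constructed hit sets: a genuine list post from a freemail author with a
# well-formed List-Id, and a bulk-mailer style message with an odd List-Id,
# its own domain and no envelope-from DKIM signature.
SAMPLES = {
    "list_post_from_freemail": {"__HAS_LIST_ID", "__LIST_ID_DOMAIN_IN_BRACKETS",
                                "__DOS_HAS_LIST_UNSUB", "__ML1", "FREEMAIL_FROM"},
    "bulk_mailer_order": {"__HAS_LIST_ID", "__DOS_HAS_LIST_UNSUB", "__ML1"},
}


def run_samples(cf_text=RULES_CF, samples=SAMPLES):
    """Map each sample to (scored rules that hit, total score)."""
    rs = RuleSet(cf_text)
    report = {}
    for label, base in samples.items():
        fired = rs.evaluate(base)
        report[label] = (sorted(n for n in fired if not n.startswith("__")),
                         rs.total_score(fired))
    return report
```

With three list indicators both samples trip MAILING_LIST_MULTI's "> 2", and only the bulk-mailer sample additionally hits the improper-format and direct-mailing metas.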
