Mailing List Archive

CHAOS Module: While you were out...
From the project page at https://github.com/telecom2k3/CHAOS, here's
what's transpired since my last CHAOS module SA-Users post:


Version 1.2.0

Date: June 21, 2021

* New Eval, check_reference_doms() controls how many @domain.tld
  references can appear in a Reference header.

* Strut your stuff and rock your wares with a new Eval, systeminfo().
  This callout-only tags Emails with any combination of CHAOS,
  SpamAssassin, and PERL versions, followed by a description:

  CHAOS: v1.2.0 SA: v3.4.6 PERL: v5.26.1 - This system rocks!

* (Very)? Verbose versioning [-V, -VV] returns the Unicode Version of
  your PERL.

* Continued additions to Admin Fraud and Fraud Body rules.

* Additions to First Names, X-Mailers, User-Agents, Public Short URLs.

* Fixed error messages thrown when check_email_greets() Eval handles
  Emails with only BCC recipients.

* Complete removal of chaos_high and chaos_max score levels. CHAOS now
  pegs any of its scores to a single chaos_tag value.


Notes (https://github.com/telecom2k3/CHAOS/wiki/CHANGELOG#notes)

Auto mode scoring has been changed in that any single rule hit will not
force Emails to be tagged as spam.
Auto mode scores are simply an arithmetic fraction of the configured
chaos_tag value.


Version 1.1.2 (https://github.com/telecom2k3/CHAOS/wiki/CHANGELOG#version-112)

Date: May 20, 2021

* All kinds of useful information added to mailer_check(); tons of stuff.

* New checks for Identical and Multiple Headers added.

* Exchange Header detection and sanity checking added.

* All kinds of additional header sanity checks have been added.

* New Eval, check_email_greets(), per SA-Users 5/7, "Hi
  $emailuserpart" - with internationalizations.

* Complete Versioning is provided:

  perl /$PATH_TO/CHAOS.pm [-v, --version] # CHAOS.pm, PERL, SA Version
  perl /$PATH_TO/CHAOS.pm [-V, --verbose] # Above + PERL libraries for SA
  perl /$PATH_TO/CHAOS.pm [-VV, --very]   # Above + SA physical file paths

* SendGrid Eval merged into mailer_check and now can generate two rules:

  JR_SGRID_DIRECT (SendGrid or Partners)
  JR_SGRID_FWD (Forwarded via ISP/References)

* Cleanup of rule "Description" field output throughout the module.

* Additional additions to ADMIN_FRAUD Body AND Subject rules.

* MMs added to Honorifics.

* The ADMIN_FRAUD Body Eval/rule is commented out by default now in
  the CHAOS.cf file.


Notes (https://github.com/telecom2k3/CHAOS/wiki/CHANGELOG#notes-1)

Parsing an Email body from within a plugin is neither easy nor efficient.
It is far better to have the rules compiled via sa-compile/re2c. The
ADMIN_FRAUD Body rules are still there and have even been expanded; just
commented out by default in the CHAOS.cf file.

I'm happy with the progress of the mailer_check() Eval. It is not quite
a complete EMail fingerprint/signature kit, but there is now sufficient
data returned to make it a good time to work towards publishing some
rulesets.

Surprisingly, the Multiple Header detections have been quite useful at
detecting infected Exchange Servers, particularly noted with the
"X-MS-Exchange-CrossTenant-FromEntityHeader" header.
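To show what two of the checks announced above are actually looking at, here is an added, stand-alone example that is not CHAOS code and not from the project's wiki: a reference-domain count over the References header (the idea behind check_reference_doms()) and an Identical-vs-Multiple duplicate header classification (the idea behind the Multiple Header checks, including the repeated Exchange header noted in the post). It is written in Python rather than as a SpamAssassin Perl plugin so it can run anywhere; the function names, the default limit of 3, the EXPECTED_REPEATS set and both sample messages are my own constructions, not CHAOS's rule names, thresholds or test data.

```python
import re
from email import message_from_string, policy

# Headers that legitimately appear several times with different values on a
# normal message; these are not reported as "multiple". The set is an
# assumption of this example, not a list taken from CHAOS.
EXPECTED_REPEATS = {
    "received", "dkim-signature", "authentication-results",
    "arc-seal", "arc-message-signature", "arc-authentication-results",
}

# Matches <local@domain> tokens; the capture is the domain part.
_MSGID_DOMAIN = re.compile(r"<[^<>@\s]+@([^<>\s]+)>")

# Constructed sample: References spanning five domains, the Exchange header
# repeated with differing values, X-Mailer repeated with an identical value.
SAMPLE_SUSPECT = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: Re: quarterly report
Message-ID: <abc123@mail.example.com>
References: <1@a.example> <2@b.example>
 <3@c.example> <4@d.example> <5@e.example>
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-Mailer: Foo 1.0
X-Mailer: Foo 1.0

body
"""

# Constructed sample of an ordinary reply: two Received hops (an expected
# repeat) and a References chain from just two domains.
SAMPLE_CLEAN = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
 by mail.example.com with ESMTP id abc; Mon, 21 Jun 2021 10:00:00 +0000
Received: from client.example.net ([192.0.2.20])
 by mx1.example.net with ESMTPS id def; Mon, 21 Jun 2021 09:59:58 +0000
From: Bob <bob@example.net>
To: alice@example.com
Subject: Re: quarterly report
Message-ID: <def456@mx1.example.net>
References: <abc123@mail.example.com> <xyz@example.net>

body
"""


def parse_headers(raw):
    """Parse a raw RFC 5322 message; policy.default unfolds folded header lines."""
    return message_from_string(raw, policy=policy.default)


def reference_domains(msg):
    """Domain part of every <id@domain> token in References, in header order, lowercased."""
    domains = []
    for value in msg.get_all("References") or []:
        domains.extend(d.lower() for d in _MSGID_DOMAIN.findall(str(value)))
    return domains


def check_reference_doms(msg, limit=3):
    """True when more than `limit` distinct @domain.tld values appear in References."""
    return len(set(reference_domains(msg))) > limit


def duplicate_headers(msg):
    """Classify repeated headers: 'identical' (same value every time) vs 'multiple'
    (differing values). Expected repeats such as Received are only reported when
    their values are identical, which is the odd case for them."""
    seen = {}
    for name, value in msg.items():  # items() yields every occurrence, duplicates included
        seen.setdefault(name.lower(), []).append(" ".join(str(value).split()))
    identical, multiple = [], []
    for name, values in seen.items():
        if len(values) < 2:
            continue
        if len(set(values)) == 1:
            identical.append(name)
        elif name not in EXPECTED_REPEATS:
            multiple.append(name)
    return {"identical": sorted(identical), "multiple": sorted(multiple)}


if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        msg = parse_headers(raw)
        print(label, "reference domains:", reference_domains(msg),
              "-> hit" if check_reference_doms(msg) else "-> ok")
        print(label, "duplicate headers:", duplicate_headers(msg))
```

Running it reports the suspect sample as a References hit (five distinct domains against a limit of three), X-Mailer as an identical repeat and X-MS-Exchange-CrossTenant-FromEntityHeader as a multiple repeat, while the clean sample produces no hits and its two differing Received headers are ignored. A real deployment would tune the limit on its own traffic, since long legitimate threads that cross mailing lists can accumulate several reference domains.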