Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SpamAssassin>
  3. users
Suggested Approach
Fortney at CSCConsulting
Apr 26, 2023, 11:21 PM
Post #1 of 3 (153 views)
Permalink
Here is a possible new challenge for those who like what I believe is
a "different" challenge. How would we have SA properly learn to
identify such messages?

In an eight minute period this morning, someone dumped 9 messages
into a Google mail server using one of my addresses as the FROM and
TO address without any identification I can detect.

For those that would like to investigate, the messages are in the
attached ZIP. It looks like simple Spamming but I can not assure
there are no other issues of concern.

Do not become confused by my delivery consolidation
forwarding. Please discard if no interest.

TNX - JimF

-------------------------------------------------------------
James T. Fortney, Principal
CSC Consulting Services
E-mail: Fortney@CSCConsulting.com
Snail: P.O. Box 12589
Prescott AZ 86304-2589
--------------------------------------------------------------

Attached Files:

RE: Suggested Approach [ In reply to ]
Marc at f1-outsourcing
Apr 27, 2023, 12:21 AM
Post #2 of 3 (153 views)
Permalink
>
> For those that would like to investigate, the messages are in the
> attached ZIP. It looks like simple Spamming but I can not assure
> there are no other issues of concern.
>

Put full (redacted) plaint text source message. I can't believe that message headers do not contain ip addresses. What is this 202.29.234.42?

Your spamassassin should not even be processing messages from 202.29.234.42. Your incoming mail server should not accept mail from ip's that do no have a correct reverse[2]. Then it is on a dnsbl. So it should be stopped at that stage.


[1]
[@scripts]# testrbl.sh 202.29.234.42
202.29.234.42
zen.spamhaus.org 127.0.0.11 "https://www.spamhaus.org/query/ip/202.29.234.42"
bl.spamcop.net
dul.rbl-dns.com
rbl.xxxx.xxx
rblacc.xxxx.xxx
whitelist.xxxx.xxx


[2]
[@syslog1 scripts]# digall.sh 202.29.234.42
..
202.29.234.31
202.29.234.32
202.29.234.33
202.29.234.34
202.29.234.35
202.29.234.36
202.29.234.37
202.29.234.38
202.29.234.39
202.29.234.40
202.29.234.41
202.29.234.42
202.29.234.43
202.29.234.44
202.29.234.45
202.29.234.46
202.29.234.47
202.29.234.48
202.29.234.49
202.29.234.50
202.29.234.51
202.29.234.52
202.29.234.53
...

[@syslog1 scripts]# digall.sh 209.85.219.47
209.85.219.0
209.85.219.1 mail-qv1-f1.google.com.
209.85.219.2 mail-qv1-f2.google.com.
209.85.219.3 mail-qv1-f3.google.com.
209.85.219.4 mail-qv1-f4.google.com.
209.85.219.5 mail-qv1-f5.google.com.
209.85.219.6 mail-qv1-f6.google.com.
209.85.219.7 mail-qv1-f7.google.com.
209.85.219.8 mail-qv1-f8.google.com.
209.85.219.9 mail-qv1-f9.google.com.
RE: Suggested Approach [ In reply to ]
Fortney at CSCConsulting
Apr 27, 2023, 6:44 PM
Post #3 of 3 (153 views)
Permalink
Marc (et all) -

Thank you for the reply. I will first admit that my SA skills are
very dated. I have not actively managed the product in over ten years.

I distributed the 9 messages as a ZIP file because there were so many
immediate instances. I typically refrain from trying to redact an
example because it does not give a full picture and I may redact what
someone else considers an important part. I'm sure you understand
the other reasons for not sending "real" plain text examples.

I believe I understand your analysis of the IPs you referenced, but I
don't find that Thiland IP or the Google IPs in my examples. The IPs
included in the headers are 10.221.57.15 (useless) and 209.85.208.169
which Google says "Received-SPF: pass (domain of gmail.com designates
209.85.208.169 as permitted sender)" apparently relating to
"Authentication-Results: atlas110.aol.mail.ne1.yahoo.com;". I am not
capable of reading more out of the headers.

If you, or others, are interested in researching how this traffic can
be identified as spam I am interested in learning about the process.

- JimF


At 4/27/2023 12:21 AM, Marc wrote:
> >
> > For those that would like to investigate, the messages are in the
> > attached ZIP. It looks like simple Spamming but I can not assure
> > there are no other issues of concern.
> >
>
>Put full (redacted) plaint text source message. I can't believe that
>message headers do not contain ip addresses. What is this 202.29.234.42?
>
>Your spamassassin should not even be processing messages from
>202.29.234.42. Your incoming mail server should not accept mail from
>ip's that do no have a correct reverse[2]. Then it is on a dnsbl. So
>it should be stopped at that stage.
>
>
>[1]
>[@scripts]# testrbl.sh 202.29.234.42
>202.29.234.42
> zen.spamhaus.org 127.0.0.11
> "https://www.spamhaus.org/query/ip/202.29.234.42"
> bl.spamcop.net
> dul.rbl-dns.com
> rbl.xxxx.xxx
> rblacc.xxxx.xxx
> whitelist.xxxx.xxx
>
>
>[2]
>[@syslog1 scripts]# digall.sh 202.29.234.42
>..
>202.29.234.31
>202.29.234.32
>202.29.234.33
>202.29.234.34
>202.29.234.35
>202.29.234.36
>202.29.234.37
>202.29.234.38
>202.29.234.39
>202.29.234.40
>202.29.234.41
>202.29.234.42
>202.29.234.43
>202.29.234.44
>202.29.234.45
>202.29.234.46
>202.29.234.47
>202.29.234.48
>202.29.234.49
>202.29.234.50
>202.29.234.51
>202.29.234.52
>202.29.234.53
>...
>
>[@syslog1 scripts]# digall.sh 209.85.219.47
>209.85.219.0
>209.85.219.1 mail-qv1-f1.google.com.
>209.85.219.2 mail-qv1-f2.google.com.
>209.85.219.3 mail-qv1-f3.google.com.
>209.85.219.4 mail-qv1-f4.google.com.
>209.85.219.5 mail-qv1-f5.google.com.
>209.85.219.6 mail-qv1-f6.google.com.
>209.85.219.7 mail-qv1-f7.google.com.
>209.85.219.8 mail-qv1-f8.google.com.
>209.85.219.9 mail-qv1-f9.google.com.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal