
Filtering emails from word-olivier@somewhere.com
Hi,

Recently I have received a wave of mails in the form
From: word-olivier@somewhere.random
To: olivier@mydomain.com

Where the "olivier" part is a valid username on my domain.

Is there a rule to catch these with SA?


Best regards,

Olivier
--
Re: Filtering emails from word-olivier@somewhere.com
On 2023-10-05 at 03:41:59 UTC-0400 (Thu, 05 Oct 2023 14:41:59 +0700)
Olivier <Olivier.Nicole@cs.ait.ac.th>
is rumored to have said:

> Hi,
>
> Recently I have received a wave of mails in the form
> From: word-olivier@somewhere.random
> To: olivier@mydomain.com
>
> Where the "olivier" part is a valid username on my domain.
>
> Is there a rule to catch these with SA?

SA does not have any way to know what the valid usernames in any domain
are. Without custom local rules, it doesn't even know what domains might
be valid for your mail system. You can, of course, create local rules
for specific users who get heavily targeted by this tactic. That does
not scale, but it can be useful.

Special rules for high-spam individuals can also help by acting as
"canary" rules, if you use the 'autolearn_force' rule tflag. This way,
when a spammer using the specific pattern starts a run, you will catch
one match, autolearn it as spam, and (hopefully) recognize its sibling
messages as such.




--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Filtering emails from word-olivier@somewhere.com
On Thu, Oct 05, 2023 at 03:15:31PM -0400, Bill Cole wrote:
> On 2023-10-05 at 03:41:59 UTC-0400 (Thu, 05 Oct 2023 14:41:59 +0700)
> Olivier <Olivier.Nicole@cs.ait.ac.th> is rumored to have said:
>
> > Recently I have received a wave of mails in the form
> > From: word-olivier@somewhere.random
> > To: olivier@mydomain.com
> >
> > Where the "olivier" part is a valid username on my domain.
> >
> > Is there a rule to catch these with SA?
>
> SA does not have any way to know what the valid usernames in any domain are.

That is of course correct, but I did not read that mail as requesting
user auto-detection, just plain matching for their user?
E.g. something like:


header __from_olivier From =~ /.*-olivier\@/
header __to_olivier To =~ /olivier\@mydomain\.com/

meta fake_oliviers __from_olivier && __to_olivier
score fake_oliviers 7.0

> Special rules for high-spam individuals can also help by acting as "canary"
> rules, if you use the 'autolearn_force' rule tflag. This way, when a spammer
> using the specific pattern starts a run, you will catch one match, autolearn
> it as spam, and (hopefully) recognize its sibling messages as such.

+1 for that.

--
Opinions above are GNU-copylefted.
Re: Filtering emails from word-olivier@somewhere.com
On Thu, Oct 05, 2023 at 02:41:59PM +0700, Olivier wrote:

>Recently I have received a wave of mails in the form
>From: word-olivier@somewhere.random
>To: olivier@mydomain.com
>
>Where the "olivier" part is a valid username on my domain.
>
>Is there a rule to catch these with SA?

I've been seeing recently connection attempts like that. When they
first started last month, they spoofed amazon.co.jp addresses.
Recently, though, they've morphed and spoof arbitrary hosts / domains.

They seem associated with a HELO such as "VM-0-9-centos.localdomain",
with "VM-" and "-centos.localdomain" always appearing in the value.
While I don't see anything in the current ruleset that looks for that,
you could create your own rule, say one modeled after HELO_LH_LD in
72_active.cf.

You could also consider adjusting the score for RCVD_IN_PBL - all the
connections that I've seen so far have been from hosts on SpamHaus' PBL.


George
--
theall@tifaware.com
Re: Filtering emails from word-olivier@somewhere.com
Thank you, the VM-x-yy-centos.localdomain did the trick.

Best regards,

Olivier

"George A. Theall via users" <users@spamassassin.apache.org> writes:

> On Thu, Oct 05, 2023 at 02:41:59PM +0700, Olivier wrote:
>
>>Recently I have received a wave of mails in the form
>>From: word-olivier@somewhere.random
>>To: olivier@mydomain.com
>>
>>Where the "olivier" part is a valid username on my domain.
>>
>>Is there a rule to catch these with SA?
>
> I've been seeing recently connection attempts like that. When they
> first started last month, they spoofed amazon.co.jp addresses.
> Recently, though, they've morphed and spoof arbitrary hosts / domains.
>
> They seem associated with a HELO such as "VM-0-9-centos.localdomain",
> with "VM-" and "-centos.localdomain" always appearing in the value.
> While I don't see anything in the current ruleset that looks for that,
> you could create your own rule, say one modeled after HELO_LH_LD in
> 72_active.cf.
>
> You could also consider adjusting the score for RCVD_IN_PBL - all the
> connections that I've seen so far have been from hosts on SpamHaus' PBL.
>
>
> George

--
Re: Filtering emails from word-olivier@somewhere.com
Hi,

>> Recently I have received a wave of mails in the form
>> From: word-olivier@somewhere.random
>> To: olivier@mydomain.com
>>
>> Where the "olivier" part is a valid username on my domain.
>>
>> Is there a rule to catch these with SA?
>
> SA does not have any way to know what the valid usernames in any domain
> are. Without custom local rules, it doesn't even know what domains might
> be valid for your mail system. You can, of course, create local rules
> for specific users who get heavily targeted by this tactic. That does
> not scale, but it can be useful.

Someone could have written a plugin that does just that. I think I could
write one myself, it is quite basic programming, but I'd prefer to avoid
re-inventing the wheel.

> Special rules for high-spam individuals can also help by acting as
> "canary" rules, if you use the 'autolearn_force' rule tflag. This way,
> when a spammer using the specific pattern starts a run, you will catch
> one match, autolearn it as spam, and (hopefully) recognize its sibling
> messages as such.

I will look at that too.

Best regards,

Olivier

--
Re: Filtering emails from word-olivier@somewhere.com
On 10/6/2023 1:22 AM, Olivier wrote:
> Hi,
>
>>> Recently I have received a wave of mails in the form
>>> From:word-olivier@somewhere.random
>>> To:olivier@mydomain.com
>>>
>>> Where the "olivier" part is a valid username on my domain.
>>>
>>> Is there a rule to catch these with SA?
>> SA does not have any way to know what the valid usernames in any domain
>> are. Without custom local rules, it doesn't even know what domains might
>> be valid for your mail system. You can, of course, create local rules
>> for specific users who get heavily targeted by this tactic. That does
>> not scale, but it can be useful.
> Someone could have written a plugin that does just that. I think I could
> write one myself, it is quite basic programming, but I'd prefer to avoid
> re-inventing the wheel.
(1) Should you go the plugin route, make sure that the variable assigned
to the To: address field is always (set/init) to something. Otherwise, any
BCC'd messages will throw Perl "undefined variable" errors.

https://metacpan.org/pod/Mail::SpamAssassin::PerMsgStatus lists all of
the SA functions available to plugins and is always a good reference.
>> Special rules for high-spam individuals can also help by acting as
>> "canary" rules, if you use the 'autolearn_force' rule tflag. This way,
>> when a spammer using the specific pattern starts a run, you will catch
>> one match, autolearn it as spam, and (hopefully) recognize its sibling
>> messages as such.
> I will look at that too.
(2) SA v4.0 has support for Perl capture groups where the capture group
can be match-tested in rules. Maybe something like this (untested):

if (version >= 4.000000)
  # capture the recipient's local part (everything before the first @) as a tag
  header   __MY_TO_ADDR    To:addr =~ /^(?<TO_USER_ADDR>[^@]+)\@/
  # match a sender local part of the form word-<recipient local part>
  header   MY_WORD         From:addr =~ /^word-%{TO_USER_ADDR}\@/i
  score    MY_WORD         5.0
endif


You can read more information about this function here:
https://metacpan.org/pod/Mail::SpamAssassin::Conf#CAPTURING-TAGS-USING-REGEX-NAMED-CAPTURE-GROUPS


-- Jared Hall
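For anyone taking the plugin route Jared describes, here is an added example of what such a plugin could look like. It is not Jared's code and not part of the SpamAssassin project; the plugin name FakeSelfAddr, the file path, the rule name FAKE_SELF_ADDR and the eval function name are all assumptions chosen for the example. It generalizes the thread's pattern slightly: instead of the literal "word-", it flags any From: local part of the form "<letters/digits>-<recipient local part>", and it defaults the To: address to an empty string so BCC'd mail with no To: header cannot produce the undefined-variable errors mentioned above.

```perl
# FakeSelfAddr.pm -- hypothetical SpamAssassin plugin (added example, not from the thread)
#
# Flags mail whose From: local part is "<word>-<recipient local part>", e.g.
#   From: word-olivier@somewhere.random   To: olivier@mydomain.com
#
# Activate with lines like these in local.cf (path and rule name are assumptions):
#   loadplugin FakeSelfAddr /etc/mail/spamassassin/FakeSelfAddr.pm
#   header   FAKE_SELF_ADDR  eval:check_from_mimics_to()
#   describe FAKE_SELF_ADDR  From: local part is word-<recipient> for a local recipient
#   score    FAKE_SELF_ADDR  5.0

package FakeSelfAddr;

use strict;
use warnings;

use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Conf;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);

    # SA 4.0 expects the eval type as second argument; 3.4 ignores it.
    $self->register_eval_rule('check_from_mimics_to',
                              $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS);
    return $self;
}

# Pure matching logic, kept apart from the SA object so it can be exercised
# without a parsed message. Returns 1 when the From: local part is
# "<alphanumerics>-<local part of one of the To: addresses>", else 0.
sub from_mimics_to {
    my ($from_addr, @to_addrs) = @_;
    return 0 unless defined $from_addr && $from_addr =~ /^([^@]+)@/;
    my $from_user = lc $1;

    for my $to (@to_addrs) {
        next unless defined $to && $to =~ /^([^@]+)@/;
        my $to_user = lc $1;
        # \Q...\E quotes the recipient local part, so regex metacharacters in
        # an address cannot alter the pattern being tested.
        return 1 if $from_user =~ /^[a-z0-9]+-\Q$to_user\E$/;
    }
    return 0;
}

# The eval rule body SpamAssassin calls for each message.
sub check_from_mimics_to {
    my ($self, $pms) = @_;

    # BCC'd messages may carry no To: header at all; get() takes a default,
    # so both values are always defined strings and never undef.
    my $from = $pms->get('From:addr', '');
    my $to   = $pms->get('To:addr',   '');

    # With several recipients, :addr returns the addresses newline-separated.
    my @to_addrs = grep { length } split /\n/, $to;

    return from_mimics_to($from, @to_addrs);
}

1;
```

Because the decision lives in from_mimics_to(), it can be checked from a one-liner such as `perl -I. -MFakeSelfAddr -e 'print FakeSelfAddr::from_mimics_to("word-olivier\@somewhere.random", "olivier\@mydomain.com")'`, which should print 1, while swapping the sender for "olivier@somewhere.random" or "word-bob@somewhere.random" should print 0.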