Mailing List Archive: SpamAssassin: users

sneaky pharma spam shooting past standard rules



Jason.Haar at trimble

Oct 15, 2009, 8:38 AM

Post #1 of 36 (1281 views)
sneaky pharma spam shooting past standard rules

I just received what appeared to be a standard "certain north american
country" pharma spam that went straight by rules I have that normally
catch it. Within Thunderbird (and any other HTML-capable MUA) it's
blatantly shouting its wares. Clever usage of SPANs appear to enable it
to sneak straight by SA.

http://pastebin.com/m56d2db96

Is this something SA normally has components in place to catch/parse?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


jarif at iki

Oct 15, 2009, 8:44 AM

Post #2 of 36 (1235 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

15.10.2009 18:38, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares. Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>


Spam detection software, running on the system
"wellington.fredriksson.dy.fi", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: All customers know that "Can cfl adia gp nPha tgj rmacy"
online dru kjw gstore is the cheapest place to buy me co dica iih
tions online.
Now it is confirmed by the results of survey taken by the Independent He
lxq alth Orga cqp nization. [...]

Content analysis details: (20.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [79.163.117.156 listed in bb.barracudacentral.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.163.117.156 listed in zen.spamhaus.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [79.163.117.156 listed in hostkarma.junkemailfilter.com]
 0.0 PRICES_ARE_AFFORDABLE  BODY: Message says that prices aren't too expensive
 0.3 KHOP_HELO_FCRDNS       Relay HELO differs from its IP's reverse DNS
 1.2 KHOP_2IPS_RCVD         Received: Relay identifies itself as wrong IP
 6.0 L_TAB_IN_FROM          L_TAB_IN_FROM
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=79.163.117.156,rdns=public30108.xdsl.centertel.pl,maildomain=ooshop.com,client,ipinhostname,clientwords]
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9231]
 1.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.


--
http://www.iki.fi/jarif/


Jason.Haar at trimble

Oct 15, 2009, 9:03 AM

Post #3 of 36 (1232 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On 10/15/2009 09:44 AM, Jari Fredriksson wrote:
>
> Spam detection software, running on the system
> "wellington.fredriksson.dy.fi", has
> identified this incoming email as possible spam. The original message
> ...

I assume you are trying to imply that SA does catch it. Well it has been
a while since *I* received it, and I guess it's now showing up in RBLs
(which is where all your score came from). What I was trying to ask
(poorly) was that I have a tonne of third-party add-on rules that catch
based on text-matching, and they are all failing due to those sneaky
<SPAN> tricks it uses. I thought SA had an HTML parser that attempts to
remove some HTML tricks, and so was asking why SA was missing those. If
I edit that message and remove the SPAN-trick, suddenly text-rules
trigger all over the place.

Hopefully that makes more sense :-)

PS: L_TAB_IN_FROM is a new one on me

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


jhardin at impsec

Oct 15, 2009, 9:08 AM

Post #4 of 36 (1232 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu, 15 Oct 2009, Jason Haar wrote:

> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares. Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96

27. Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)
(79.163.117.156)
28. by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300

You might want to consider instituting a HELO-no-dots reject at SMTP time
on your MTA. That rejects a _ton_ of garbage here.

The spans do look suspicious, I'm putting a rule into my sandbox...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Users mistake widespread adoption of Microsoft Office for the
development of a document format standard.
-----------------------------------------------------------------------
14 days since a sunspot last seen - EPA blames CO2 emissions


rick_knight at rlknight

Oct 15, 2009, 9:38 AM

Post #5 of 36 (1229 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

John Hardin wrote:
> On Thu, 15 Oct 2009, Jason Haar wrote:
>
>> I just received what appeared to be a standard "certain north american
>> country" pharma spam that went straight by rules I have that normally
>> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
>> blatantly shouting its wares. Clever usage of SPANs appear to enable it
>> to sneak straight by SA.
>>
>> http://pastebin.com/m56d2db96
>
> 27. Received: from public30108.xdsl.centertel.pl (HELO
> marcin-8963fd6f) (79.163.117.156)
> 28. by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300
>
> You might want to consider instituting a HELO-no-dots reject at SMTP
> time on your MTA. That rejects a _ton_ of garbage here.
>
> The spans do look suspicious, I'm putting a rule into my sandbox...
>
John,

What are you using to filter on HELO-no-dots? I've looked at milter-regex,
but I can't get it to build on my slackware 12 system.

Thanks,
Rick


me at junc

Oct 15, 2009, 9:40 AM

Post #6 of 36 (1228 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu 15 Oct 2009 05:44:30 PM CEST, Jari Fredriksson wrote

>> http://pastebin.com/m56d2db96

spruceclose dot com redirect

listed in a number of bl now

from equal replyto

badrelay

--
xpoint


me at junc

Oct 15, 2009, 10:03 AM

Post #7 of 36 (1231 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu 15 Oct 2009 06:08:02 PM CEST, John Hardin wrote

> The spans do look suspicious, I'm putting a rule into my sandbox...

wonder if google knows about a tilde r user in the server

2 tilde chars in the url

double //

tidy finds some errors in html

--
xpoint


jhardin at impsec

Oct 15, 2009, 10:07 AM

Post #8 of 36 (1237 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu, 15 Oct 2009, Rick Knight wrote:

> John Hardin wrote:
>>
>> 27. Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)
>> (79.163.117.156)
>> 28. by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300
>>
>> You might want to consider instituting a HELO-no-dots reject at SMTP
>> time on your MTA. That rejects a _ton_ of garbage here.
>
> What are you using to filter on HELO-no-dots?

I'm using milter-regex. My sample config is here:

http://www.impsec.org/~jhardin/antispam/

What is your MTA if it's not sendmail? It may have a similar capability
built in.

> I've looked at milter-regex, but I can't get it to build on my slackware
> 12 system.

That is surprising. What errors are you getting? (That's OT for SA, feel
free to contact me directly if you want and I'll see if I can help.)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Health Care _is_ a right - the government has no business keeping
you from getting it. But forcing somebody else to pay for your
health care at gunpoint (i.e. through taxation) is _not_ a right.
-----------------------------------------------------------------------
14 days since a sunspot last seen - EPA blames CO2 emissions


rick_knight at rlknight

Oct 15, 2009, 10:22 AM

Post #9 of 36 (1227 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

John Hardin wrote:
> On Thu, 15 Oct 2009, Rick Knight wrote:
>
>> John Hardin wrote:
>>>
>>> 27. Received: from public30108.xdsl.centertel.pl (HELO
>>> marcin-8963fd6f)
>>> (79.163.117.156)
>>> 28. by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42
>>> +1300
>>>
>>> You might want to consider instituting a HELO-no-dots reject at SMTP
>>> time on your MTA. That rejects a _ton_ of garbage here.
>>
>> What are you using to filter on HELO-no-dots?
>
> I'm using milter-regex. My sample config is here:
>
> http://www.impsec.org/~jhardin/antispam/
>
> What is your MTA if it's not sendmail? It may have a similar
> capability built in.
>
>> I've looked at milter-regex, but I can't get it to build on my
>> slackware 12 system.
>
> That is surprising. What errors are you getting? (That's OT for SA,
> feel free to contact me directly if you want and I'll see if I can help.)
>
Thanks John,

I'm using Sendmail and I've built it with milter support. I've looked at
your milter-regex config and it looks like something I want to
implement. I downloaded milter-regex, but I can't get it to build. I'll
email you directly with the errors I'm getting.

Thanks,
Rick


cgregory at hwcn

Oct 15, 2009, 10:48 AM

Post #10 of 36 (1230 views)
Re: [sa] sneaky pharma spam shooting past standard rules [In reply to]

Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is
still catching them..... LOL

The key to this trick is the spammer tries to insert 'invisible' text.
Either very small font size, as in your example, or colors that match the
background, or both, so that the intended wording merely appears a little
'gappy' to the human eye. Also watch for use of the style 'visibility'
attribute with either DIV or SPAN. Usually appears in the same 'batch' of
spams.... :)

- Charles


On Thu, 15 Oct 2009, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares. Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

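The invisible-text trick Charles describes, worked through as an added example (this is not SpamAssassin's own HTML handling and not code posted by anyone in the thread): a small Python HTML parser that drops text hidden by a tiny font size, a text colour equal to the page background, or visibility/display styling, then runs a pharma body pattern over both the naive tag-stripped text (what a plain text-matching rule sees) and the rendered text (what the recipient sees). The HTML fragment is constructed to mirror the "Can cfl adia gp nPha tgj rmacy" content preview quoted earlier in the thread; the 3px threshold, the colour table and the PHARMA_RE pattern are assumptions made for the example, not SA rules.

```python
import re
from html.parser import HTMLParser

# Constructed sample: mirrors the "Can cfl adia gp nPha tgj rmacy" obfuscation
# from the thread's content preview. Junk fragments sit in SPANs that a
# rendering MUA hides (tiny font, background-coloured text, visibility/display).
SAMPLE_HTML = """<html><body bgcolor="#ffffff">
<p>All customers know that Can<span style="font-size:1px">cfl</span>adia<span style="font-size:1px">gp</span>n
Pha<span style="color:#ffffff">tgj</span>rmacy online dru<span style="visibility:hidden">kjw</span>gstore
is the cheapest place to buy me<span style="display:none">co</span>dica<span style="font-size:0px">iih</span>tions online.</p>
</body></html>"""

TRACKED = {"span", "div", "font"}      # elements whose styling can hide their text
TINY_PX = 3                             # assumption: text at or below 3px/3pt is invisible
NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}

# assumed body pattern standing in for the text-matching rules that missed the spam
PHARMA_RE = re.compile(r"canadian\s*pharmacy|drugstore|medications", re.I)


def normalize_color(c):
    """Lower-case a CSS colour and expand #rgb to #rrggbb so comparisons work."""
    c = NAMED_COLORS.get(c.lower(), c.lower())
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])
    return c


class HiddenTextStripper(HTMLParser):
    """Collect the text a human would see, dropping text hidden by SPAN tricks."""

    def __init__(self, bgcolor="#ffffff"):
        super().__init__(convert_charrefs=True)
        self.bgcolor = normalize_color(bgcolor)
        self.visible, self.hidden = [], []
        self.stack = []          # one bool per open TRACKED element: hidden or not
        self.hidden_count = 0

    def _is_hidden(self, attrs):
        style = (attrs.get("style") or "").lower()
        m = re.search(r"font-size\s*:\s*([\d.]+)\s*(px|pt|em|%)?", style)
        if m:
            size, unit = float(m.group(1)), m.group(2) or "px"
            if (unit in ("px", "pt") and size <= TINY_PX) or \
               (unit == "em" and size <= 0.2) or (unit == "%" and size <= 20):
                return True
        if re.search(r"visibility\s*:\s*hidden|display\s*:\s*none", style):
            return True
        # text colour equal to the background; (?<![-\w]) skips background-color
        m = re.search(r"(?<![-\w])color\s*:\s*(#[0-9a-f]{3,6}|[a-z]+)", style)
        color = m.group(1) if m else (attrs.get("color") or "")
        return bool(color) and normalize_color(color) == self.bgcolor

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body" and attrs.get("bgcolor"):
            self.bgcolor = normalize_color(attrs["bgcolor"])
        if tag in TRACKED:
            hidden = self._is_hidden(attrs)
            self.hidden_count += hidden
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in TRACKED and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        (self.hidden if any(self.stack) else self.visible).append(data)


def rendered_text(html):
    """Return (visible text, number of hidden elements) for an HTML body."""
    p = HiddenTextStripper()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", "".join(p.visible)).strip(), p.hidden_count


def scan(html):
    """Compare a naive tag-strip against the rendered view and run body rules on both."""
    naive = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()
    visible, hidden_count = rendered_text(html)
    return {
        "naive_hits": PHARMA_RE.findall(naive),       # what a tag-stripping rule sees
        "visible_hits": PHARMA_RE.findall(visible),   # what the recipient sees
        "hidden_elements": hidden_count,              # itself a usable spam signal
        "visible_text": visible,
    }


if __name__ == "__main__":
    for k, v in scan(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

On the constructed sample the naive pass finds nothing while the rendered pass matches all three terms, which is exactly the gap Jason describes; the count of hidden elements is a second signal worth scoring on its own, since legitimate mail rarely hides six runs of text in one paragraph.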

jhardin at impsec

Oct 15, 2009, 12:02 PM

Post #11 of 36 (1238 views)
Re: [sa] sneaky pharma spam shooting past standard rules [In reply to]

On Thu, 15 Oct 2009, Charles Gregory wrote:

> Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is
> still catching them..... LOL

None of the existing FLOAT rules caught these.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
W-w-w-w-w-where did he learn to n-n-negotiate like that?
-----------------------------------------------------------------------
14 days since a sunspot last seen - EPA blames CO2 emissions


uhlar at fantomas

Oct 15, 2009, 12:24 PM

Post #12 of 36 (1234 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

>>> What are you using to filter on HELO-no-dots?
>>
>> I'm using milter-regex. My sample config is here:
>>
>> http://www.impsec.org/~jhardin/antispam/
>>
>> What is your MTA if it's not sendmail? It may have a similar
>> capability built in.

On 15.10.09 10:22, Rick Knight wrote:
> I'm using Sendmail and I've built it with milter support. I've looked at
> your milter-regex config and it looks like something I want to
> implement. I downloaded milter-regex, but I can't get it to build. I'll
> email you directly with the errors I'm getting.

use

FEATURE(`block_bad_helo')

in sendmail.mc
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.


kurt.buff at gmail

Oct 15, 2009, 12:25 PM

Post #13 of 36 (1223 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu, Oct 15, 2009 at 08:38, Jason Haar <Jason.Haar [at] trimble> wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares.  Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>
> --

With this:

Received: from public30108.xdsl.centertel.pl (HELO
marcin-8963fd6f) (79.163.117.156)

my postfix setup would have simply dropped it on the floor at the
HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
talk to it.


Kurt


antispam at khopis

Oct 15, 2009, 12:43 PM

Post #14 of 36 (1234 views)
Re: [SA] sneaky pharma spam shooting past standard rules [In reply to]

Jari Fredriksson wrote:
> 1.0 RCVD_IN_BRBL_LASTEXT RBL: Received via a relay in Barracuda BRBL
> 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> 1.7 RCVD_IN_HOSTKARMA_BL RBL: HostKarma: relay in black list
> 0.0 PRICES_ARE_AFFORDABLE BODY: Message says that prices aren't too
> 0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
> 1.2 KHOP_2IPS_RCVD Received: Relay identifies itself as wrong IP
> 6.0 L_TAB_IN_FROM L_TAB_IN_FROM
> 4.0 BOTNET Relay might be a spambot or virusbot
> 2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
> 1.0 HTML_MESSAGE BODY: HTML included in message
> 2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL

Of those 20.2 points, 2.9 are from stock SA, and the 2.0 from Bayes
doesn't count in helping people's configs. HTML_MESSAGE is dangerous
to bump up to 1.0 ... MIME_HTML_ONLY (1.5) takes care of most of the
HTML-based spam, while HTML_MESSAGE will trip over almost everything
(it hit 87% of the masscheck spam but also hit 27% of the ham), see
http://ruleqa.spamassassin.org/week/HTML_MESSAGE/detail

Of the remaining points, my channels (see link in my sig) contributed
6.2 by bringing in BRBL and HostKarma (plus DNSBL_BUMP) plus my other
rules like 2IPS (though the original post had "IN_BCUDA_RBL" plus some
rules penalizing mail from New Zealand).

The rest comes from BotNet and whatever L_TAB_IN_FROM is.
Google directs me to a post to this list from two months ago
(2009/08/22 18:19 UTC and 2009/08/06 20:50 UTC, both from Mike Cappella).

A score of 6 is FREAKISHLY high, even for something with a very low FP
rate. I'd score that around 1.2 if I trusted it. I like it, so I'm
throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:

# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header MC_TAB_IN_FROM From:raw =~ /^\t/m
describe MC_TAB_IN_FROM From: Contains a tab
score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2

--
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


me at junc

Oct 15, 2009, 12:50 PM

Post #15 of 36 (1228 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu 15 Oct 2009 09:24:44 PM CEST, Matus UHLAR - fantomas wrote

> FEATURE(`block_bad_helo')
> in sendmail.mc

if I remember sendmail, it needs to be added in sendmail.m4 and, when
saved, m4 sendmail.m4 will create sendmail.mc

--
xpoint


jhardin at impsec

Oct 15, 2009, 1:02 PM

Post #16 of 36 (1235 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu, 15 Oct 2009, Matus UHLAR - fantomas wrote:

>>>> What are you using to filter on HELO-no-dots?
>>>
>>> I'm using milter-regex. My sample config is here:
>>>
>>> http://www.impsec.org/~jhardin/antispam/
>>>
>>> What is your MTA if it's not sendmail? It may have a similar
>>> capability built in.
>
> On 15.10.09 10:22, Rick Knight wrote:
>> I'm using Sendmail and I've built it with milter support.
>
> use
>
> FEATURE(`block_bad_helo')
>
> in sendmail.mc

Has it been made easier to exclude netblocks - like your local network -
from that check? You don't want to do HELO rejects on mail originating
from local network MUAs that are misconfigured.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
I would buy a Mac today if I was not working at Microsoft.
-- James Allchin, Microsoft VP of Platforms
-----------------------------------------------------------------------
14 days since a sunspot last seen - EPA blames CO2 emissions


me at junc

Oct 15, 2009, 1:30 PM

Post #17 of 36 (1232 views)
Re: [SA] sneaky pharma spam shooting past standard rules [In reply to]

On Thu 15 Oct 2009 09:43:52 PM CEST, Adam Katz wrote

> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
> header MC_TAB_IN_FROM From:raw =~ /^\t/m
> describe MC_TAB_IN_FROM From: Contains a tab
> score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2

also tab on date

maybe meta both so

--
xpoint


mysqlstudent at gmail

Oct 15, 2009, 4:31 PM

Post #18 of 36 (1220 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

Hi,

> With this:
>
>      Received: from public30108.xdsl.centertel.pl (HELO
> marcin-8963fd6f) (79.163.117.156)
>
> my postfix setup would have simply dropped it on the floor at the
> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
> talk to it.

Kurt, can you explain how you're doing it with postfix?

Thanks,
Alex


antispam at khopis

Oct 15, 2009, 4:40 PM

Post #19 of 36 (1216 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

Rick Knight wrote:
> John,
>
> What are you using to filter on HELO-no-dots? I've looked at milter-regex,
> but I can't get it to build on my slackware 12 system.

That would be the __HELO_NO_DOMAIN rule, modified from vanilla 3.2.5
by updates.spamassassin.org to something less useful and then reverted
back by Justin Mason in subversion, see
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf?revision=825439&view=markup#l84

Scoring at http://ruleqa.spamassassin.org/week/__HELO_NO_DOMAIN/detail
>> MSECS  SPAM%    HAM%    S/O    RANK  SCORE  NAME
>>     0  19.9863  1.1186  0.947  0.61  (n/a)  __HELO_NO_DOMAIN

Included in khop-general (be wary of wrapping):

# from SVN at rulesrc/sandbox/jm/20_basic.cf
header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /

meta KHOP_NO_FQDN __HELO_NO_DOMAIN && (RDNS_NONE || RDNS_DYNAMIC)
describe KHOP_NO_FQDN HELO: not a domain, no static reverse DNS on IP
score KHOP_NO_FQDN 0.5 # 20090603

I used (RDNS_NONE || RDNS_DYNAMIC) in an attempt to limit the damage
to ham ... my recollection is that the rulesqa stats were less
favorable when I wrote the rule back in June. I saved a copy of
__HELO_NO_DOMAIN spam/ham hits over time (those disappear
occasionally) at http://yfrog.com/athelonodomainhist2009101g -- it
does appear to have had more FPs.

This rule needs to be revisited as it doesn't hit anything despite the
fact that it blends only high-traffic rules:

rule             my spam%  corpus%  %of RDNS_NONE  %of RDNS_DYN
__HELO_NO_FQDN   unknown   20.0%    86%            <21%
RDNS_NONE        18.8%     57.6%    100%           0%
RDNS_DYNAMIC     9.9%      25.6%    0%             100%
KHOP_NO_FQDN     0.1%      unknown  (2.2%)         (0%)

If you're wondering why these are so low ... I use greylisting, which
is specifically good at picking out what these rules catch. Assuming
86% overlap with RDNS_NONE (and no overlap with RDNS_DYNAMIC),
KHOP_NO_FQDN would catch 50% of the spam corpus, which is serious
stuff, but using my own overlap number of 2.2%, that's 1.27%, which
might not be so bad. (Parenthesis are my own data since no data for
the masscheck is available.)


kremels at kreme

Oct 15, 2009, 4:55 PM

Post #20 of 36 (1220 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On 15-Oct-2009, at 17:31, MySQL Student wrote:

> Hi,
>
>> With this:
>>
>> Received: from public30108.xdsl.centertel.pl (HELO
>> marcin-8963fd6f) (79.163.117.156)
>>
>> my postfix setup would have simply dropped it on the floor at the
>> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we
>> don't
>> talk to it.
>
> Kurt, can you explain how you're doing it with postfix?

I'm not Kurt, but how about

reject_unknown_sender_domain

That's what I use.

--
Oh never resist an impulse, Sabrina. Especially if it's terrible.


kremels at kreme

Oct 15, 2009, 4:57 PM

Post #21 of 36 (1228 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On 15-Oct-2009, at 17:31, MySQL Student wrote:
> Kurt, can you explain how you're doing it with postfix?

Sorry, pasted the wrong thing in the previous email.

smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
permit


--
Rincewind had always been happy to think of himself as a racist.
The One Hundred Meters, the Mile, the Marathon -- he'd run them
all.


kremels at kreme

Oct 15, 2009, 5:02 PM

Post #22 of 36 (1223 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On 15-Oct-2009, at 17:57, LuKreme wrote:
> smtpd_helo_restrictions = permit_mynetworks,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> permit


Oh, and for the record, on my mail server these two restrictions stop
50% of all attempted connections. That's 50% that don't even make it
to transaction, much less to SpamAssassin.

--
Oh, he's just like any other man, only more so.


jhardin at impsec

Oct 15, 2009, 5:07 PM

Post #23 of 36 (1223 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu, 15 Oct 2009, LuKreme wrote:

> On 15-Oct-2009, at 17:57, LuKreme wrote:
>> smtpd_helo_restrictions = permit_mynetworks,
>> reject_invalid_helo_hostname,
>> reject_non_fqdn_helo_hostname,
>> permit
>
> Oh, and for the record, on my mail server these two restrictions stop
> 50% of all attempted connections. That's 50% that don't even make it to
> transaction, much less to SpamAssassin.

I haven't run the numbers, but that sounds about like what I'm seeing too.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Win95: Where do you want to go today?
Vista: Where will Microsoft allow you to go today?
-----------------------------------------------------------------------
14 days since a sunspot last seen - EPA blames CO2 emissions


cpollock at embarqmail

Oct 15, 2009, 5:12 PM

Post #24 of 36 (1226 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

On Thu, 2009-10-15 at 09:38 -0600, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares. Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>
FWIW short-circuit kicked in when the clamav plugin hit. I'm running the
third party sigs and it hit on Sanesecurity.Hdr.8239.UNOFFICIAL.

--
KeyID 0xE372A7DA98E6705C
Attachments: signature.asc (0.19 KB)


d.hill at yournetplus

Oct 15, 2009, 5:15 PM

Post #25 of 36 (1218 views)
Re: sneaky pharma spam shooting past standard rules [In reply to]

Quoting LuKreme <kremels [at] kreme>:

> On 15-Oct-2009, at 17:31, MySQL Student wrote:
>
>> Hi,
>>
>>> With this:
>>>
>>> Received: from public30108.xdsl.centertel.pl (HELO
>>> marcin-8963fd6f) (79.163.117.156)
>>>
>>> my postfix setup would have simply dropped it on the floor at the
>>> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
>>> talk to it.
>>
>> Kurt, can you explain how you're doing it with postfix?
>
> I'm not kurt, but how about
>
> reject_unknown_sender_domain
>
> That's what I use.

That will reject unknown sender domains. How about:

reject_non_fqdn_helo_hostname

An example from the logs:

Oct 16 00:00:05 smtpgate postfix/smtpd[80448]: NOQUEUE: reject: RCPT from 68.115.206-77.rev.gaoland.net[77.206.115.68]:2082: 504 5.5.2 <utilisat77cfbd>: Helo command rejected: need fully-qualified hostname; from=<from [at] example> to=<to [at] example> proto=ESMTP helo=<utilisat77cfbd>
