> -----Original Message-----
> From: Jens Teubner [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 26, 2003 4:14 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Proposal: Rule for faked HELOs
>
>
> Hi,
>
> although I'm definitely not a SpamAssassin expert, I observed a pattern
> that was present in roughly half the spam mails I got during the last
> weeks.
>
> --- snip ---
> Received: from 134.34.240.60 (unknown [202.99.169.213])
>         by guanin.uni-konstanz.de (Postfix) with SMTP
>         id 00DC026A9EE; Mon, 25 Aug 2003 18:48:39 +0200 (MEST)
> Received: from sq2.kn923p2.org [245.227.70.53] by 134.34.240.60 id
> --- snap ---
>
> Our incoming mail server is guanin.uni-konstanz.de, with IP
> 134.34.240.60. Obviously the spammer sent this IP with the
> HELO command.
>
> I have no idea how to write SpamAssassin patterns, but shouldn't it be
> possible to do something like
>
> Received: from {IP1} ({domainname1} [{IP2}]) from {domainname2}
>
> If {IP1} != {IP2} we could give points, even more points we should give
> if {IP1} is the IP of {domainname2}.
>
> I'm using SpamAssassin 2.55 with the DNS lookup features, together with
> procmail. And it does not seem to have a pattern like this yet.
>
> Regards,
>
> Jens
>
> --
> Jens Teubner
> University of Konstanz, Department of Computer and Information Sciences
>
> This email was written with 100% recycled electrons.
I posted this earlier this week. They are in testing only right now. Well, some anyway. Some are working fine. The one listed for the unknown might need some changes. The first and 6th ones should catch what you are looking for. The fourth one looks for something different.

**** NOTE rules could be line wrapped due to junk MUA! :-) *****

header WORKSTATION_NAME Received =~ /^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)/
describe WORKSTATION_NAME Header includes a server with no FQDN.
score WORKSTATION_NAME 0.25

header WORKSTATION_NAME2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
describe WORKSTATION_NAME2 Received is missing a FQDN, IP only.
score WORKSTATION_NAME2 0.01

header WORKSTATION_NAME3 Received =~ /^from \(.?\[.?\].?\)\b/
describe WORKSTATION_NAME3 Contains an empty Received IP.
score WORKSTATION_NAME3 0.01

header WORKSTATION_NAME4 Received =~ /^from unknown \(\w+ \w+\)\b/
describe WORKSTATION_NAME4 Received contains an unknown FQDN with possible HELO.
score WORKSTATION_NAME4 0.01

header WORKSTATION_NAME5 Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
describe WORKSTATION_NAME5 RCVD has no FQDN and a HELO.
score WORKSTATION_NAME5 0.01

header WORKSTATION_NAME6 Received =~ /^from \w+ \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\./
describe WORKSTATION_NAME6 RCVD has FQDN inside IP parens after a workstation name.
score WORKSTATION_NAME6 0.33

header WORKSTATION_NAME7 Received =~ /^from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\./
describe WORKSTATION_NAME7 RCVD has IP, then IP inside parens, then IP inside Brackets.
score WORKSTATION_NAME7 0.01

header MY_RCVD_TOKEN Received =~ /\w{5,15}\*\*merchantsoverseas\*com\@/i
describe MY_RCVD_TOKEN Received line contains a munged email address.
score MY_RCVD_TOKEN 1.5

# This is a second receival line from an internal email gateway from cp.net
# First line was legit.
# Original second line:
# Received: (cpmta 25817 invoked from network); 20 Aug 2003 19:59:48
# Possible meta rule for this later +/-
header MY_RCVD_TEST1 Received =~ /^\(\w+ \d+ \w+/
describe MY_RCVD_TEST1 RCVD from an internal net GW? Testing for S/O
score MY_RCVD_TEST1 0.01

# This is the third receival line from cp.net in series.
# Original line:
# Received: from 205.184.173.238 (HELO oemcomputer) by smtp.peoplepc.com (209.228.32.181) with SMTP;
# Possible meta rule later on. +/-
header MY_RCVD_TEST2 Received =~ /^from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} \(HELO/
describe MY_RCVD_TEST2 RCVD has IP in no Parens, and a HELO. Possible ham from internal email GW.
score MY_RCVD_TEST2 0.01

header MY_HEADER_TAG1 X-E =~ /./i
describe MY_HEADER_TAG1 Spam header tag found, X-E:
score MY_HEADER_TAG1 0.01

header MY_HEADER_TAG2 X-I =~ /./i
describe MY_HEADER_TAG2 Spam header tag found, X-I:
score MY_HEADER_TAG2 0.01

header MY_HEADER_TAG3 OptinId =~ /./i
describe MY_HEADER_TAG3 Spam header tag found, OptinId:
score MY_HEADER_TAG3 0.01

header MY_HEADER_TAG4 RefId =~ /./i
describe MY_HEADER_TAG4 Spam header tag found, RefId:
score MY_HEADER_TAG4 0.01

header MY_HEADER_TAG5 X-yd =~ /./i
describe MY_HEADER_TAG5 Spam header tag found, X-yd:
score MY_HEADER_TAG5 0.01

header MY_HEADER_TAG6 List-Unsubscribe =~ /^\<mailto/i
describe MY_HEADER_TAG6 Possible spam tag in list unsub, Mailto:
score MY_HEADER_TAG6 0.01

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
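The check Jens proposes in the quoted message (IP1 in the HELO differs from IP2 that the MTA actually saw, and IP1 is the receiving host's own address) can be prototyped outside SpamAssassin before it is turned into a header rule. The following is an added example written for this thread, not code from either poster or from the SpamAssassin project. It assumes the Postfix trace format shown in the quoted Received: line, and it substitutes a static host-to-IP map (seeded with guanin.uni-konstanz.de = 134.34.240.60 from the quoted mail) for the DNS lookup a real rule would do, so it runs offline; the score values are illustrative, not SpamAssassin defaults.

```python
import ipaddress
import re
from typing import Optional

# Assumption: addresses of the receiving MTA, taken from the quoted mail.
# A real rule would resolve the "by" host via DNS; a static map keeps this offline.
BY_HOST_IPS = {"guanin.uni-konstanz.de": {"134.34.240.60"}}

# Postfix-style trace line: from <helo> (<rdns> [<ip>]) by <host> ...
# <rdns> is "unknown" when the connecting IP has no reverse DNS (IPv4 only here).
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> Optional[dict]:
    """Split an unfolded Received: header value into helo / rdns / ip / by fields."""
    m = RECEIVED_RE.match(value.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["helo"] = fields["helo"].strip("[]")  # accept the "[1.2.3.4]" literal form too
    return fields


def is_ip_literal(token: str) -> bool:
    """True when the HELO argument is a bare IP address rather than a host name."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def faked_helo_score(value: str, by_host_ips=BY_HOST_IPS):
    """Score one Received: line as proposed in the thread.

    IP1 is the HELO argument, IP2 the address the MTA saw on the socket.
    IP1 != IP2 earns points; IP1 being the receiving host's own address earns more.
    Returns (score, list_of_hit_names).
    """
    fields = parse_received(value)
    if fields is None:
        return 0.0, []
    score, hits = 0.0, []
    helo, seen_ip, by_host = fields["helo"], fields["ip"], fields["by"].lower()
    if is_ip_literal(helo) and helo != seen_ip:
        score += 1.0
        hits.append("HELO_IP_MISMATCH")
        if helo in by_host_ips.get(by_host, set()):
            score += 2.0
            hits.append("HELO_IS_RECEIVING_MX")
    return score, hits


# Constructed sample header values (already unfolded onto one line). The first
# reproduces the line quoted in the thread; the other two are made up for contrast.
SAMPLES = {
    "forged_own_ip": (
        "from 134.34.240.60 (unknown [202.99.169.213]) "
        "by guanin.uni-konstanz.de (Postfix) with SMTP id 00DC026A9EE; "
        "Mon, 25 Aug 2003 18:48:39 +0200 (MEST)"
    ),
    "forged_other_ip": (
        "from 198.51.100.7 (unknown [203.0.113.9]) "
        "by guanin.uni-konstanz.de (Postfix) with SMTP id 0000000000"
    ),
    "legit": (
        "from mail.example.org (mail.example.org [192.0.2.10]) "
        "by guanin.uni-konstanz.de (Postfix) with ESMTP id 0000000000"
    ),
}


def score_all(samples=SAMPLES):
    """Score every sample; handy for eyeballing which rule fires on which line."""
    return {name: faked_helo_score(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, (score, hits) in score_all().items():
        print(f"{name:16s} {score:4.1f} {' '.join(hits)}")
```

Only the first sample earns the higher score, because its HELO argument is the receiving MX's own address; a forged HELO carrying some other IP gets the mismatch points alone, and a host whose HELO is a name is left to the other rules in this thread. When porting this into a header rule, remember that SpamAssassin hands the rule the unfolded header value, so the pattern must match across what appear as several lines in the raw message.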