Hi Kevin,

You are right, and by "a lot" I know what you mean, I see them too :-)

But rare are the ones that fake the X-Mailer header. I can't recall seeing one, in fact.

Note: I corrected my __AJB_HAS_XEROX this very morning to:

header __AJB_MAILER_XEROX X-Mailer =~ /^WorkCentre .{3,6}/

I noticed false positives because of the declared Mailer version (instead of "WorkCentre 1234", it's now "WorkCentre /4.03"). I really like version numbers that are consistent in time. This proves how developers thought about things in the very first place.

Also, some Xerox machines do add some interesting headers:

X-Xerox-Source-IP: 192.168.2.130
X-Xerox-Source-Name: redac...@example.com
X-Xerox-DeviceType: Phaser 3635MFP
X-Xerox-DeviceName: XRX0000AADEF46B
X-Xerox-Mail-Id: 1100856957-758036596-000571194682402-758036596-535680529

I'm building rules with those, as I never saw such faked headers in spams spoofing the Subject: Scan from a Xerox, but in the case of forwarded scans, I keep my meta with Thread related rules.

Regards,
Alex, from prypiat.
Yes, I recycle.

On 12-11-30 09:54 AM, Kevin A. McGrail wrote:
> On 11/30/2012 8:15 AM, Alexandre Boyer wrote:
>> As a Mailer agent, I also spotted the Xerox Workcenter to have a
>> dirty behavior.
>>
>> As I had the very same problem as Kris, I personally did not disable
>> those rules but built some metas based on X-Mailer and Subject tests:
>>
>> header __AJB_HAS_XEROX X-Mailer =~ /WorkCentre \d{3,5}/
>> header __AJB_XEROX_SUBJ Subject =~ /Scan from a Xerox/
>>
>> I meta those sub-tests with FROM_MISSP_* and I compensate for the
>> scores. As I use some KHOP rules, I also meta this with KHOP_THREADED
>> as well as with some Thread related rules to avoid blocking forwarded
>> scans.
>>
>> I did not do deep research, I could probably customize
>> __AJB_HAS_XEROX to match specific versions of this "broken" agent,
>> but this works well like that. As they say: "first make it work, then
>> make it better." But when it works, I usually have something else to
>> do than make it better.
>>
>> Works pretty well indeed.
>
> Adding to the mix, I see a LOT of phishing attempts with Scan from XYZ...
>
> Regards,
> KAM
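To see how the header sub-tests and meta logic discussed in this thread behave on sample headers, here is an added Python model of the rules; it is not SpamAssassin itself nor any rule from the thread's authors. The X-Xerox-* sub-tests, the __THREADED stand-in and the meta are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Header sub-tests modelled on the SpamAssassin rules quoted in the thread
# ("header NAME Header =~ /regex/"). The two X-Xerox-* tests and __THREADED are
# assumptions illustrating rules on the device headers Alex lists, not his rules.
HEADER_RULES = {
    "__AJB_HAS_XEROX_OLD": ("X-Mailer", re.compile(r"WorkCentre \d{3,5}")),
    "__AJB_MAILER_XEROX":  ("X-Mailer", re.compile(r"^WorkCentre .{3,6}")),
    "__AJB_XEROX_SUBJ":    ("Subject", re.compile(r"Scan from a Xerox")),
    "__XEROX_DEVICE_HDR":  ("X-Xerox-DeviceType", re.compile(r"^(Phaser|WorkCentre) ")),
    "__XEROX_MAILID_HDR":  ("X-Xerox-Mail-Id", re.compile(r"^\d+(-\d+)+$")),
}

def run_header_rules(raw):
    """Return the names of the sub-tests that hit on a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = set()
    for name, (hdr, rx) in HEADER_RULES.items():
        value = msg.get(hdr)
        if value is not None and rx.search(value):
            hits.add(name)
    if msg.get("References") or msg.get("In-Reply-To"):
        hits.add("__THREADED")  # stand-in for the thread-related sub-tests
    return hits

def meta_xerox_claim_without_device_hdrs(hits):
    """Meta in the spirit of the thread: mailer and subject claim a Xerox scan,
    none of the device headers are present, and the mail is not in a thread
    (so forwarded scans are not flagged). A hit raises suspicion, not proof."""
    return ("__AJB_MAILER_XEROX" in hits and "__AJB_XEROX_SUBJ" in hits
            and not ({"__XEROX_DEVICE_HDR", "__XEROX_MAILID_HDR"} & hits)
            and "__THREADED" not in hits)

# Constructed sample headers (not real captures).
GENUINE_SCAN = """\
From: scanner@example.com
Subject: Scan from a Xerox WorkCentre
X-Mailer: WorkCentre /4.03
X-Xerox-DeviceType: Phaser 3635MFP
X-Xerox-Mail-Id: 123456789-987654321-000000000000001

"""
BARE_CLAIM = """\
From: scanner@example.com
Subject: Scan from a Xerox WorkCentre
X-Mailer: WorkCentre 1234

"""
```

The old `\d{3,5}` pattern misses the "WorkCentre /4.03" version string while the corrected `^WorkCentre .{3,6}` still hits, which is the false-negative Alex describes; a References header on the bare claim models the forwarded-scan exception.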