Discussion:
Rechnung offline Spam
Johan Hendriks
2014-06-11 13:41:49 UTC
Hello all.

I am trying to stop some spam but it seems MailScanner just lets them
pass...

It is about mail with the following Subject.
RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)

So I made a custum.cf file with the following:


header TELECOM_SUBJECT Subject =~ /RechnungOnline/i
score TELECOM_SUBJECT 5.1
describe TELECOM_SUBJECT Telekom spam


Is my rule not OK, and is it looking for a subject ONLY with
RechnungOnline?

Secondly the mail contains a Trojan and that also is getting through?

Could someone please help me.

regards
Johan
Bryan Laurila
2014-06-11 18:43:07 UTC
From what I have read, when writing custom rules these lines should be
added to the /etc/mail/spamassassin/local.cf file. Below is an example
of one of my custom rules to subtract 2.0 from the spam score for
messages coming through our mail encryption service. You may want to
consider "ALL" instead of just "Subject" in your test line for broader
coverage but I believe that your syntax is correct.

#
#Subtract 2.0 from Spam Score for any ZIX processed message
header ZIX_MESSAGE ALL =~ /zixvpm/
score ZIX_MESSAGE -2.0 -2.0 -2.0 -2.0
describe ZIX_MESSAGE Lower Score of ZIX Messages
#

See also: http://wiki.apache.org/spamassassin/WritingRules


Bryan S. Laurila
Senior Network Support Analyst
Dickinson County Healthcare System

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


Confidentiality Notice:

This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. As required by federal and state laws, you need to hold this information as privileged and confidential.

This message may contain Protected Health Information (PHI). PHI is personal and sensitive information related to a person's health care. It is being emailed to you after appropriate authorization from the patient or under circumstances that do not require patient authorization. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law.

If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying or distribution of this information is Strictly Prohibited. If you have received this communication in error, please notify the sender and destroy all copies of this communication and any attachments.

Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron Mountain, MI 49801, www.dchs.org
Joolee
2014-06-11 20:07:26 UTC
Also notice that your spamassassin folder probably has a special
configuration file to be used by MailScanner. You can identify this file by
examining the symbolic link in the configuration folder for MailScanner.
Johan Hendriks
2014-06-12 09:08:02 UTC
Thank you for the replies. I will look into it a little more.

regards
Johan
Holger Gebhard
2014-06-13 09:06:06 UTC
Hi Johan,

this is my current anti-phishing rule for the telekom spams. If the spammers
change the messages from time to time you must tweak the regex a little bit.

header __PHISHING_TXT_14060401 Subject =~ /RechnungOnline Monat/i
body __PHISHING_TXT_14060402 /(?:als Anlage (?:ist|erhalten Sie)|diese Nachricht finden Sie) die Rechnung \d+ als PDF.{1,5}(?:Datei|Anhang)/i
body __PHISHING_TXT_14060403 /rechnung(?:_|-)(?:januar|februar|m.rz|april|mai|juni|juli|august|september|oktober|november|dezember)((?:_|-)201\d)?(?:_|-)(?:\d|-)+((?:_|-)sign?)?\.zip/i
meta TELEKOM_PHISHING_01 (__PHISHING_TXT_14060401 && __PHISHING_TXT_14060402 && __PHISHING_TXT_14060403)
score TELEKOM_PHISHING_01 5.0
describe TELEKOM_PHISHING_01 Typical phishing message parts


Best regards

Holger

Holger Gebhard
2014-06-13 10:05:35 UTC
Hi Johan,

the copy/paste destroyed my rule...
The right rule is attached in a text now ;-)


Best regards

Holger


Attachment: rule.txt
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140613/77bcd4c6/attachment.txt
Kai Schaetzl
2014-06-13 09:33:47 UTC
Post by Johan Hendriks
I am trying to stop some spam but it seems MailScanner just lets them
pass...
Check if it hits. You can do this with SA --lint. If SA hits, then check
if MS runs it with the same config. An easy check if your custom rule is
in the right place (e.g. you are doing it the first time ...) is to place
a deliberately *wrong* rule there and then run SA --lint. It should bark
about it, e.g.

header whatever

alone should be sufficient to trigger a warning or even an error with SA.
If it does you know it's in the right place, then do the same with MS.

If you put your .cf file in the SA rules directory (usually
/etc/mail/spamassassin), then it will get picked up. There is no need to
add it to another file.

Please note that the *real* invoices by Deutsche Telekom have the *same*
subject!

A good way to identify this spam is to look for the mailer software (/^X-
Mailer:.*Blat.*/ or /^X-MimeOLE:.*Produced by Blat.*/). This spam (also
the big spam run in January) is getting sent from Windows zombies with the
help of Blat (you could also look just for a specific version, I think
it's always 3.1.1). So you can have a meta rule for them.

Also, if these messages (sometimes they come in really big quantities)
pose a problem for your mail system you can enforce a (temporary) header
check with postfix and reject them right away. Of course, this will reject
legitimate mailing list mail sent by Blat as well (but it's rare). So, use
it only as a temporary measure.


Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
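The rules from Holger's post and the Blat mailer check Kai describes, dry-run in Python over two constructed messages so the scoring can be compared without a MailScanner installation; this is an added example, not code from the list, MailScanner or SpamAssassin. The rule names, regexes and scores for TELECOM_SUBJECT and TELEKOM_PHISHING_01 are copied from the thread; the message texts, the BLAT_MAILER rule name and its 3.0 score are assumptions made here.

```python
import re
from email import message_from_string

# Sub-rules copied from the thread; the comment says whose rule each one is.
SUBJECT_RULES = {                                   # run on the Subject header
    "TELECOM_SUBJECT": re.compile(r"RechnungOnline", re.I),                # Johan
    "__PHISHING_TXT_14060401": re.compile(r"RechnungOnline Monat", re.I),  # Holger
}
BODY_RULES = {                                      # run on the rendered body text
    "__PHISHING_TXT_14060402": re.compile(
        r"(?:als Anlage (?:ist|erhalten Sie)|diese Nachricht finden Sie) "
        r"die Rechnung \d+ als PDF.{1,5}(?:Datei|Anhang)", re.I),
    "__PHISHING_TXT_14060403": re.compile(
        r"rechnung(?:_|-)(?:januar|februar|m.rz|april|mai|juni|juli|august|"
        r"september|oktober|november|dezember)((?:_|-)201\d)?(?:_|-)(?:\d|-)+"
        r"((?:_|-)sign?)?\.zip", re.I),
}
HEADER_RULES = {                                    # Kai's Blat check, raw header lines
    "__BLAT_XMAILER": re.compile(r"^X-Mailer:.*Blat.*", re.I | re.M),
    "__BLAT_MIMEOLE": re.compile(r"^X-MimeOLE:.*Produced by Blat.*", re.I | re.M),
}
# Johan's and Holger's scores are from the thread; BLAT_MAILER and 3.0 are assumed.
SCORES = {"TELECOM_SUBJECT": 5.1, "TELEKOM_PHISHING_01": 5.0, "BLAT_MAILER": 3.0}


def evaluate(raw):
    """Return {scored rule: hit, "score": total} for one RFC 822 message string."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = " ".join(msg.get_payload().split())   # SA body rules see collapsed whitespace
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())

    hits = {n: bool(rx.search(subject)) for n, rx in SUBJECT_RULES.items()}
    hits.update({n: bool(rx.search(body)) for n, rx in BODY_RULES.items()})
    hits.update({n: bool(rx.search(headers)) for n, rx in HEADER_RULES.items()})

    # Meta rules: Holger's needs all three parts (the && in his meta line);
    # the Blat rule fires on either mailer header.
    hits["TELEKOM_PHISHING_01"] = (hits["__PHISHING_TXT_14060401"]
                                   and hits["__PHISHING_TXT_14060402"]
                                   and hits["__PHISHING_TXT_14060403"])
    hits["BLAT_MAILER"] = hits["__BLAT_XMAILER"] or hits["__BLAT_MIMEOLE"]

    result = {n: hits[n] for n in SCORES}
    result["score"] = round(sum(s for n, s in SCORES.items() if hits[n]), 1)
    return result


# Constructed sample shaped like the run the thread describes (not a real message).
PHISH = """\
From: rechnungonline@example.invalid
Subject: RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)
X-Mailer: Blat v3.1.1

Als Anlage erhalten Sie die Rechnung 4660367728 als PDF-Datei
in Rechnung_Juni_2014_4660367728.zip.
"""
# Constructed sample with the same subject but none of the other markers,
# standing in for the genuine invoice Kai says carries the same subject.
LEGIT = """\
From: billing@example.invalid
Subject: RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)
X-Mailer: Example Billing Mailer

Ihre Rechnung finden Sie wie gewohnt im Kundencenter.
"""
```

evaluate(PHISH) reports all three scored rules for a total of 13.1, while evaluate(LEGIT) reports only TELECOM_SUBJECT (5.1): the subject-only rule alone would tag the genuine invoice too, which is the false positive Kai warns about.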
Johan Hendriks
2014-06-13 11:18:07 UTC
Thanks for the answers again, and Holger for the rules.

I put the file in /usr/local/etc/mail/spamassassin/
If I make a mistake like you said, spamassassin --lint indeed barks:
spamassassin --lint
Jun 13 12:25:05.692 [72537] warn: config: SpamAssassin failed to parse
line, no value provided for "header", skipping: header whatever
Jun 13 12:25:06.793 [72537] warn: lint: 1 issues detected, please rerun
with debug enabled for more information

So spamassassin reads the rule

MailScanner --lint does not show me much about spamassassin.
In the directory where I have the custum_rule.cf file there is also a
file for the FuzzyOCR rules, and that gets loaded also.

I will look and see if it all works now.

regards
Johan
