Mailing List Archive

Spam : You have 5 Incoming messages
Good day Guys

We are seeing quite a few of the following spam being delivered to our
users.

https://pastebin.com/raw/43VqDPTy

Notice the:

You have 5 Incoming messages t=
hat could not be delivered to eunice@REMOVED
Retrieve Messages and reconfigure SMTP server to avoid losing important fil=
es and messages.

Then at the bottom, see the URL trying to catch the recipient.

This email is to serve as an FYI to the community, and maybe a global rule
can be pushed out, and secondly to ask if someone can please peer review my
ruleset below. It works, I am just wondering if it can be done better.

# Subject rule for "N Incoming/Undeliverable Messages (for|failed) ..." subjects
header HTEST Subject =~ /[0-9]?\s?(Undeliverable|Incoming)?\sMessages\s(for|failed)?\s?(for)?/i
score HTEST 0.01
describe HTEST Testing new rule

Many thanks
Brent Clark
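An added sanity check, not part of the thread and not Brent's code: the rule above makes every token except "\sMessages\s" optional, so the regex effectively reduces to "whitespace, Messages, whitespace". The script below parses one-line SpamAssassin "header" rules, runs the posted regex and a tightened alternative (suggested here, not from the thread) over a handful of constructed subjects, and reports what each one catches. Subjects, rule name HTEST_TIGHT and the tightened pattern are all assumptions.

```python
import re

# SpamAssassin header rules in native syntax. POSTED_RULE is the rule from the
# thread (keyword spelled as posted); TIGHT_RULE is an alternative suggested
# here, not from the thread: it requires the count and/or the keyword to sit
# directly in front of "Message(s)" and does not require trailing whitespace.
POSTED_RULE = r"header HTEST Subject =~ /[0-9]?\s?(Underliverable|Incoming)?\sMessages\s(for|failed)?\s?(for)?/i"
TIGHT_RULE = r"header HTEST_TIGHT Subject =~ /\b(?:\d+\s+)?(?:Undeliverable|Incoming)\s+Messages?\b/i"

# One-line 'header NAME HeaderName =~ /pattern/flags' rules only (no eval:/exists: forms).
RULE_LINE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")

# Constructed subjects, not taken from the thread's sample.
SUBJECTS = [
    "You have 5 Incoming messages",                              # spam, as in the thread subject
    "You have 5 Incoming messages that could not be delivered",  # spam, same phrase, longer
    "Undeliverable Messages for eunice@example.com",             # NDR-style spam variant
    "HR Messages for Friday",                                    # legitimate mail
    "Re: Monthly report",                                        # legitimate mail
]


def compile_rule(line):
    """Parse a one-line SA header rule into (name, header, compiled regex)."""
    m = RULE_LINE.match(line.strip())
    if not m:
        raise ValueError("not a one-line header rule: " + line)
    name, header, pattern, flags = m.groups()
    # Only the /i flag matters here; SA compiles the pattern with Perl, so this
    # is a Python approximation that holds for simple patterns like these.
    return name, header, re.compile(pattern, re.I if "i" in flags else 0)


def hits(rule_line, subjects):
    """Return the subjects the rule's regex matches, in input order."""
    _, _, rx = compile_rule(rule_line)
    return [s for s in subjects if rx.search(s)]


if __name__ == "__main__":
    for rule in (POSTED_RULE, TIGHT_RULE):
        print(compile_rule(rule)[0], hits(rule, SUBJECTS))
```

On these subjects the posted regex fires on "HR Messages for Friday" (any " Messages " in a subject) while missing the exact spam subject, because "\sMessages\s" needs whitespace after the word and a subject ending in "messages" has none; the tightened pattern catches the three spam-shaped subjects and neither of the legitimate ones. Python is only a quick approximation: run "spamassassin --lint" after adding the rule and "spamassassin -t < sample.eml" against a saved spample to see what SA itself scores.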
Re: Spam : You have 5 Incoming messages
On 1/30/19 2:03 AM, Brent Clark wrote:
> Good day Guys
>
> We are seeing quite a few of the following spam being delivered to our
> users.
>
> https://pastebin.com/raw/43VqDPTy
>
> Notice the:
>
> You have 5 Incoming messages t=
> hat could not be delivered to eunice@REMOVED
> Retrieve Messages and reconfigure SMTP server to avoid losing important
> fil=
> es and messages.
>
> Then at the bottom, see the URL trying to catch the recipient.
>
> This email is to serve as an FYI to the community, and maybe a global rule
> can be pushed out, and secondly to ask if someone can please peer review my
> ruleset below. It works, I am just wondering if it can be done better.
>
> header    HTEST Subject =~ /[0-9]?\s?(Undeliverable|Incoming)?\sMessages\s(for|failed)?\s?(for)?/i
> score     HTEST 0.01
> describe  HTEST Testing new rule
>
> Many thanks
> Brent Clark

I think you redacted/changed too much for us to be able to help without
guessing.

1. Did the original email subject have "Spam: " at the front or did your
system add that?

2. Please leave the original Received: header IPs since that doesn't
give away any sensitive information. We need those to check for RBLs.

3. Please leave any sender information like the envelope-from address
and the From: header address.

4. Only redact your recipient's address and name. Replace the
recipient's domain with something like example.com or redacted.com so it
looks like a real domain format. Otherwise, it may hit SA rules that
wouldn't trigger on the original email like TO_MALFORMED.

Here's what my SA platform scored it as but it's not going to be
accurate enough with that first redacted spample. Please send us
another one minimally redacted.

X-Spam-Status: Yes, score=5.6 required=5.0 tests=BAYES_50,HTML_MESSAGE,
TO_IN_SUBJ,TO_MALFORMED,TVD_RCVD_SINGLE,UNPARSEABLE_RELAY shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report:
* 2.2 TVD_RCVD_SINGLE Message was received from localhost
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.2 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.4993]
* 2.1 TO_MALFORMED To: has a malformed address
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
* 0.1 TO_IN_SUBJ To address is in Subject

--
David Jones
Re: Spam : You have 5 Incoming messages
On 30 Jan 2019, at 6:27, David Jones wrote:

> 4. Only redact your recipient's address and name. Replace the
> recipient's domain with something like example.com or redacted.com so
> it
> looks like a real domain format. Otherwise, it may hit SA rules that
> wouldn't trigger on the original email like TO_MALFORMED.

AND: in cases when there are multiple users and/or domains redacted in
the same message, make them distinguishable and consistent so that every
time a particular address or domain appears in the original it has the
same replacement in the redaction and each unique address or domain has
its own unique replacement.
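An added example of the redaction David and the reply above describe; it is not code from the thread or from SpamAssassin. It keeps Received: IPs, the envelope-from/From: and everything else intact, replaces only the addresses in recipient headers (To:, Cc:, Bcc:, Delivered-To:, X-Original-To:), drops recipient display names, and then rewrites the same addresses and domains wherever else they occur in the message, so each original address always maps to the same well-formed replacement and distinct originals stay distinct. The sample message, the header list and the userN@redactedN.example naming scheme are assumptions.

```python
import re
from email.utils import getaddresses

# Headers whose addresses belong to the recipient and get pseudonymised.
RECIPIENT_HEADERS = {"to", "cc", "bcc", "delivered-to", "x-original-to"}

# Constructed sample message (not the thread's spample): sender domain
# bad-sender.example, two recipient domains, one folded To: header.
SAMPLE = """\
Received: from mail.bad-sender.example (mail.bad-sender.example [198.51.100.7])
\tby mx.victim.example (Postfix) with ESMTP id 4F2A9C0
From: "Mail Delivery" <postmaster@bad-sender.example>
To: Eunice Smith <eunice@victim.example>,
\tbob@other-victim.example
Subject: You have 5 Incoming messages

You have 5 Incoming messages that could not be delivered to eunice@victim.example
Retrieve Messages and reconfigure SMTP server to avoid losing important files.
"""


class Redactor:
    """Stable mapping: same input -> same output, distinct inputs -> distinct outputs."""

    def __init__(self):
        self.domains = {}  # original domain -> redactedN.example
        self.addrs = {}    # original address -> userN@redactedN.example

    def domain(self, dom):
        dom = dom.lower()
        if dom not in self.domains:
            self.domains[dom] = "redacted%d.example" % (len(self.domains) + 1)
        return self.domains[dom]

    def address(self, addr):
        addr = addr.lower()
        if addr not in self.addrs:
            _, _, dom = addr.partition("@")
            self.addrs[addr] = "user%d@%s" % (len(self.addrs) + 1, self.domain(dom))
        return self.addrs[addr]

    def apply(self, text):
        """Rewrite every known address, then every known bare domain (also as a
        hostname suffix such as mx.victim.example), longest originals first."""
        for orig, repl in sorted(self.addrs.items(), key=lambda kv: -len(kv[0])):
            text = re.sub(re.escape(orig), repl, text, flags=re.I)
        for orig, repl in sorted(self.domains.items(), key=lambda kv: -len(kv[0])):
            text = re.sub(r"(?<![\w-])" + re.escape(orig) + r"(?![\w-])", repl, text, flags=re.I)
        return text


def unfold(header_block):
    """Join RFC 5322 folded continuation lines onto their header line."""
    lines = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def redact(raw):
    head, sep, body = raw.partition("\n\n")
    red = Redactor()
    out = []
    for line in unfold(head):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in RECIPIENT_HEADERS:
            # Display names are dropped; each address gets its stable pseudonym.
            mapped = [red.address(a) for _, a in getaddresses([value]) if a]
            out.append("%s: %s" % (name, ", ".join(mapped)) if mapped else line)
        else:
            out.append(line)  # Received:, From:, Subject: etc. are left alone here
    # Second pass: the same addresses/domains may appear in Received:, Subject: or the body.
    return red.apply("\n".join(out) + sep + body)


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Check the output before posting it: the Received: IP and the sender address must survive unchanged, no fragment of the real recipient address or domain may remain, and the To: line should read as ordinary addresses at real-looking domains so rules like TO_MALFORMED are not triggered by the redaction itself.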