Scans and Invoice spam containing HREF to something bad


Scans and Invoice spam containing HREF to something bad

Andy Smith-2

Hi all,


The last week or so we are having a lot of problems with emails either with subjects like "New Approach Contractors Ltd wants to share Scan" or "Invoice INV-03056 from Encompass Environmental Ltd" which contain an HREF to see your "scan" or "invoice" at a URL ending /share or /directory respectively. These aren't detected by SpamAssassin; I have Razor and iHash configured, running on SpamAssassin 3.4.1. Even when I have Bayes learn a few examples, subsequent spams can get Bayes as low as 50%.

Example: https://pastebin.com/85v2nHkF

My question is: does anyone have any ideas/tips/rules for catching these? I've created a custom rule that checks for the subject and HREF, but every time a new variant comes out I'll have to update this. Anyone got any better solutions?


thanks in advance, Andy.



Re: Scans and Invoice spam containing HREF to something bad

Kevin A. McGrail-5
Are you using the KAM.cf ruleset?

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project

On Tue, Jun 19, 2018 at 10:39 AM, Andy Smith <[hidden email]> wrote:



Re: Scans and Invoice spam containing HREF to something bad

Andy Smith-2

Hi Kevin,


No, I wasn't. I've just added it, and I get a lot of errors like "meta test KAM_WARRANTY3 has dependency 'CBJ_GiveMeABreak' with a zero score". Is this normal?

Testing despite these errors, the only rule I'm getting a hit on from KAM is JMQ_SPF_NEUTRAL_ALL.


thanks, Andy. 

 


On 19-06-2018 16:51, Kevin A. McGrail wrote:

Re: Scans and Invoice spam containing HREF to something bad

Kevin A. McGrail-5
The warnings are OK, though make sure you have the nonKAMrules.cf as well.

I'm not seeing really any of these spamples for us and agree.  It's scoring in the 1.2 range for me.

Clearly seems to be a compromised URL, so RBLs are your likely bet, but you might be patient 0 for a new engine.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project

On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith <[hidden email]> wrote:


Re: Scans and Invoice spam containing HREF to something bad

Andy Smith-2

Hi Kevin,


I'm not really getting any joy with the RBLs. I have, for example, a sample from the 14th and, taking away my custom rule, Bayes and KAM scores, the default score would be "0" :(

Content here: https://pastebin.com/dthDn8yb


thanks, Andy.


On 19-06-2018 17:12, Kevin A. McGrail wrote:

Re: Scans and Invoice spam containing HREF to something bad

Kevin A. McGrail-5
Well, you are welcome to send me new spamples to look at. As I noted, I've never seen these variants and RBLs aren't hitting them, which ALSO means you have some new variants.

Regards,
KAM

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project

On Tue, Jun 19, 2018 at 11:20 AM, Andy Smith <[hidden email]> wrote:


Re: Scans and Invoice spam containing HREF to something bad

Andy Smith-2

This has literally just come through to me, zero BAYES and got past my custom rule as the HREF URL has changed:


https://pastebin.com/pBfhXd6B


thanks, Andy.

 


On 19-06-2018 17:33, Kevin A. McGrail wrote:

Re: Scans and Invoice spam containing HREF to something bad

Kevin A. McGrail-5
To me, it looks like a compromised network and it's whack-a-mole to list them as fast as possible.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project

On Tue, Jun 19, 2018 at 11:38 AM, Andy Smith <[hidden email]> wrote:


Re: Scans and Invoice spam containing HREF to something bad

David Jones
On 06/19/2018 10:38 AM, Andy Smith wrote:

Content analysis details:   (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 ENA_SUBJ_INVOICE       Subject contains suspicious invoice wording
 0.2 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5037]
 3.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.8 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
 2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on whitelists
 2.2 ENA_SPF_NONE           Add points for suspicious emails that don't have an SPF setup.
 0.0 ENA_BAD_SPAM           Spam hitting really bad rules.

--
David Jones

Re: Scans and Invoice spam containing HREF to something bad

David Jones
On 06/19/2018 10:38 AM, Andy Smith wrote:

Content analysis details:   (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 ENA_SUBJ_INVOICE       Subject contains suspicious invoice wording
 0.2 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5037]
 3.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.8 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
 2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on whitelists
 2.2 ENA_SPF_NONE           Add points for suspicious emails that don't have an SPF setup.
 0.0 ENA_BAD_SPAM           Spam hitting really bad rules.

I am trying to reply to this thread but these emails look so spammy that my outbound filtering is blocking them.

FYI The IVM_URI BL is catching onto these very quickly.  Good job, Rob!

--
David Jones

Re: Scans and Invoice spam containing HREF to something bad

RW-15
On Tue, 19 Jun 2018 16:39:09 +0200
Andy Smith wrote:

I think in this day and age, if an email has 'invoice' in the subject and doesn't pass either DKIM or SPF, it's worth a few points.
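A SpamAssassin rule fragment, added here as an example and not taken from any post in the thread, that turns RW's suggestion and Andy's subject/link observations into scored rules. The LOCAL_ rule names and the scores are assumptions, and it assumes the stock SPF and DKIM plugins are loaded so that SPF_PASS and DKIM_VALID_AU can fire.

```spamassassin
# Added example, not from the thread. Rule names (LOCAL_*) and scores are
# assumptions; tune them against your own ham/spam corpus before deploying.

# Subject lures quoted in the thread ("Invoice INV-... from ...",
# "... wants to share Scan"). Double-underscore rules score nothing on
# their own; they only feed the meta rules below.
header   __LOCAL_SUBJ_INVOICE   Subject =~ /\binvoice\b/i
header   __LOCAL_SUBJ_SCAN      Subject =~ /\bwants to share\b.{0,40}\bscan\b/i

# The link target Andy described: a URL whose path ends in /share or /directory.
uri      __LOCAL_URI_SHAREDIR   /^https?:\/\/[^\/\s]+\/(?:share|directory)\/?$/i

# Neither SPF nor DKIM vouches for the sender. SPF_PASS and DKIM_VALID_AU
# are stock rules from the SPF and DKIM plugins.
meta     __LOCAL_NOAUTH         !SPF_PASS && !DKIM_VALID_AU

# RW's point: an "invoice" subject with no passing SPF or DKIM is worth a few points.
meta     LOCAL_INVOICE_NOAUTH   __LOCAL_SUBJ_INVOICE && __LOCAL_NOAUTH
describe LOCAL_INVOICE_NOAUTH   Invoice subject with no passing SPF or DKIM
score    LOCAL_INVOICE_NOAUTH   2.0

# Stronger signal: the invoice/scan lure subject, the share/directory link
# from the samples, and no sender authentication, all together.
meta     LOCAL_SCAN_INVOICE_LURE (__LOCAL_SUBJ_INVOICE || __LOCAL_SUBJ_SCAN) && __LOCAL_URI_SHAREDIR && __LOCAL_NOAUTH
describe LOCAL_SCAN_INVOICE_LURE Invoice/scan lure with share or directory link and no SPF/DKIM pass
score    LOCAL_SCAN_INVOICE_LURE 3.0

# Check the file with `spamassassin --lint` after dropping it next to local.cf.
```

Legitimate senders who mail invoices without SPF or DKIM will pick up the 2.0 from LOCAL_INVOICE_NOAUTH, so watch the ham hit rate before raising that score.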

SPF PermError (was: "Re: Scans and Invoice spam containing HREF to something bad")

Chip M.
On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith <[hidden email]> wrote:
> Testing despite these errors the only rule I'm getting a hit on from KAM
> is JMQ_SPF_NEUTRAL_ALL

Andy, thanks for the very useful spamples! :)

Could somebody do a sanity check on the SPF record for
"ballybofeycarpets.com"?
I get a PermError, not SPF_NEUTRAL.
I checked using 2 different DNS servers.

Is that a bug, or an intentionally incomplete implementation?
If one skips the "a mx ptr" mechanisms, it would return Neutral.

In the first version of my own SPF code, I chose just to implement
the "ip4" and "include" mechanisms, on the theory that nobody in
their right mind would use the above three... and, of course, was
subsequently surprised at the high rate of non-right-mindedness. ;)
(I blame the abundant poor examples cut-and-pasted by cheap/bulk
webhosting companies.)


Occasionally, I see PermError with Really Big companies.
Typically, they do have a DMARC record, so should be receiving
reports, however I rarely see the problem(s) fixed.
If some SPF implementations are not returning PermError, that would
explain some of those.

*** Is there some generally accepted way to contact those companies?
Maybe their Postmaster?
Probably a lost cause, but it's frustrating seeing Broke Stuff. :(
        - "Chip"