X-Mailer: domain


by Mike Cardwell-16

Hi,

I've started seeing spam email containing an X-Mailer header which is
the domain name of the From header. Eg:

From: "Compare and Cover Life" <info@...>
X-Mailer: webguide103.com

How would I construct a spamassassin rule to check for this?

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/

Re: X-Mailer: domain

by Benny Pedersen


On Wed, July 1, 2009 01:23, Mike Cardwell wrote:
> From: "Compare and Cover Life" <info@...>
> X-Mailer: webguide103.com
> How would I construct a spamassassin rule to check for this?

impossible without a plugin, would be faster to reject sender in mta

--
xpoint


Re: X-Mailer: domain

by John Hardin

On Wed, 1 Jul 2009, Benny Pedersen wrote:

>
> On Wed, July 1, 2009 01:23, Mike Cardwell wrote:
>> From: "Compare and Cover Life" <info@...>
>> X-Mailer: webguide103.com
>> How would I construct a spamassassin rule to check for this?
>
> impossible without a plugin

...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@...    FALaholic #11174     pgpk -a jhardin@...
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Democrats '61: Ask not what your country can do for you,
    ask what you can do for your country.
   Democrats '07: Ask not what your country can do for you,
    demand it!
-----------------------------------------------------------------------
  4 days until the 233rd anniversary of the Declaration of Independence

Re: X-Mailer: domain

by Karsten Bräckelmann-2

On Wed, 2009-07-01 at 00:23 +0100, Mike Cardwell wrote:
> I've started seeing spam email containing an X-Mailer header which is
> the domain name of the From header. Eg:
>
> From: "Compare and Cover Life" <info@...>
> X-Mailer: webguide103.com

The *first* question should be, how are these scoring generally, and if
it's worth the effort. If they sneak by, there's usually a more
fundamental problem than a missing rule like this.

That said -- nice catch. :)


> How would I construct a spamassassin rule to check for this?

Using the all-magic, all-dancing pseudo ALL header [1], and a brave mix
of RE modifiers like /m and /s [2], to handle multi-line strings. :)

Something like this should do. DO NOTE that I just hacked it up in the
email, and did NOT test it. Mind the manual line wrap.

header FROM_EQ_XM  ALL =~
 /^From: [^\@]+\@(?:[^.]+\.)?([^.]+\.[^.]+)>?\$.{0,400}^X-Mailer: \1\$/msi


Now what the fuck does that do? The /m enables multi-line matching, so ^
and $ match the beginning and end of a line respectively, rather than of
the string (which would be the entire headers).

First, we identify a From header, consume all the crap before the @,
optionally also consume a host without capturing (the (?:...)? part).
The trailing example.com we do capture, followed by an optional closing
bracket and the end of the line \$. Note that this appears slightly over
complicated, but it is important -- the dot also matches \n, due to
the /s modifier.

Then match whatever header junk there is, up to an arbitrary bound of
400 chars. With an X-Mailer header following, that matches the domain we
just captured, up to the end of the header. Et voila. :)

Note that this only matches this particular order of headers, so you
might need a second (sub-)rule (meta'd together) to match the reverse.

End proof of concept. ;)

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
[2] http://perldoc.perl.org/perlre.html

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: X-Mailer: domain

by Karsten Bräckelmann-2

On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote:
> On Wed, 1 Jul 2009, Benny Pedersen wrote:

> > > From: "Compare and Cover Life" <info@...>
> > > X-Mailer: webguide103.com
> > > How would I construct a spamassassin rule to check for this?
> >
> > impossible without a plugin

Meep. Wrong!

> ...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.

Both of you. ;)

Granted, the loose look-a-like rule probably even would be worth a point
of its own -- but where's the fun in that?




Re: X-Mailer: domain

by Karsten Bräckelmann-2

> > Both of you. ;)
>
> Mea culpa. I _never_ think of header ALL rules.

See my RATWARE_OUTLOOK rule. ;)

Reminds me of an important bit I meant to add, but forgot. It's pretty
important to properly anchor matches and limit wildcard matching with
multi-line RE's -- otherwise they can easily bog down your server!


> > Granted, the loose look-a-like rule probably even would be worth a point
> > of its own -- but where's the fun in that?

This one of course would be cheap.




Re: X-Mailer: domain

by Charles Gregory

On Wed, 1 Jul 2009, Karsten Bräckelmann wrote:
> header FROM_EQ_XM  ALL =~
> /^From: [^\@]+\@(?:[^.]+\.)?([^.]+\.[^.]+)>?\$.{0,400}^X-Mailer: \1\$/msi

Firstly, my thanks. This syntax provides the functionality I was asking
for in another thread where I wanted to capture things like the appearance
of the recipients e-mail address on the subject line, or cases where the
from and to headers are identical.

I haven't tried a rule containing '\$', but I'm surprised that your usage
seems to contradict the standard rule of escaping special characters to
have them appear literally in an RE. I would guess that this is to keep
Perl from treating the '$' as the indicator of a variable substitution.
Does Perl permit this syntax because of the /m modifier? What if I want a
literal $ in my RE? :)

Anyways, thanks again for this neat tool. Now all I need is a way to
detect the 'To' address being used at the top of the message body (as in,
"dear blah@wherever").....

- C

Re: X-Mailer: domain

by Karsten Bräckelmann-2

On Wed, 2009-07-01 at 08:01 -0400, Charles Gregory wrote:
> On Wed, 1 Jul 2009, Karsten Bräckelmann wrote:
> > header FROM_EQ_XM  ALL =~
> > /^From: [^\@]+\@(?:[^.]+\.)?([^.]+\.[^.]+)>?\$.{0,400}^X-Mailer: \1\$/msi
>
> Firstly, my thanks. This syntax provides the functionality I was asking
> for in another thread where I wanted to capture things like the appearance
> of the recipients e-mail address on the subject line, or cases where the
> from and to headers are identical.

You're welcome, glad to see it being useful for more than this original
question.

(BTW, I once at least briefly outlined that To EQ From is possible in a
plain header rule, back when this was a recurring topic.)


> I haven't tried a rule containing '\$', but I'm surprised that your usage
> seems to contradict the standard rule of escaping special characters to
> have them appear literally in an RE. I would guess that this is to keep
> Perl from treating the '$' as the indicator of a variable substitution.
> Does Perl permit this syntax because of the /m modifier? What if I want a
> literal $ in my RE? :)

You snipped the part where I claimed the rule to be untested. ;)

You are correct, both \$ should actually not be escaped here. When I
wrote that, I was looking at a multi-line rule that actually matches a
literal $, thus it is escaped...

Also, I wrongly escaped the @. Actually, that should be mixed [^@]+\@,
not escaped in the char class, escaped outside. Or so I guess. Please
try for yourself. I did mention it's a proof-of-concept I did not run,
right? ;)


> Anyways, thanks again for this neat tool. Now all I need is a way to
> detect the 'To' address being used at the top of the message body (as in,
> "dear blah@wherever").....

Be careful with 'full' rules. You'd better paranoidly anchor your RE and
strictly limit matching, never using unbound quantifiers. A header and
body combining rule will be really hard anyway, if safely possible at
all. I *strongly* suggest a plugin for this purpose.

  guenther


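As an added illustration (not code from this thread or from SpamAssassin), the FROM_EQ_XM expression with the corrections from the post above applied (unescaped `$` anchors, `[^@]+@`), together with the reverse-order sub-rule the earlier post says you would meta together with it and John Hardin's loose X-Mailer-looks-like-a-domain variant, exercised with Python's `re` module, whose MULTILINE/DOTALL/IGNORECASE flags correspond to Perl's /m, /s and /i. The header blocks, the function names and the over-400-character case are constructed for the example.

```python
import re

# Perl's /m, /s and /i correspond to Python's MULTILINE, DOTALL, IGNORECASE.
FLAGS = re.MULTILINE | re.DOTALL | re.IGNORECASE

# Corrected body of the thread's FROM_EQ_XM rule: both '$' are line anchors
# (so not escaped) and '@' needs no backslash inside a character class.
# The .{0,400} bound is what keeps the multi-line scan from bogging down.
FROM_THEN_XMAILER = re.compile(
    r"^From: [^@]+@(?:[^.]+\.)?([^.]+\.[^.]+)>?$.{0,400}^X-Mailer: \1$", FLAGS)

# The reverse header order, i.e. the second sub-rule to meta together with
# the first one (constructed here, not from the thread).
XMAILER_THEN_FROM = re.compile(
    r"^X-Mailer: ([^.]+\.[^.]+)$.{0,400}^From: [^@]+@(?:[^.]+\.)?\1>?$", FLAGS)

# The loose variant: an X-Mailer value that merely looks like a host name.
XMAILER_LOOKS_LIKE_DOMAIN = re.compile(
    r"^X-Mailer: [a-z0-9-]+(?:\.[a-z0-9-]+)+[ \t]*$", re.MULTILINE | re.IGNORECASE)


def from_eq_xmailer(headers: str) -> bool:
    """True when the From domain reappears as the X-Mailer value, either order."""
    return bool(FROM_THEN_XMAILER.search(headers) or XMAILER_THEN_FROM.search(headers))


def xmailer_looks_like_domain(headers: str) -> bool:
    """True when X-Mailer looks like a domain, whatever the From header says."""
    return bool(XMAILER_LOOKS_LIKE_DOMAIN.search(headers))


# Constructed header blocks modelled on the thread's example; not real mail.
SPAM = ('From: "Compare and Cover Life" <info@webguide103.com>\n'
        "To: someone@example.net\n"
        "Subject: Compare life cover\n"
        "X-Mailer: webguide103.com\n")
SPAM_REVERSED = ("X-Mailer: webguide103.com\n"
                 "Subject: Compare life cover\n"
                 'From: "Compare and Cover Life" <info@mail.webguide103.com>\n')
HAM = ("From: Alice <alice@example.org>\n"
       "To: bob@example.net\n"
       "X-Mailer: Evolution 2.26.1\n")
HAM_OTHER_DOMAIN = ("From: Alice <alice@example.org>\n"
                    "X-Mailer: example.com\n")
# More than 400 characters between the two headers: the bound refuses it,
# which is the cost of limiting how far the wildcard may run.
SPAM_FAR_APART = ('From: "Compare and Cover Life" <info@webguide103.com>\n'
                  "X-Filler: " + "x" * 500 + "\n"
                  "X-Mailer: webguide103.com\n")
```

The loose rule fires on HAM_OTHER_DOMAIN as well, which is why the thread treats it as worth only a point of its own rather than a replacement for the backreference rule.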


Re: X-Mailer: domain

by Charles Gregory

On Wed, 1 Jul 2009, Karsten Bräckelmann wrote:
> Be careful with 'full' rules. You'd better paranoidly anchor your RE and
> strictly limit matching....

(nod) This is why my original question was about using the 'capture'
function. What I WANT to use for a ruleset is something like:

header LOC_FROM From =~ /[^<]*<([^>]+)(?^N $LOCVAR_FROM=\1)>/
rawbody LOC_BODYTOP /^[^a-z](Dear|Hello|Hi),? $LOCVAR_FROM/

But Spamassassin says that eval (in the first rule) is disabled.....

But that is a mechanism I would love to use, rather than the longer
syntax that you've shown. It allows for simple multiple tests,
for the from address in To, Subject, top of body, etc, without re-scanning
the header for the From line each time....

> I *strongly* suggest a plugin for this purpose.

My suggestion hinges on *one* important question:
Do the rules in the user .cf files get processed IN ORDER?
Or does spamassassin perform some sort of optimization that combines
different rules into one 'scan'? If the former, then capturing a variable
value in one rule to be used in subsequent rules would work easily, just
by enabling those 'eval's. But if the latter, then your /msi code is the
only way to do what I want. :)

- Charles