OT - has my email domain been hijacked?

Craig White craigwhite at azapple.com
Thu Sep 15 01:12:04 UTC 2005


On Wed, 2005-09-14 at 16:43 -0700, jdow wrote:
> From: <kevin.kempter at dataintellect.com>
> > On Wednesday 14 September 2005 14:16, jdow wrote:
> >> Kevin, it's called a "Joe Job". It is exceptionally common. Headers in
> >> email are pathetically easy to forge as far as the ones that existed
> >> while the email was still on the sender's machines. Often if you trace
> >> the received headers you find "discontinuities" in the chain if the
> >> spammer bothered to forge them anymore. This is one of the things that
> >> automated tools like SpamAssassin have gotten pretty good at finding.
> >> The spammers are into cleverer tricks these days. Spammers still use
> >> the "Joe Job", the forged sender, most of the time. I use it as one of
> >> my customized SpamAssassin rules, as a matter of fact. It's part of a
> >> set of rules and meta rules that can work on my addresses.
> ... lots deleted
> >
> > Thanks for the info.
> >
> > Can you send me info on what a spam assassin filter to catch these will
> > need to look like?
> 
> May I suggest several things.
> 
> 1) Join the spamassassin users list. http://www.spamassassin.org will
>    get you there even though it is an Apache project now.
> 2) Visit the SpamAssassin Rules Emporium, SARE, and look over the
>    various rule sets. http://www.rulesemporium.com/
> 3) Visit the admittedly iffy SpamAssassin wiki. (Pointer on their
>    main page.)
> 4) Brush up on your perl regular expressions and read the wiki entry
>    on making your own rules.
> 5) Do *NOT* run anything other than 2.64 or 3.04. Earlier versions of
>    either string are either trash or subject to DoS attacks. 3.04 seems
>    to be reasonably stable. (It has a perl based problem with per user
>    rules (not per user scores) if the rules require a perl eval be run.)
>    2.64 is also stable. But it's getting old.
> // Joanne's general rules for a SMALL SpamAssassin server.
> 6) Do NOT use auto-<anything>. Turn off auto-learn. Turn off auto-
>    whitelist. They cause problems with the default settings. If you must
>    use them set the trigger scores farther apart in both directions.
> 7) Permit at least per user Bayes. Per user scores are good as well.
>    Some people consider the darndest things to be ham or spam. One
>    person's gold is another person's cow manure. Per user rules are
>    nicer yet, IFF your users are smart enough to do it right. (Loren
>    and I are. Erm, he is one of the SARE ninjas.)
> 8) As noted visit SARE and setup to use as many rule sets as seem safe
>    for your needs. (I use about 42 of them.) It saves ME having to look
>    at a new series of spam using a new trick to find a common identifying
>    feature around which a good rule can be made.
> 9) Set the BAYES_99 rule up to about 5 points once your Bayes is well
>    trained. Here it hits over 50% of all spam and 0.000% of ham. If it
>    hits I figure it is a VERY small chance it's messed up. It took a
>    year to get there.
> 10) Turn off auto-Bayes everything. Since you are not training Bayes on
>     almost every message there is no need to expire it periodically
>     either. I've never expired mine. And I find I need to train with
>     one or two low scoring spams every few days.
>     a) Setup an IMAP server on your machine that is NOT outside accessible,
>        of course. Create IMAP folders for spam and ham for each user.
>        Have the users slide samples of good ham and definite spam into
>        their respective folders. Use a cron job to train on these.
>     b) I grab ham samples from various mail sorts in my OE setup. I use
>        POP3 for grabbing mail and a separate IMAP "account" the ham and
>        spam. I am particular about copying most escaped spam to the spam
>        folder. (Some has so little identifying virtue to them I shrug
>        and let them go away. Although even the geocities.co.uk url only
>        spams are worth Bayes training.) I also look at the lowest scoring
>        spam messages and see if their Bayes score is abnormally low. If
>        it is and there's training meat present I toss them into the
>        spam training folder.
> 11) That brings us to another good idea, NEVER simply delete spam. Check
>     to see if it is a bozo friend sending you a peculiarly formatted
>     chunk of ham or if it is a customer trying to reach you from AOL.
>     (Well, same thing, really. But...) I tell spamassassin to encapsulate
>     spam in a mime layer and add something like **** SPAM **** 024.5 **
>     to the subject line. Then subject lines with **** SPAM **** in them
>     get tossed into an OE spam folder. I can sort by score nicely. And
>     that makes getting the low scores nice.
> 12) The man spamassassin page is not quite worthless if you want to do
>     something peculiar.  "man Mail::SpamAssassin" is better if you want
>     details.
> 13) You MUST have a trusted mail server somewhere in your chain. It may
>     simply be your own or it may be your ISPs if you use fetchmail as I
>     do. Trusted in this context *ONLY* means that the server can be
>     trusted far enough to NOT forge any addresses itself. So that is the
>     place the DNS based rules can start from.
> 14) SURBL (Jeff) and URIBL (Chris) are good guys. Watch the scores on
>     other BLs you may use. Some are overly enthusiastic and catch some
>     rather significant chunks of ham in their nets. I generally make sure
>     they score LOW.
> 15) About the only useful "SPF" is a message that violates an existing
>     SPF record. I give that a slight score.
> 16) The various "habeas" sort of things are not generally worth anything.
>     The mad Russian sometimes forges them just for the grins and giggles
>     of it. (He is also a very smart critter who plays manipulative tricks
>     with his DNS servers that are beyond most people. It took me quite
>     awhile of patient explanation to understand one of them.)
> 17) <well, that's enough for now. Just how dedicated to this do you want
>     to be. If you're normal, which I'm not, I've gone past reality for
>     you already. {^_-} But I will note that I had zero real ham marked
>     as spam so far today and zero escaped spam. I did have two messages
>     that were ham marked as spam because they contained very VERY spammy
>     bodies. A correspondent and I were discussing the mad Russian's tricks.
>     And I don't have him whitelisted yet. I've been lazy and remiss. I
>     pay for it with extra work recovering his emails from my spam folder.>
----
Of course this has nothing to do with his issue of being Joe Jobbed, but
is entertaining nevertheless.

Craig
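What jdow's numbered advice looks like when written down as a SpamAssassin 3.0.x local.cf, together with a plain header-plus-meta rule of the kind jdow mentions for catching a forged sender in your own domain. This is an added example for this archive page, not jdow's, Craig's or Kevin's own configuration; example.com, mail.example.com and 192.0.2.10 are placeholders for your own domain, your trusted relay and its address, and the LOCAL_ rule names are made up here.

```conf
# Added example local.cf (SpamAssassin 3.0.x syntax), not from the thread.
# example.com, mail.example.com and 192.0.2.10 are placeholders.

# (6, 10) No auto-anything: Bayes is trained only from the hand-sorted
# IMAP folders with sa-learn, so auto-learn, the auto-whitelist and
# automatic expiry are all switched off.
use_bayes               1
bayes_auto_learn        0
bayes_auto_expire       0
use_auto_whitelist      0

# (9) Once Bayes is well trained, let a 99% Bayes verdict carry real weight.
score BAYES_99          5.0

# (11) Never discard spam silently: wrap it in a MIME layer and tag the
# subject with a zero-padded score, so a mail client can sort the spam
# folder by score and the low-scoring misses are easy to find for training.
report_safe             1
rewrite_header Subject  **** SPAM **** _SCORE(00)_ **

# (13) The DNS-based and Received-chain tests need a starting point that is
# known not to forge headers: your own relay (or your ISP's, if you
# fetchmail from there).
trusted_networks        192.0.2.10

# (15) Only an actual SPF violation is worth anything, and then only a little.
score SPF_FAIL          1.0
score SPF_HELO_FAIL     0.5

# Joe Job detection: mail whose From address claims our domain but which
# never passed through our own relay.  Sub-rules prefixed with "__" carry
# no score of their own and exist only to feed the meta rule.
header   __LOCAL_FROM_OUR_DOMAIN  From:addr =~ /\@example\.com$/i
header   __LOCAL_RCVD_OUR_RELAY   Received =~ /\bfrom mail\.example\.com\b/i

meta     LOCAL_JOE_JOB            __LOCAL_FROM_OUR_DOMAIN && !__LOCAL_RCVD_OUR_RELAY
describe LOCAL_JOE_JOB            Sender claims our domain but did not pass our relay
score    LOCAL_JOE_JOB            3.0

# A user who legitimately sends from elsewhere (a webmail account, a
# mailing list) with an example.com address will trip LOCAL_JOE_JOB, so
# keep its score moderate and exempt known cases by sending host.
whitelist_from_rcvd     alice@example.com  mail.isp.example
```

The Joe Job meta rule is only as good as the Received-header test that backs it: it works because every genuine outbound message from example.com carries a Received line naming mail.example.com, which is exactly why item 13 insists on one trusted relay in the chain. Treat its score as one signal among the others rather than a verdict on its own, and review what it hits for the first few weeks, the same way jdow describes watching the low-scoring spam and the ham that lands in the spam folder.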
