Discussion:
SPAM problems : reject by X-Mailer?
Rory Campbell-Lange
2004-01-12 11:09:30 UTC
I am using exim4 and exiscan.

I have seen a large increase in emails with subjects like "annoy idea
handsome" and bodies such as "peace euphorbia lillian scout b centerline
cleat scapular citron pacify centigrade icicle eh imperate cupid
fireplace gentlemen cocaine". Presumably the sender is trying to
generate a response?

Many of these spam senders have the following X-Mailer listed:
X-Mailer: mPOP Web-Mail 2.19

Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?

Thanks,
Rory

--
Rory Campbell-Lange
<***@campbell-lange.net>
<www.campbell-lange.net>

--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
Alan J. Flavell
2004-01-12 12:46:09 UTC
Post by Rory Campbell-Lange
I have seen a large increase in emails with subjects like "annoy idea
handsome" and bodies such as "peace euphorbia lillian scout b centerline
cleat scapular citron pacify centigrade icicle eh imperate cupid
fireplace gentlemen cocaine". Presumably the sender is trying to
generate a response?
At the core of these messages is a spam link:

<a href="..."><img border="0" src="..."></a>

Presumably the sender is trying to obfuscate the message sufficiently
to get past content-recognition filters.
Post by Rory Campbell-Lange
X-Mailer: mPOP Web-Mail 2.19
So they do: if I try that on the contents of my spam-bucket, I get
quite a number of matches since mid-December, although I also got
several which didn't have that particular X-Mailer.

I don't see any matches for that X-Mailer in my own personal good
mail, though I can't speak for all of our users...

However, all of the samples that I've got in my spam-bucket have been
forwarded from my account at another site, which suggests that if any
of them are being offered to us directly then we're rejecting them on
other grounds (probably DNSRBLed MTA IPs). Some of them can also be
rejected by callbacks on their faked envelope sender addresses (pace
the usual critics of that procedure).

Looking at the matches that I got, I'd say about half of them have so
low a spamassassin score (<4) that no reasonable amount of boost on
the X-Mailer alone would take them up to our rejection level (>8).
The other half had scored around 7, and an extra point or so for the
X-Mailer would have taken them over the limit.
Post by Rory Campbell-Lange
Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?
It might be worth some points in the spam-rating, but it would be
premature to use it as a basis for outright rejection, I feel. Based
on the arguments I present above, I'd say there are more effective
ways of keeping these at bay (but those ways are weakened when the
mail has been accepted by some forwarding MTA).

cheers

Glenn Carver
2004-01-13 12:15:31 UTC
I've also been getting a lot of spam mail like this, which gets past
spamassassin.

I've since started using DCC (http://www.dcc-servers.net/dcc/) as a
second pass after spamassassin and it's been successful at getting
rid of these spam messages. Not a particularly lightweight piece of
software but with DNSBL, spamassassin and DCC, our spam intake is
now virtually zero.

I would caution against blocking on a Mailer.

Cheers,
Glenn
Post by Alan J. Flavell
Post by Rory Campbell-Lange
I have seen a large increase in emails with subjects like "annoy idea
handsome" and bodies such as "peace euphorbia lillian scout b centerline
cleat scapular citron pacify centigrade icicle eh imperate cupid
fireplace gentlemen cocaine". Presumably the sender is trying to
generate a response?
<a href="..."><img border="0" src="..."></a>
Presumably the sender is trying to obfuscate the message sufficiently
to get past content-recognition filters.
Post by Rory Campbell-Lange
X-Mailer: mPOP Web-Mail 2.19
So they do: if I try that on the contents of my spam-bucket, I get
quite a number of matches since mid-December, although I also got
several which didn't have that particular X-Mailer.
I don't see any matches for that X-Mailer in my own personal good
mail, though I can't speak for all of our users...
However, all of the samples that I've got in my spam-bucket have been
forwarded from my account at another site, which suggests that if any
of them are being offered to us directly then we're rejecting them on
other grounds (probably DNSRBLed MTA IPs). Some of them can also be
rejected by callbacks on their faked envelope sender addresses (pace
the usual critics of that procedure).
Looking at the matches that I got, I'd say about half of them have so
low a spamassassin score (<4) that no reasonable amount of boost on
the X-Mailer alone would take them up to our rejection level (>8).
The other half had scored around 7, and an extra point or so for the
X-Mailer would have taken them over the limit.
Post by Rory Campbell-Lange
Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?
It might be worth some points in the spam-rating, but it would be
premature to use it as a basis for outright rejection, I feel. Based
on the arguments I present above, I'd say there are more effective
ways of keeping these at bay (but those ways are weakened when the
mail has been accepted by some forwarding MTA).
cheers
Rory Campbell-Lange
2004-01-13 12:43:20 UTC
Hi Glenn, thanks for the info.

How do you integrate dcc into exim? Can it play with exiscan?

Thanks,
Rory
Post by Glenn Carver
I've also been getting a lot of spam mail like this, which gets past
spamassassin.
I've since started using DCC (http://www.dcc-servers.net/dcc/) as a
second pass after spamassassin and it's been successful at getting
rid of these spam messages. Not a particularly lightweight piece of
software but with DNSBL, spamassassin and DCC, our spam intake is
now virtually zero.
I would caution against blocking on a Mailer.
--
Rory Campbell-Lange
<***@campbell-lange.net>
<www.campbell-lange.net>

Chris Edwards
2004-01-13 13:04:48 UTC
|
| How do you integrate dcc into exim? Can it play with exiscan?
|

In effect, "yes" - SpamAssassin supports dcc.


--
Chris Edwards, Glasgow University Computing Service

Glenn Carver
2004-01-13 13:09:49 UTC
Post by Rory Campbell-Lange
Hi Glenn, thanks for the info.
How do you integrate dcc into exim? Can it play with exiscan?
I don't use exiscan myself so I'm not sure.

I tried configuring spamassassin to use DCC first, which you are
supposed to be able to do, but it wasn't very reliable. For reasons I
couldn't track down, sometimes SA would manage to talk to the DCC
servers but most of the time it wouldn't. It seemed to be a problem
of spamd talking the right way to dccproc.

In the end I added another router to exim so that it first routes
through SA, then it routes through DCC, which works every time. This
means each message might go through exim 3 times if it's checking for
spam but I have a whitelist set up so that only senders I don't trust
go through SA and DCC. The messages are scored by SA and DCC and
then my exim filter file decides whether to reject them or not.

One slight headache is that DCC needs its own whitelists and if
you're running SA which also might need whitelists this is a lot of
maintenance. So I've added whitelisting at the router stage of exim
so that SA & DCC only run if senders don't match. This isn't perfect
as I'd like to check sending host rather than sender address but I've
not figured out how to do that yet in the router!

If you were using SA within exiscan then that would remove one pass
through exim.

I can send you the config/filter file details if you're interested.

Glenn


p.s. I only get the exim-users digest, so apologies if my reply was delayed.
Post by Rory Campbell-Lange
Thanks,
Rory
Post by Glenn Carver
I've also been getting a lot of spam mail like this, which gets past
spamassassin.
I've since started using DCC (http://www.dcc-servers.net/dcc/) as a
second pass after spamassassin and it's been successful at getting
rid of these spam messages. Not a particularly lightweight piece of
software but with DNSBL, spamassassin and DCC, our spam intake is
now virtually zero.
I would caution against blocking on a Mailer.
--
Rory Campbell-Lange
<www.campbell-lange.net>
Odhiambo G. Washington
2004-01-13 13:50:41 UTC
Post by Rory Campbell-Lange
Hi Glenn, thanks for the info.
How do you integrate dcc into exim? Can it play with exiscan?
Spamassassin will use DCC if it finds it installed.
So if you are willing and have the resources for the network queries, you
simply install DCC the right way and SA will use it.


cheers
- wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
<wash at wananchi dot com> . 1ere Etage, Loita Hse, Loita St., |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
--from a /. post
Kevin Reed
2004-01-13 15:26:52 UTC
For what it is worth...

warn log_message = MPOPWEBMAIL $sender_host_address
message = MPOP Webmail Spam Header Detected.\n \
If you have questions please contact postmaster@$qualify_domain
condition = ${if match {$header_x-mailer:}{mPOP Web-Mail 2.19}{yes}{no}}
condition = ${if match {$header_x-originating-ip:}{IP\]}{yes}{no}}

I've been tracking this for several days now and after 4 days, have seen
no false positives with this but a ton of catches...

Each of the spams that had the mPOP Web-Mail 2.19 in the X-Mailer header,
also has an X-Originating-IP: [{something}IP] in them too. Note the IP at
the end is the letters IP.

You could turn this into a deny or make a special header to trap on or
make an SA rule out of it instead.

I've had a ton of this pointed at the postmaster account ... but it no
longer gets there ...

I'm using a deny on my own servers and a SA rule catch on my large work
servers.

Happy hunting...

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums

Jethro R Binks
2004-01-13 16:10:06 UTC
Post by Kevin Reed
warn log_message = MPOPWEBMAIL $sender_host_address
message = MPOP Webmail Spam Header Detected.\n \
condition = ${if match {$header_x-mailer:}{mPOP Web-Mail 2.19}{yes}{no}}
condition = ${if match {$header_x-originating-ip:}{IP\]}{yes}{no}}
I've been tracking this for several days now and after 4 days, have seen
no false positives with this but a ton of catches...
Each of the spams that had the mPOP Web-Mail 2.19 in the X-Mailer header,
also has an X-Originating-IP: [{something}IP] in them too. Note the IP at
the end is the letters IP.
I have an example of one that doesn't have that pattern in the
X-Originating-IP: header, but nevertheless, I think this is a good call,
and am using it as the basis of an SA rule.

Received: from dhcp024-160-219-069.ma.rr.com ([24.160.219.69]:4032)
by kojak.cc.strath.ac.uk with smtp (Exim 4.22 #2)
id 1AgN8Z-000FpA-7S
for <***@strath.ac.uk>; Tue, 13 Jan 2004 11:55:11 +0000
Received: from [24.160.219.69] by 248.24.226.220 with HTTP;
Mon, 12 Jan 2004 21:50:33 -0200
From: "Peters Hazel" <***@el-nacional.com >
To: ***@strath.ac.uk
Subject: Re: QA, stirring her heart
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [169.248.197.108]
Date: Tue, 13 Jan 2004 00:55:33 +0100
Reply-To: "Hazel Peters" <***@el-nacional.com >
[...]

Jethro.
Post by Kevin Reed
You could turn this into a deny or make a special header to trap on or
make an SA rule out of it instead.
I've had a ton of this pointed at the postmaster account ... but it no
longer gets there ...
I'm using a deny on my own servers and a SA rule catch on my large work
servers.
Happy hunting...
--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

Avleen Vig
2004-01-12 11:37:51 UTC
Post by Rory Campbell-Lange
X-Mailer: mPOP Web-Mail 2.19
I've seen a lot of these too. The answer I believe is "yes you can".

deny message = "You are a spammer. Please 2 b going away now."
condition = ${if match {$header_x-mailer:}{mPOP Web-Mail 2.19}}

I think that should work. Someone will have to check it though.
I've seen a ton of mail from this x-mailer too.

Dr Andrew C Aitchison
2004-01-12 14:27:38 UTC
Post by Rory Campbell-Lange
I am using exim4 and exiscan.
I have seen a large increase in emails with subjects like "annoy idea
handsome" and bodies such as "peace euphorbia lillian scout b centerline
cleat scapular citron pacify centigrade icicle eh imperate cupid
fireplace gentlemen cocaine". Presumably the sender is trying to
generate a response?
X-Mailer: mPOP Web-Mail 2.19
Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?
Looking through my archived mail folders, I have 16 messages from
***@securityfocus.com
with that signature. On a brief inspection these aren't spam.
The other 95 messages I have with that signature have been marked
as spam, either by spam-assassin or by me.

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
***@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna

Jethro R Binks
2004-01-12 14:40:33 UTC
[...]
Post by Dr Andrew C Aitchison
Post by Rory Campbell-Lange
X-Mailer: mPOP Web-Mail 2.19
Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?
Looking through my archived mail folders, I have 16 messages from
with that signature. On a brief inspection these aren't spam.
The other 95 messages I have with that signature have been marked
as spam, either by spam-assassin or by me.
I'd agree with this assessment, and that of others, from my own
observations of this one over recent weeks (I have my mail client display
X-Mailer: headers by default). It seems that currently, this X-Mailer
header is fairly indicative of spam, but not exclusively so. Probably
adding some points in SpamAssassin is the way to go - it might help a bit.

Another way I check 'suspicious' X-Mailer: headers is to simply do a
google search on "X-Mailer: whatever". You'll often soon find if it is
likely to appear in a legit message, or of course if it has been discussed
before in spam-discussion environments.

I have other lists of X-Mailer headers that are definitely either bogus or
greatly suspicious/known spamware. I currently have Exim reject on seeing
these in the DATA acl; however there have been false positives from time
to time so I've commented one or two out of the list again when these have
been mentioned. I occasionally come across other lists - the one I use
(which probably came from a comment on this list originally) is probably
fairly conservative.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

Rory Campbell-Lange
2004-01-13 12:47:54 UTC
So NOT a good idea to block against this Mailer, then. I've gone with
adding 2 points to the spam score of mail coming through with this
Mailer.

Thanks for the note, Andrew.

Rory
Post by Dr Andrew C Aitchison
Post by Rory Campbell-Lange
X-Mailer: mPOP Web-Mail 2.19
Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?
Looking through my archived mail folders, I have 16 messages from
with that signature. On a brief inspection these aren't spam.
The other 95 messages I have with that signature have been marked
as spam, either by spam-assassin or by me.
--
Rory Campbell-Lange
<***@campbell-lange.net>
<www.campbell-lange.net>

Steve Lamb
2004-01-13 16:59:14 UTC
Post by Rory Campbell-Lange
So NOT a good idea to block against this Mailer, then. I've gone with
adding 2 points to the spam score of mail coming through with this
Mailer.
Quite so. Remember that for a while TheBat! was spoofed as a spam
client. For about 2 years anyone blocking just on X-Mailer would have nailed
me and about 3 dozen other people I conversed with on a regular basis.
X-Mailer is a program generated line and is inherently untrustworthy.
Blocking on untrustworthy data is a bad idea. Scoring on it is a much better
route.

--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
Vincent Lefevre
2004-01-13 20:55:37 UTC
Quite so. Remember that for a while TheBat! was spoofed as a
spam client. For about 2 years anyone blocking just on X-Mailer
would have nailed me and about 3 dozen other people I conversed with
on a regular basis. X-Mailer is a program generated line and is
inherently untrustworthy.
What about mPOP Web-Mail? Does anyone know if it is spoofed or is it a
web-mail server that is often misconfigured or some software that makes
sending spam easy or something else?

BTW, I found some "spam by mail client" stats with Google:
http://www.visi.com/~drow/spam/ (but perhaps not up-to-date).
But I couldn't find any official web page for this mailer.
Blocking on untrustworthy data is a bad idea. Scoring on it is a
much better route.
For the moment, I reject this if both X-Mailer contains "mPOP Web-Mail"
and there is a "Content-Type: multipart/alternative" header. People
should use text/plain anyway. :)

--
Vincent Lefèvre <***@vinc17.org> - Web: <http://www.vinc17.org/> - 100%
validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International
des Jeux Mathématiques et Logiques, TETRHEX, etc.
Work: CR INRIA - computer arithmetic / SPACES project at LORIA

Bradford Carpenter
2004-01-12 17:32:22 UTC
On 2004-01-12 03:09:30 -0800 Rory Campbell-Lange
Post by Rory Campbell-Lange
I am using exim4 and exiscan.
I have seen a large increase in emails with subjects like "annoy idea
handsome" and bodies such as "peace euphorbia lillian scout b
centerline
cleat scapular citron pacify centigrade icicle eh imperate cupid
fireplace gentlemen cocaine". Presumably the sender is trying to
generate a response?
X-Mailer: mPOP Web-Mail 2.19
Is it possible to generate an SMTP-time rejection of a message based
on its X-Mailer? Is this sensible?
I've been getting many of these messages recently as well. Hadn't
noticed the X-Mailer.

These mails have a few other distinctive features as well. One is the
structure of the subject line:

Subject: Re: QCQCWLZ, the procurator began
Subject: Re: RPJBIMP, i don't even
Subject: Re: IFOYTBHE, throwing a wave
Subject: Re: NMRFNK, dressinggown a completely
Subject: Re: WXMQDEQ, of haze before
Subject: Re: UTSPZNR, asphalt path under

or occasionally

Subject: Re: %RND_UC_CHAR[2-8], then the slain

You could add a condition like

condition = ${if or{ \
  {match{$header_subject:}{\N(?s)[Rr][Ee]\:\s*([A-Z]{2,8})\,(\s+[a-z]+){3}\N}} \
  {match{$header_subject:}{\N^(?s).*\%RND_UC_CHAR\N}} \
  } {yes} {no}}

to your deny block in addition to your X-Mailer check to increase
confidence that you're actually rejecting spam. Or add something
similar to SpamAssassin if you're going that route.

Also these multipart mails contain a plain text part that contains
only a list of random words. Haven't come up with a reasonable test
for this yet, but Tom Kistner, the author of exiscan, is apparently
working on an acl_smtp_mime addition that will make this easier.

Best Regards,
Brad

Miham KEREKES
2004-01-12 17:43:09 UTC
Post by Bradford Carpenter
These mails have a few other distinctive features as well. One is the
[ C U T O U T S O M E T E X T ]
Post by Bradford Carpenter
Subject: Re: RPJBIMP, i
don't even
[ C U T O U T S O M E T E X T ]
Post by Bradford Carpenter
You could add a condition like
condition = ${if or{ \
{match{$header_subject:}{\N(?s)[Rr][Ee]\:\s*([A-Z]{2,8})\,(\s+[a-z]+){3}\N}} \
^^^^^^
Missing the ' (look at above, "i don't even")
Post by Bradford Carpenter
{match{$header_subject:}{\N^(?s).*\%RND_UC_CHAR\N}} \
} {yes} {no}}
Otherwise, seems to be ok to me. :-)

Miham.
--
*************************************************************
* Miham KEREKES * Szegedi Tudományegyetem Egyetemi Könyvtár *
*****************[ ***@bibl.u-szeged.hu ]******************
* Aki mindig a sátor tetején van, annak a sátoraljaújhely.. *

Dennis Davis
2004-01-13 13:15:59 UTC
Subject: Re: [Exim] SPAM problems : reject by X-Mailer?
Date: Tue, 13 Jan 2004 13:04:48 +0000 (GMT)
|
| How do you integrate dcc into exim? Can it play with exiscan?
|
In effect, "yes" - SpamAssassin supports dcc.
I suspect this is the way most people use dcc. However:

http://www.rhyolite.com/anti-spam/dcc/FAQ.html#exim

also points to:

http://www.rhyolite.com/pipermail/dcc/2002/000203.html

and:

http://www.rhyolite.com/pipermail/dcc/2002/000254.html

for what looks like stand-alone use.

Chris Edwards
2004-01-13 14:12:17 UTC
| http://www.rhyolite.com/anti-spam/dcc/FAQ.html#exim
|
| also points to:
|
| http://www.rhyolite.com/pipermail/dcc/2002/000203.html
|
| and:
|
| http://www.rhyolite.com/pipermail/dcc/2002/000254.html
|
| for what looks like stand-alone use.

Right - that's delivering it to a pipe or transport filter. Fine - if
you're happy to accept the spam in the first place.

OTOH, exiscan+SpamAssassin lets you reject during the dialog.

As has been referred to in another message, with DCC you are _supposed_ to
whitelist all your mailing lists. IF you do this, THEN it is safe to
blackhole stuff. However, as I understand it, many folk are too lazy to
do this, and cheat by calling DCC from SpamAssassin to award points
instead. With this approach you need some way to handle false positives,
which means either tagging, or, rejecting during the dialog.

--
Chris Edwards, Glasgow University Computing Service
