Koozali.org: home of the SME Server

Foreign Email - Spam / Virus

Olsen

Foreign Email - Spam / Virus
« on: May 17, 2005, 01:54:40 AM »
Over the weekend, our company has had a FLOOD of emails coming in from German senders with subjects that are in German.  The email is most typically virus related because all the email contains is a hyperlink to a site.  We are getting HUNDREDS of these emails.  

We reside in the USA, how can I block emails that have subject lines in German, or any other foreign languages?  

Currently, I am running ClamAV, SpamAssassin, mailfront mailrules, and RBL.  

I don't know how I can filter these emails because there are no attachments, and I don't know if there is any filter that can distinguish whether the content is in English or not.....

HELP?????

CharlieBrady
Re: Foreign Email - Spam / Virus
« Reply #1 on: May 17, 2005, 02:29:23 AM »
Quote from: "Olsen"
Over the weekend, our company has had a FLOOD of emails coming in from German senders with subjects that are in German.  The email is most typically virus related because all the email contains is a hyperlink to a site.  We are getting HUNDREDS of these emails.


As is everyone else in the world.

Read more here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU

funkusmunkus
Foreign Email - Spam / Virus
« Reply #2 on: May 17, 2005, 07:48:56 AM »
Apparently you could place http://weblog.erenkrantz.com/~jerenk/german_spam.cf
in /usr/share/spamassassin
and that should stop the new Sober emails.

worth a try

hope that helps
cheers
.........

CKConsulting

Foreign Email - Spam / Virus
« Reply #3 on: May 18, 2005, 02:46:35 AM »
funkusmunkus,

Can you explain your suggestion a bit more and did it work?  Do you add this to a file or create a file with this name.........  If this does work it could be very handy in the future to stop issues like the one that happened over the week end.

Thanks,
Rick

funkusmunkus
Foreign Email - Spam / Virus
« Reply #4 on: May 18, 2005, 03:13:27 AM »
I personally don't have SpamAssassin installed; I don't get any spam, and at work we only use fetchmail, so again I have never had a need for SpamAssassin. Someone on Whirlpool (an Australian forum) using FC2 said to just place the file in /usr/share/spamassassin and it worked.

The link I gave you had a heading of
Quote
SpamAssassin rules for new German spam.
There appear to be a new slate of German emails on the loose that are small enough that my Bayesian program isn't doing much with them.
I've updated my SA rules for German spam with some new rules. I believe Erik provided the rule set initially.
You can fetch my current german_spam.cf rules.
I'll try to keep it updated as I see more.
Perhaps it's worth seeing if rules-du-jour has any of these yet...
Enjoy. And, boo on spammers


But I also came across this: http://www.viruswatch.nl/info/soberq_filter.html
which has a rule that doesn't report false positives at all.
It hasn't been tested on SpamAssassin, but this is the rule:
Code:
^Received\:\sfrom\s[a-z]{5,10}\.*\nDate\:[\s\w\,\:]{4,22}\:[0-9]{1,2}\s[A-Z]{1,4}\n


hope that helps
sorry I can't be of more help
cheers
.........

CKConsulting

Foreign Email - Spam / Virus
« Reply #5 on: May 18, 2005, 05:03:55 AM »
Thanks for the info I'll give it a shot.

Rick

p-jones
Foreign Email - Spam / Virus
« Reply #6 on: May 18, 2005, 12:10:00 PM »
I have a similar problem, reversed. A virus has entered the Windows system and flooded the mail server with email to the point that qmail has broken. I have manually cleaned out the local/remote and mess folders but qmail is still dead.

The fetchmail component has been continuing to collect the mail and depositing it ???. Likewise outward mail is also going from the client into a vapour that does not include the recipient.

I have never had this break before and I am not sure now where to go next to continue to fix / rebuild the mail system. Any pointers please

Peter
...

CKConsulting

Foreign Email - Spam / Virus
« Reply #7 on: May 18, 2005, 03:34:41 PM »
First did you find the PC causing this issue and kill it?  Maybe you have more than one PC with the virus?  
Is your hard drive full?
You could pull it off the network to see if you can get it back up.

Just my 2 cents.
Rick

cc_skavenger

Foreign Email - Spam / Virus
« Reply #8 on: May 18, 2005, 03:55:41 PM »
Quote from: "funkusmunkus"
... I also came across this: http://www.viruswatch.nl/info/soberq_filter.html
which has a rule that doesn't report false positives at all.
It hasn't been tested on SpamAssassin, but this is the rule:
Code:
^Received\:\sfrom\s[a-z]{5,10}\.*\nDate\:[\s\w\,\:]{4,22}\:[0-9]{1,2}\s[A-Z]{1,4}\n



Is this put in the same spot, ie. create a file located in /usr/share/spamassassin ?

Thanks

CKConsulting

Foreign Email - Spam / Virus
« Reply #9 on: May 18, 2005, 04:01:19 PM »
I tried the .cf file last night and it seems to be working well.
http://weblog.erenkrantz.com/~jerenk/german_spam.cf


I didn't try the code.

Rick

soup
Foreign Email - Spam / Virus
« Reply #10 on: May 18, 2005, 04:13:16 PM »
I'd like to install this .cf file but I'm having a hard time placing the file in the spamassassin dir. (I'm an SME newbie.) I located the file in my home dir; how do I move it?  :oops:

I'd appreciate it if someone can explain this to me.

Thanks,

Matt

CKConsulting

Foreign Email - Spam / Virus
« Reply #11 on: May 18, 2005, 04:21:03 PM »
I use WINSCP.
http://winscp.net

and Edit pad Pro Free
http://www.editpadpro.com/

I create the files with Edit Pad Pro and then use WINSCP to place the files.  WINSCP works just like explorer for us old windoz guys.

or you can use the mv command from putty.

Rick

filk

Foreign Email - Spam / Virus
« Reply #12 on: May 18, 2005, 04:38:42 PM »
Quote from: "CKConsulting"
I tried the .cf file last night and it seems to be working well.
http://weblog.erenkrantz.com/~jerenk/german_spam.cf


I didn't try the code.

Rick


I installed this file and it only seemed to work if it was a "body" rule.  It was skipping everything in a "header" rule.  I used the spamassassin for dummies script to install.

Is there a config somewhere that may have turned off "header" checks?

What makes this even more odd is that if I reformat the "header" rules as "body" rules, it picks it up from the Subject line.  I have the resulting .cf if anyone else is interested.

Any ideas?  Is this happening to anyone else?

funkusmunkus
Foreign Email - Spam / Virus
« Reply #13 on: May 18, 2005, 04:58:16 PM »
Just a correction: the place you put the .cf file is /etc/mail/spamassassin, not /usr/share/spamassassin. For more info on it check http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt

Ahh, cc_skavenger, I really have no idea; I just saw it on SANS this morning: http://isc.sans.org/diary.php?date=2005-05-16
.........

cc_skavenger

Foreign Email - Spam / Virus
« Reply #14 on: May 19, 2005, 06:36:14 AM »
What finally did work for my company:

Copied these spamassassin .cf rule files to the /etc/mail/spamassassin/ directory.

http://www.ccskavenger.info/sober-worm-spamassassin-rules/

Restart spamassassin with the command:  
/etc/rc.d/init.d/spamassassin restart

HTH someone else with the neo-nazi spam problem.

Olsen

Foreign Email - Spam / Virus
« Reply #15 on: May 19, 2005, 05:58:15 PM »
cc_skavenger,  

Thanks for posting those .cf files!  I have installed them into my spamassassin directory.  I will let everyone know if this has worked for our situation also.

Thanks again.

Olsen

Foreign Email - Spam / Virus
« Reply #16 on: May 19, 2005, 06:49:06 PM »
Nope, that did not work......

I clicked on the link for each .cf file on your site and copied the text.
I then opened up a blank doc on the server and pasted the text, saved it as sober-p.cf (as well as saving the rest of the files in the same manner),
restarted spamassassin....

I just got an email with the subject:
Tuerkei in die EU

This is a typical sober email.

Any suggestions?

BTW I put the files in /etc/mail/spamassassin as directed.

Olsen

Foreign Email - Spam / Virus
« Reply #17 on: May 19, 2005, 07:16:41 PM »
OK... it may have been a problem with the SpamAssassin restart.
I was installing a couple of other .cf files and had restarted SpamAssassin a couple of times.  One must have hung, because when I checked the status, it was stopped.  I started the spamd service and it SHOULD work, because I saw that subject in the sober-p.cf file......

cc_skavenger

Foreign Email - Spam / Virus
« Reply #18 on: May 19, 2005, 07:24:08 PM »
It is working great here.  The boss isn't cursing my name anymore.... :-D

Olsen

Foreign Email - Spam / Virus
« Reply #19 on: May 19, 2005, 07:51:11 PM »
I am getting frustrated with spamd.  

I start it and it starts ok.  I check the status to make sure it is running, and it says its running.  A minute later, I check the status to make sure it is still running (because I am a little obsessive) and it says spamd stopped.  ANYONE KNOW WHY it keeps stopping?  I am not doing anything that would stop it, Is there a script that is running to stop it?  

I am running spamassassin 3.0.1-3 with an auto update script

cc_skavenger

Foreign Email - Spam / Virus
« Reply #20 on: May 19, 2005, 08:08:41 PM »
I know this is a pain, but I would uninstall it and reinstall it.  I seemed to have been having a problem with older versions not completely uninstalling or being overwritten when I did an upgrade.

Just a thought...

Olsen

Foreign Email - Spam / Virus
« Reply #21 on: May 19, 2005, 08:54:11 PM »
A pain...it was....

I uninstalled the perl module, spamassassin, sme-spamfilter, spamassassin tools, usa script.....

Then i installed using the script i downloaded from swerts.  

It installed fine, but when I go to check the status of spamd....it is stopped.

Pulling my hair out.....running out of ideas.

There has to be a script shutting spamd down.  When I look at the message log, there is nothing in there telling me that spamd is shutting down.

cc_skavenger

Foreign Email - Spam / Virus
« Reply #22 on: May 19, 2005, 09:29:47 PM »
OK, let's try this...

Restart spamassassin and immediately do a top.  In top, press shift and the letter m to see what processes are using the most memory.  Watch this, are there any processes that are hogging memory?  

Btw, what are the specs on the system you are using?

Olsen

Foreign Email - Spam / Virus
« Reply #23 on: May 19, 2005, 09:31:00 PM »
I may have figured it out.

Everytime I tried to
[me@myserver]# /etc/rc.d/init.d/spamassassin restart
Shutting down spamd:                   [ FAILED ]
Starting spamd:                        [   OK   ]

but then when I would check the status, it would say:
stopped


So I tried removing all the custom .cf files thinking maybe one of them had a bug in it or there was a problem with the script.  Sure enough, I was able to keep the spamd process running.

Weird though, I cannot use the restart command, I have to use "stop" then "start" and things work fine.

Now that I have spamd Running, it should be filtering through the German and Sober crap and getting rid of it.....but it is not.  So I think I have other problems.  

Anyone have any thoughts?

Olsen

Foreign Email - Spam / Virus
« Reply #24 on: May 19, 2005, 09:36:01 PM »
I did the top....did the shift+m

I am running a backup of the server (since 10:30pm last night).....I know, I know I shouldn't be doing all of these changes during a backup; however, the president has climbed up my butt and will remain there until I get this resolved.  

So the tapeware process and spamd are at the top of the list, along with snort, squid, and clamd.

cc_skavenger

Foreign Email - Spam / Virus
« Reply #25 on: May 19, 2005, 10:04:36 PM »
There was a lot of crap stuck in the queue in my situation; it took a little bit before it stopped coming through...

Olsen

Foreign Email - Spam / Virus
« Reply #26 on: May 20, 2005, 12:20:24 AM »
Just got another....

Here is what the header is....The spam score should be higher....shouldn't it?

Received: (qmail 1507 invoked by alias); 19 May 2005 22:05:10 -0000
Delivered-To: MY EMAIL
Received: (qmail 1498 invoked from network); 19 May 2005 22:05:01 -0000
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on server.myserver.com
Received: from rbalvie.com (user-0c6t0bs.cable.mindspring.com [24.110.129.124])
  by server.myserver.com ([xxx.xxx.x.xxx])
  with SMTP via TCP; 19 May 2005 22:05:00 -0000
From: yosefa1@juno.com
To: Recipient@myserver.com
Date: Thu, 19 May 2005 22:01:05 UTC
Subject: Tuerkei in die EU
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
MIME-Version: 1.0
Message-ID: <95bae.66da0a5425@juno.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on server.myserver.com
X-Spam-Status: No, score=3.9 required=5.0 tests=BAYES_00,DCC_CHECK,
   FORGED_JUNO_RCVD,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100 autolearn=no
   version=3.0.3
X-Spam-Level: ***

funkusmunkus
Foreign Email - Spam / Virus
« Reply #27 on: May 20, 2005, 02:59:44 AM »
I think you need at least 512M RAM for SA to be effective; does that meet your current specs??
cc_skavenger  another thing to check out is this site http://www.mailscanner.info/
I'm told it works rather well
.........

Olsen

Foreign Email - Spam / Virus
« Reply #28 on: May 20, 2005, 03:31:57 AM »
We have 1GB of ram running on the machine.

It appears that SpamAssassin is getting a couple of these emails, because I can go into the junkmail folders of users and see some of these German emails, but it is still allowing a lot of these emails through.  I want to find a way to reject all emails with any of those subject lines included in all of the .cf files, OR increase the score it gives to above 10.  I currently have our SpamAssassin set at 7.

I appreciate all the help given so far, as I am frustrated beyond belief.  I feel as if our server is the only one not working using these .cf files.

I have gone to SARE's site and looked at some of their .cf files and installed some too.

One strange thing: after I loaded all of cc_skavenger's .cf files, I did a spamassassin --lint AND spamassassin --lint -D.
Both came up with 121 errors.....

I don't know if that is contributing to the ineffectiveness of the scripts.

kruhm
Foreign Email - Spam / Virus
« Reply #29 on: May 20, 2005, 05:57:11 AM »
@I clicked on the link for each .cf file on your site and copied the text.
I don't think you can just copy and paste it into a file. The word wrapping may be killing SA because it's not understanding the file.

Try creating the file, then transferring it onto the SME.

Olsen

Foreign Email - Spam / Virus
« Reply #30 on: May 20, 2005, 06:04:04 AM »
I debugged the .cf files.  You are right, the word wrap was killing me!  After correcting the files, I have not gotten any german emails.  

If I get in to work tomorrow with no german emails, I will be a happy (employed) man!

kruhm
Foreign Email - Spam / Virus
« Reply #31 on: May 20, 2005, 06:10:40 AM »
maybe we could get a corrected posting for the community to easily wget?

z80

Foreign Email - Spam / Virus
« Reply #32 on: May 20, 2005, 01:46:50 PM »
I've been getting loads of german spam too. The funny thing is though it comes from the iinet (perth western australia) IP address of 203.59.9.138

I'll ring iiNet as I'm the closest one.


Olsen

Foreign Email - Spam / Virus
« Reply #34 on: May 20, 2005, 05:29:17 PM »
RE:kruhm

In order to correct cc_skavenger's files I simply had to remove the line breaks and the word wrapping.  It is important that everyone know that spamassassin will not work properly by just using the wget command to download the files into the /etc/mail/spamassassin directory.  Even when I downloaded the files that way, the text wrapping was still causing me grief.

After getting all the files, I simply used pico to remove the extra line breaks and spacing.  It is also important to know that you cannot go to the end of the line and hit <delete> or <space>.  To get the text to space properly for parsing purposes, you must go to the beginning of the line below and hit <backspace>.  This will put all of the text in each function on one line.  

I could post my cf files, but the text wrap will still cause people issues.

I have not gotten any more German Emails....WHEW!

here is a list of custom .cf files I am using:
german.cf
german-spam.cf
german_bounce_spam.cf
sober_p.cf

HOPE THIS HELPS

cc_skavenger

Foreign Email - Spam / Virus
« Reply #35 on: May 20, 2005, 05:31:41 PM »
I have fixed the files.  Users can do a wget and not have any issues.

Thanks

Olsen

Foreign Email - Spam / Virus
« Reply #36 on: May 20, 2005, 05:36:24 PM »
Nice work cc_skavenger.

I was looking over the files and here are some unresolved errors.

File: german_spam.cf
meta __SUB_RASSISMUS_3 (__RASSISMUSHD_1 + __RASSISMUSHD_2 + __RASSISMUSHD_3 >=
1)
**** remove the line break after "RASSISMUSHD_3 >=" *****

Other than that....NICE!!!

Thanks for hosting these files for others to use!
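The two problems this thread ran into (a wrapped .cf line making spamassassin --lint fail, Replies #28/#34/#36, and a Subject rule not adding to the score until the file actually loads, Reply #26) can be reproduced offline. The following is an added example, not code from the thread, from cc_skavenger's rule files or from SpamAssassin itself: a minimal checker in the spirit of --lint plus a scorer for the header/body/meta/score subset those .cf files use. The rule names (SOBER_GERMAN, SOBER_LINK), their scores, the link in the body and the example.invalid host are constructed; the message is modelled on the header Olsen posted in Reply #26.

```python
import re

# Constructed rule file in the style of the thread's sober/german .cf files.
# Rule names and scores are hypothetical, not cc_skavenger's.
GOOD_CF = r"""
header __SOBER_SUBJ_1 Subject =~ /\bTuerkei in die EU\b/i
header __SOBER_SUBJ_2 Subject =~ /\bDeutschland\b/i
meta   SOBER_GERMAN   (__SOBER_SUBJ_1 + __SOBER_SUBJ_2 >= 1)
score  SOBER_GERMAN   6.0
body   SOBER_LINK     /http:\/\/[a-z0-9.-]+\/[a-z0-9]+\.(?:php|html)/i
score  SOBER_LINK     2.5
"""
# The same file after a copy/paste wrapped the meta line, as in Reply #36.
WRAPPED_CF = GOOD_CF.replace(">= 1)", ">=\n1)")
# Constructed message modelled on the header in Reply #26; the body is made up.
SAMPLE_MSG = """\
From: yosefa1@juno.com
To: Recipient@myserver.com
Subject: Tuerkei in die EU

http://example.invalid/news.php
"""
DIRECTIVES = {"header", "body", "meta", "score", "describe"}
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def lint_cf(text):
    """(lineno, message) for lines a .cf parser rejects: a rule must sit on
    one line, so a wrapped rule leaves an orphan non-directive line behind."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 2)
        if parts[0] not in DIRECTIVES or len(parts) < 3:
            problems.append((n, "not a complete rule (wrapped line?): %r" % s))
        elif parts[0] == "meta" and parts[2].count("(") != parts[2].count(")"):
            problems.append((n, "unbalanced parentheses: %r" % s))
    return problems

def compile_pat(pat):
    """/regex/flags -> compiled regex (only the i flag is understood here)."""
    body, flags = re.fullmatch(r"/(.*)/([a-z]*)", pat).groups()
    return re.compile(body, re.I if "i" in flags else 0)

def parse_cf(text):
    """Refuse a file that fails lint, as spamassassin --lint would flag it;
    else return ({rule: (kind, header, pattern_or_expr)}, {rule: score})."""
    if lint_cf(text):
        raise ValueError("lint failed: %r" % lint_cf(text))
    rules, scores = {}, {}
    for s in (l.strip() for l in text.splitlines()):
        if not s or s.startswith("#"):
            continue
        kind, name, rest = s.split(None, 2)
        if kind == "header":
            hdr, pat = rest.split("=~", 1)
            rules[name] = ("header", hdr.strip().lower(), compile_pat(pat.strip()))
        elif kind == "body":
            rules[name] = ("body", None, compile_pat(rest))
        elif kind == "meta":
            rules[name] = ("meta", None, rest)
        elif kind == "score":
            scores[name] = float(rest)
    return rules, scores

def eval_meta(expr, hit):
    """Evaluate a meta expression with rule names replaced by 1/0; anything
    beyond arithmetic, comparisons and &&/||/! is rejected before eval."""
    py = NAME.sub(lambda m: "1" if hit(m.group(0)) else "0", expr)
    py = re.sub(r"!(?!=)", " not ", py.replace("&&", " and ").replace("||", " or "))
    if not set(py) <= set("0123456789 ()+-*<>=!andort"):
        raise ValueError("unsupported meta expression: %r" % expr)
    return bool(eval(py, {"__builtins__": {}}, {}))

def check_message(raw, rules, scores):
    """(total score, sorted scoring rules that fired).  __ rules are sub-rules
    and never score; a scoring rule with no score line counts 1.0, as in SA."""
    head, _, body = raw.partition("\n\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in head.splitlines())}
    hits = {}
    def hit(name):
        if name not in hits:
            kind, hdr, pat = rules[name]
            if kind == "header":
                hits[name] = bool(pat.search(headers.get(hdr, "")))
            elif kind == "body":
                hits[name] = bool(pat.search(body))
            else:
                hits[name] = eval_meta(pat, hit)
        return hits[name]
    fired = sorted(n for n in rules if hit(n) and not n.startswith("__"))
    return sum(scores.get(n, 1.0) for n in fired), fired

if __name__ == "__main__":
    print(lint_cf(WRAPPED_CF))                            # lines 4 and 5 flagged
    print(check_message(SAMPLE_MSG, *parse_cf(GOOD_CF)))  # (8.5, ['SOBER_GERMAN', 'SOBER_LINK'])
```

Running it shows the wrapped copy failing on two lines (the truncated meta with an unbalanced parenthesis, then the orphan `1)`), which is the same class of error that produced Olsen's 121 --lint errors, while the intact copy loads and the Subject line alone pushes the sample message past a threshold of 7. The point for a practitioner: run --lint after every copy of a .cf file, because a rule file that does not parse adds nothing at all, and a message that still arrives with score 3.9 (as in Reply #26) means the custom rules were never loaded rather than that they missed.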

Olsen

Foreign Email - Spam / Virus
« Reply #37 on: May 20, 2005, 05:38:12 PM »
Now user can do a wget and not have any issues.

I was writing my post at the same time you were skavenger...

Again, thanks for your hard work.

cc_skavenger

Foreign Email - Spam / Virus
« Reply #38 on: May 22, 2005, 02:34:38 AM »
Quote from: "Olsen"

File: german_spam.cf
meta __SUB_RASSISMUS_3 (__RASSISMUSHD_1 + __RASSISMUSHD_2 + __RASSISMUSHD_3 >=
1)
**** remove the line break after "RASSISMUSHD_3 >=" *****


Olsen,

Is this error still there?  I don't seem to see it....

Olsen

Foreign Email - Spam / Virus
« Reply #39 on: May 23, 2005, 06:07:24 PM »
The error is no longer there.  Great job!