Koozali.org: home of the SME Server

Foreign Email - Spam / Virus

Olsen

« on: May 17, 2005, 01:54:40 AM »
Over the weekend, our company has had a FLOOD of emails coming in from German senders with subjects that are German. The email is most typically virus related because all the email contains is a hyperlink to a site. We are getting HUNDREDS of these emails.

We reside in the USA, how can I block emails that have subject lines in German, or any other foreign languages?

Currently, I am running ClamAV, Spamassassin, mailfront mailrules, and RBL.

I don't know how I can filter these emails because there are no attachments, and I don't know if there is any filter that can distinguish if the content is in English or not.....

HELP?????

CharlieBrady

« Reply #1 on: May 17, 2005, 02:29:23 AM »
Quote from: "Olsen"
Over the weekend, our company has had a FLOOD of emails coming in from German senders with subjects that are German. The email is most typically virus related because all the email contains is a hyperlink to a site. We are getting HUNDREDS of these emails.


As is everyone else in the world.

Read more here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU

funkusmunkus

« Reply #2 on: May 17, 2005, 07:48:56 AM »
Apparently you could place http://weblog.erenkrantz.com/~jerenk/german_spam.cf
in  /usr/share/spamassassin
and that should stop the new sober emails

worth a try

hope that helps
cheers
.........

CKConsulting

« Reply #3 on: May 18, 2005, 02:46:35 AM »
funkusmunkus,

Can you explain your suggestion a bit more and did it work? Do you add this to a file or create a file with this name......... If this does work it could be very handy in the future to stop issues like the one that happened over the weekend.

Thanks,
Rick

funkusmunkus

« Reply #4 on: May 18, 2005, 03:13:27 AM »
I personally don't have spamassassin installed, I don't get any spam, and at work we only use fetchmail, so again never had a need for spamassassin. Someone on Whirlpool (an Australian forum) using FC2 said just place the file in /usr/share/spamassassin and it worked.

The link I gave you had a heading of
Quote
SpamAssassin rules for new German spam.
There appear to be a new slate of German emails on the loose that are small enough that my Bayesian program isn't doing much with them.
I've updated my SA rules for German spam with some new rules. I believe Erik provided the rule set initially.
You can fetch my current german_spam.cf rules.
I'll try to keep it updated as I see more.
Perhaps it's worth seeing if rules-du-jour has any of these yet...
Enjoy. And, boo on spammers


but I also came across this http://www.viruswatch.nl/info/soberq_filter.html
which has a rule that doesn't report false positives at all
it hasn't been tested on spamassassin but this is the rule
Code:
^Received\:\sfrom\s[a-z]{5,10}\.*\nDate\:[\s\w\,\:]{4,22}\:[0-9]{1,2}\s[A-Z]{1,4}\n


hope that helps
sorry I can't be of more help
cheers
.........
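
Added example (not part of the thread, and not code from viruswatch.nl or SpamAssassin): the rule quoted in Reply #4, run in Python over constructed header samples to see what it does and does not match before it is deployed. The `re.MULTILINE` flag, the header-only scoping, and every sample message are assumptions made for this example.

```python
import re

# Rule text exactly as quoted in the thread (from the viruswatch.nl page).
# Assumption: '^' should anchor at the start of any header line, hence MULTILINE.
SOBER_RULE = re.compile(
    r"^Received\:\sfrom\s[a-z]{5,10}\.*\nDate\:[\s\w\,\:]{4,22}\:[0-9]{1,2}\s[A-Z]{1,4}\n",
    re.MULTILINE,
)

def header_block(raw_message: str) -> str:
    """Normalize CRLF and return only the headers (text before the first blank line)."""
    head, _, _ = raw_message.replace("\r\n", "\n").partition("\n\n")
    return head + "\n"

def rule_hits(raw_message: str) -> bool:
    """True when the quoted rule matches inside the header block only."""
    return SOBER_RULE.search(header_block(raw_message)) is not None

# Constructed sample messages (not captured traffic); hosts and addresses are placeholders.
SAMPLES = {
    # Bare single-label Received line directly followed by a short Date header.
    "bare_received_short_date": (
        "Received: from qwertzu\r\nDate: 16 May 2005 10:12:33 GMT\r\n"
        "Subject: Test\r\n\r\nhttp://example.invalid/\r\n"
    ),
    # Same shape, but the day name pushes the date text past the {4,22} limit.
    "bare_received_dayname_date": (
        "Received: from qwertzu\r\nDate: Mon, 16 May 2005 10:12:33 GMT\r\n"
        "Subject: Test\r\n\r\nhttp://example.invalid/\r\n"
    ),
    # Ordinary relay hop: dotted host name, details after it, numeric time zone.
    "normal_relay": (
        "Received: from mail.example.com (mail.example.com [192.0.2.10])\r\n"
        "\tby mx.example.org with ESMTP; Mon, 16 May 2005 10:12:33 -0400\r\n"
        "Date: Mon, 16 May 2005 10:12:33 -0400\r\nSubject: Minutes\r\n\r\nSee attached.\r\n"
    ),
    # The pattern appears only in the body, e.g. a forwarded header excerpt.
    "pattern_in_body_only": (
        "From: admin@example.org\r\nSubject: Fwd: odd headers\r\n\r\n"
        "Received: from qwertzu\r\nDate: 16 May 2005 10:12:33 GMT\r\n"
    ),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(f"{name:28s} hit={rule_hits(message)}")
```

Only the first sample is a hit. The rule requires a Received line with nothing after a 5 to 10 letter lowercase name and a Date header of a specific length ending in an alphabetic time zone, so it should be checked against a site's own mail for both misses and false positives.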

CKConsulting

« Reply #5 on: May 18, 2005, 05:03:55 AM »
Thanks for the info I'll give it a shot.

Rick

p-jones

« Reply #6 on: May 18, 2005, 12:10:00 PM »
I have a similar problem reversed. A virus has entered the Windows system and flooded the mailserver with email to a point that qmail has broken. I have manually cleaned out the local/remote and mess folders but Qmail is still dead.

The fetchmail component has been continuing to collect the mail and depositing it ???. Likewise outward mail is also going from the client into a vapour that does not include the recipient.

I have never had this break before and I am not sure now where to go next to continue to fix / rebuild the mail system. Any pointers please

Peter
...

CKConsulting

« Reply #7 on: May 18, 2005, 03:34:41 PM »
First, did you find the PC causing this issue and kill it? Maybe you have more than one PC with the virus?
Is your hard drive full?
You could pull it off the network to see if you can get it back up.

Just my 2 cents.
Rick

cc_skavenger

« Reply #8 on: May 18, 2005, 03:55:41 PM »
Quote from: "funkusmunkus"
... I also came across this http://www.viruswatch.nl/info/soberq_filter.html
which has a rule that doesn't report false positives at all
it hasn't been tested on spamassassin but this is the rule
Code:
^Received\:\sfrom\s[a-z]{5,10}\.*\nDate\:[\s\w\,\:]{4,22}\:[0-9]{1,2}\s[A-Z]{1,4}\n



Is this put in the same spot, ie. create a file located in /usr/share/spamassassin ?

Thanks

CKConsulting

« Reply #9 on: May 18, 2005, 04:01:19 PM »
I tried the .sf file last night and it seems to be working well.
http://weblog.erenkrantz.com/~jerenk/german_spam.cf


I didn't try the code.

Rick

soup

« Reply #10 on: May 18, 2005, 04:13:16 PM »
I'd like to install this .sf file but I'm having a hard time placing the file in the spamassassin dir. (I'm a SME newbie) I located the file in my home dir, how do I move it?  :oops:

I'd appreciate it if someone can explain this to me.

Thanks,

Matt

CKConsulting

« Reply #11 on: May 18, 2005, 04:21:03 PM »
I use WINSCP.
http://winscp.net

and Edit pad Pro Free
http://www.editpadpro.com/

I create the files with Edit Pad Pro and then use WINSCP to place the files.  WINSCP works just like explorer for us old windoz guys.

or you can use the mv command from putty.

Rick

filk

« Reply #12 on: May 18, 2005, 04:38:42 PM »
Quote from: "CKConsulting"
I tried the .sf file last night and it seems to be working well.
http://weblog.erenkrantz.com/~jerenk/german_spam.cf


I didn't try the code.

Rick


I installed this file and it only seemed to work if it was a "body" rule.  It was skipping everything in a "header" rule.  I used the spamassassin for dummies script to install.

Is there a config somewhere that may have turned off "header" checks?

What makes this even more odd is that if I reformat the "header" rules as "body" rules, it picks it up from the Subject line.  I have the resulting .cf if anyone else is interested.

Any ideas?  Is this happening to anyone else?

funkusmunkus

« Reply #13 on: May 18, 2005, 04:58:16 PM »
Just a correction: the area you put the CF file in is /etc/mail/spamassassin, not /usr/share/spamassassin. For more info on it check http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt

Ahh cc_skavenger, I really have no idea, I just saw it on SANS this morning http://isc.sans.org/diary.php?date=2005-05-16
.........

cc_skavenger

« Reply #14 on: May 19, 2005, 06:36:14 AM »
What finally did work for my company:

Copied these spamassassin .cf rule files to the /etc/mail/spamassassin/ directory.

http://www.ccskavenger.info/sober-worm-spamassassin-rules/

Restart spamassassin with the command:  
/etc/rc.d/init.d/spamassassin restart

HTH someone else with the neo-nazi spam problem.