[Mimedefang] Have I mentioned that MIMEDefang is great?

Michael Sims michaels at crye-leike.com
Sat Jun 7 14:32:01 EDT 2003


Time for a little advocacy here.

Over the past couple of days I've received several spam reports from my end
users which contain messages that came directly from Hotmail relays.  Each
message had slipped under SpamAssassin's radar, with scores ranging from
1.7 - 4.5 or so.  I did some investigating, and with the help of a very
knowledgeable fellow on the SPAM-L mailing list I determined that these
spams always came from a certain subset of hotmail relays, and each message
had at least ONE of the following characteristics:

(1) The X-Originating-Email header and envelope sender contained a different
email address than that of the From header.
(2) The message headers contained 2 X-Originating-IP headers.
(3) One of the X-Originating-IP headers had "IP" spelled as "Ip"
(4) One of the X-Originating-IP headers had an IP that was clearly forged
(octets with leading zeros or not in 0-255 range)

I have a sub in my mimedefang-filter called my_spam_assassin_check() which
is a wrapper around spam_assassin_check().  I call this from filter_end()
and it allows me to run some custom tests from MIMEDefang and alter the
SpamAssassin score.  I added some code to check for the above
characteristics and to copy any message that had one of them to a specific
shared IMAP folder.  I watched this folder for about a day and noticed that
it was all absolute junk.  Even better, it was stuff that SpamAssassin was
letting through.  So I modified my sub to score these as new SpamAssassin
tests.  The relevant code is at the bottom of this email.

So, once again I am completely amazed at how flexible MIMEDefang is.  Is
there a single filtering solution out there that would let you run such a
specific set of tests on every email that comes into your system?  The only
other one I can think of is CanIT. :-)

David, I know you're probably sick of hearing it, but I want to thank you
once again for making the job of fighting spam a little bit easier and a LOT
more fun...

Here's the code in question (only relevant bits shown, full code available
on request):

-----CUT-----
sub my_spam_assassin_check(;$) {

  # First run the message through SpamAssassin; $names is the
  # comma-separated list of tests that fired, which we extend below
  my($hits, $req, $names, $report) = spam_assassin_check(@_);
  my @names = split(',' => $names);

  # Run custom checks

  ...

  # MD_CUSTOM_HOTMAIL_DAV_SPAM, score 3.5
  # MD_CUSTOM_HOTMAIL_DOUBLE_ORIG_IP, score 1
  # MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_1, score 3
  # MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_2, score 4
  if ($RelayHostname =~ /bay[3-5]-dav.*?\.bay[3-5]\.hotmail\.com/i) {

    # If the message came from a hotmail relay, see if the email address
    # in the X-Originating-Email header differs from that in the From
    # header.  This is a strong indication of spam...

    my ($hotmailOrigEmail, $fromHeader);
    my $origIpCount = 0;
    my ($doubleOrigIp, $forgedOrigIp_1, $forgedOrigIp_2) = (0, 0, 0);

    # MIMEDefang leaves the message headers in ./HEADERS, one per line
    if (open(HEADERS, '<', './HEADERS')) {
      while (<HEADERS>) {
        chomp;
        if (/^X-Originating-(IP):\s*\[(.*?)\]/i) {

          # /i lets the match succeed on any capitalisation of "IP";
          # $1 keeps the spelling actually used so it can be checked below
          my ($ipPart, $ipAddr) = ($1, $2);

          # Set $doubleOrigIp only if we've seen this header before
          $doubleOrigIp = 1 if $origIpCount++;

          # MSN/Hotmail's "IP" is all caps, not "ip", "iP", or "Ip"
          $forgedOrigIp_1 = 1 if ($ipPart ne 'IP');

          # Check to see if any of the octets has a leading zero or
          # doesn't fall in the 0-255 range.  A bare "0" octet is
          # legitimate (e.g. 64.4.0.17); anything non-numeric is treated
          # as forged as well.
          my @octets = split(/\./, $ipAddr);
          foreach (@octets) {
            $forgedOrigIp_2 = 1 if (!/^\d+$/ || /^0\d/ || $_ > 255);
          }

        } elsif (/^X-Originating-Email:\s*\[(.*?)\]/i) {
          $hotmailOrigEmail = $1;
        } elsif (/^From:\s*.*?<?([^\@\s]+\@[^>\s]+)>?\s*/i) {
          $fromHeader = $1;
        }
      }
      close(HEADERS);
    } else {
      md_syslog('warning', "my_spam_assassin_check: cannot open ./HEADERS: $!");
    }

    # It seems that email.msn.com and msn.com are aliases for each
    # other.  Only rewrite the values we actually found.
    foreach ($hotmailOrigEmail, $fromHeader) {
      s/\@email\.msn\.com/\@msn.com/i if defined;
    }

    if (defined $hotmailOrigEmail && defined $fromHeader
        && lc $hotmailOrigEmail ne lc $fromHeader) {

      $hits += 3.5;
      push(@names, 'MD_CUSTOM_HOTMAIL_DAV_SPAM');

    }

    if ($doubleOrigIp) {
      $hits += 1;
      push(@names, 'MD_CUSTOM_HOTMAIL_DOUBLE_ORIG_IP');
    }

    if ($forgedOrigIp_1) {
      $hits += 3;
      push(@names, 'MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_1');
    }

    if ($forgedOrigIp_2) {
      $hits += 4;
      push(@names, 'MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_2');
    }

  }

  ...

  # Hand the (possibly raised) score and extended test list back to
  # filter_end(), which compares $hits against $req as usual
  $names = join(',' => @names);
  return ($hits, $req, $names, $report);

}
-----CUT-----

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
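As an added example (not code from the post above, from MIMEDefang, or from the mimedefang-filter it describes), here is a stand-alone Perl harness that runs the same four Hotmail heuristics over constructed header blocks, so the regexes can be exercised outside the milter before they go into filter_end(). It goes slightly beyond the posted sub: it validates the whole dotted quad (exactly four numeric octets, each 0-255, no leading zeros, a bare 0 allowed), unfolds wrapped header lines, and compares addresses case-insensitively. The test names and scores are the ones from the post; the header blocks, addresses and IPs are constructed for the example and are not real mail.

```perl
#!/usr/bin/perl
# Stand-alone harness for the Hotmail header heuristics described in the
# post.  Not part of MIMEDefang or the original filter; all header blocks
# below are constructed test data.
use strict;
use warnings;

# Scores from the post, keyed by test name.
my %SCORE = (
    MD_CUSTOM_HOTMAIL_DAV_SPAM         => 3.5,
    MD_CUSTOM_HOTMAIL_DOUBLE_ORIG_IP   => 1,
    MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_1 => 3,
    MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_2 => 4,
);

# True if $ip is a well-formed dotted quad: exactly four decimal octets,
# each 0-255, none written with a leading zero (a bare "0" is fine).
sub valid_dotted_quad {
    my ($ip) = @_;
    my @o = split /\./, $ip, -1;       # -1 keeps a trailing empty field
    return 0 unless @o == 4;
    for (@o) {
        return 0 unless /^(?:0|[1-9]\d{0,2})$/ && $_ <= 255;
    }
    return 1;
}

# Join RFC 2822 continuation lines so a wrapped header is one string.
sub unfold_headers {
    my ($raw) = @_;
    $raw =~ s/\r?\n[ \t]+/ /g;
    return split /\r?\n/, $raw;
}

# Pull the first address out of a From: value, with or without a
# display name and angle brackets.
sub from_address {
    my ($value) = @_;
    return $1 if $value =~ /<([^<>\s]+\@[^<>\s]+)>/;
    return $1 if $value =~ /([^\s<>"]+\@[^\s<>"()]+)/;
    return;
}

# Run the four checks over a raw header block and return
# { names => [tests that fired], hits => score to add }.
sub hotmail_checks {
    my ($raw) = @_;
    my ($orig_email, $from);
    my ($orig_ip_count, $bad_case, $bad_ip) = (0, 0, 0);

    for my $line (unfold_headers($raw)) {
        if ($line =~ /^X-Originating-(IP):\s*\[([^\]]*)\]/i) {
            my ($word, $ip) = ($1, $2);   # $word keeps the real spelling
            $orig_ip_count++;
            $bad_case = 1 if $word ne 'IP';
            $bad_ip   = 1 unless valid_dotted_quad($ip);
        } elsif ($line =~ /^X-Originating-Email:\s*\[([^\]]*)\]/i) {
            $orig_email = lc $1;
        } elsif ($line =~ /^From:\s*(.*)/i) {
            $from = from_address($1);
            $from = lc $from if defined $from;
        }
    }
    # email.msn.com and msn.com are aliases, as noted in the post
    for ($orig_email, $from) {
        s/\@email\.msn\.com$/\@msn.com/ if defined;
    }

    my @fired;
    push @fired, 'MD_CUSTOM_HOTMAIL_DAV_SPAM'
        if defined $orig_email && defined $from && $orig_email ne $from;
    push @fired, 'MD_CUSTOM_HOTMAIL_DOUBLE_ORIG_IP'   if $orig_ip_count > 1;
    push @fired, 'MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_1' if $bad_case;
    push @fired, 'MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_2' if $bad_ip;

    my $hits = 0;
    $hits += $SCORE{$_} for @fired;
    return { names => \@fired, hits => $hits };
}

# Constructed sample header blocks: [label, headers, expected score, expected tests]
my @cases = (
    [ "clean Hotmail mail, bare 0 octet must not be flagged",
      "X-Originating-IP: [64.4.0.17]\nX-Originating-Email: [alice\@hotmail.com]\nFrom: \"Alice\" <alice\@hotmail.com>\n",
      0, [] ],
    [ "forged second header with leading zeros and 'Ip' spelling",
      "X-Originating-Ip: [206.046.013.002]\nX-Originating-IP: [64.4.3.8]\nX-Originating-Email: [bob\@hotmail.com]\nFrom: promo\@example.net\n",
      11.5, [qw(MD_CUSTOM_HOTMAIL_DAV_SPAM MD_CUSTOM_HOTMAIL_DOUBLE_ORIG_IP
                MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_1 MD_CUSTOM_HOTMAIL_FORGED_ORIG_IP_2)] ],
    [ "msn.com alias and folded From: header",
      "X-Originating-IP: [64.4.3.8]\nX-Originating-Email: [carol\@email.msn.com]\nFrom: Carol Example\n <carol\@msn.com>\n",
      0, [] ],
);

for my $c (@cases) {
    my ($label, $raw, $want_hits, $want_names) = @$c;
    my $r    = hotmail_checks($raw);
    my $got  = join ',', @{ $r->{names} };
    my $want = join ',', @$want_names;
    die "$label: got [$got] score $r->{hits}, wanted [$want] score $want_hits\n"
        unless $got eq $want && $r->{hits} == $want_hits;
    print "ok - $label\n";
}
```

Run it with `perl hotmail_checks.pl`; it dies on the first case whose fired tests or score differ from the expectation. The first case is the one worth keeping an eye on when tuning the octet rule: a naive "starts with 0" test would score legitimate addresses such as 64.4.0.17 as forged.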
