dnswl.org and phishing

Paul Welsh paul at welshfamily.com
Mon Nov 12 01:19:49 GMT 2012


Hi all

Bit off-topic but thought I'd mention dnswl.org which the spamassassin
wiki describes here -
http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED - and
which describes itself as "the leading whitelist provider for email
filtering".

I was tweaking my spam.assassin.prefs.conf today and noticed
RCVD_IN_DNSWL_MED gets a -2.3 spamassassin score by default.  However,
on doing some digging I noticed this:

2012-11-10 11:01:45 1TX8or-0008Fj-1P <= service at santander.co.uk
H=p02c11o144.mxlogic.net [208.65.144.77] P=esmtps
X=TLSv1:AES256-SHA:256 S=3244
id=FS3rRZ1UbDBRArVc4Iu00000255 at fs3.ellison.local T="YOUR ONLINE
ACCOUNT HAS BEEN SUSPENDED" from <service at santander.co.uk> for <snip>

This phishing email came from mxlogic.net, now called McAfee SaaS
Email Protection & Continuity.  dnswl.org gives mxlogic.net a
classification of:
"Medium - Rare spam occurrences, corrected promptly."

Fair enough, this is doubtless one of those rare occurrences, but I
just thought I'd highlight that phishing does appear to be getting
through mxlogic.net and, because of dnswl.org's treatment of it,
spamassassin is subtracting nearly 3 points from its score.

In the case of the phishing mail I saw, it still got picked up as high
scoring spam and deleted but had the attempts to forge the Outlook
headers been better and/or had I given RCVD_IN_DNSWL_MED a higher
negative score (which I was seriously considering doing), this would
have been delivered:

Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from
208.65.144.77 (service at santander.co.uk) to <snip> is spam,
SpamAssassin (score=10.984, required 6, autolearn=disabled,
AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79,
FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH
0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00,
FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00,
HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21,
NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62,
TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)
Nov 10 11:01:50 mail MailScanner[27602]: Non-delivery of spam: message
1TX8or-0008Fj-1P from service at santander.co.uk to <snip> with subject
YOUR ONLINE ACCOUNT HAS BEEN SUSPENDED
Nov 10 11:01:50 mail MailScanner[27602]: Spam Actions: message
1TX8or-0008Fj-1P actions are delete


More information about the MailScanner mailing list
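As a worked illustration of the "what if I had given RCVD_IN_DNSWL_MED a
bigger negative score" question in the post, here is a small Python script
(added here; it is not Paul's code, nor part of MailScanner or SpamAssassin).
It parses the MailScanner log line quoted above, recomputes the total from the
per-rule scores, and works out how negative the whitelist rule would have to be
before this message dropped under the "required 6" threshold and was delivered.
The log line is copied verbatim from the post; the mapping of dnswl.org's
127.0.<category>.<trust> answers to the RCVD_IN_DNSWL_LOW/MED/HI rules and the
127.0.0.255 "over query limit" answer follow dnswl.org's published return-code
layout, and the function names are this example's own.

```python
"""What-if analysis of the SpamAssassin verdict in a MailScanner log line.

Added example, not code from the MailScanner list post or either project.
"""
import re

# The MailScanner log line quoted in the post, re-joined onto one line.
LOG_LINE = (
    "Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from "
    "208.65.144.77 (service at santander.co.uk) to <snip> is spam, "
    "SpamAssassin (score=10.984, required 6, autolearn=disabled, "
    "AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79, "
    "FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH "
    "0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00, "
    "FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00, "
    "HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21, "
    "NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62, "
    "TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)"
)

# "RULE_NAME 1.23" pairs; rule names are upper-case, so "required 6" and
# "autolearn=disabled" never match.
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")
HEADER_RE = re.compile(r"score=(-?[\d.]+), required (-?[\d.]+)")


def parse_sa_report(line):
    """Return (reported_score, required, {rule: score}) from a MailScanner line."""
    start = line.index("SpamAssassin (")
    body = line[start + len("SpamAssassin ("):].rstrip(")")
    m = HEADER_RE.search(body)
    if m is None:
        raise ValueError("no score=/required fields in SpamAssassin report")
    reported, required = float(m.group(1)), float(m.group(2))
    rules = {name: float(val) for name, val in RULE_RE.findall(body)}
    return reported, required, rules


def is_spam(score, required):
    """SpamAssassin flags a message as spam when score >= required_score."""
    return score >= required


def rescore(rules, overrides):
    """Total after replacing some per-rule scores, as a local
    'score RULE value' line in spam.assassin.prefs.conf / local.cf would."""
    merged = dict(rules)
    merged.update(overrides)
    return round(sum(merged.values()), 3)


def breakeven(rules, required, rule):
    """Score for `rule` at which the total exactly equals `required`; any
    more negative value would have let this message through."""
    others = sum(v for k, v in rules.items() if k != rule)
    return round(required - others, 3)


def dnswl_rule(answer):
    """Map a list.dnswl.org A record (127.0.<category>.<trust>) to the
    RCVD_IN_DNSWL_* rule that trust level selects. Trust 0 = no score,
    1 = LOW, 2 = MED, 3 = HI per dnswl.org; 127.0.0.255 means the resolver
    is over dnswl's query limit and must not be read as a whitelisting."""
    a, b, category, trust = (int(x) for x in answer.split("."))
    if (a, b) != (127, 0):
        raise ValueError("not a dnswl.org answer: %s" % answer)
    if category == 0 and trust == 255:
        return "BLOCKED"
    return {0: None, 1: "RCVD_IN_DNSWL_LOW",
            2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}[trust]


if __name__ == "__main__":
    reported, required, rules = parse_sa_report(LOG_LINE)
    print("reported %.3f, recomputed %.2f, required %g"
          % (reported, sum(rules.values()), required))
    be = breakeven(rules, required, "RCVD_IN_DNSWL_MED")
    print("RCVD_IN_DNSWL_MED would need to be below %.2f to deliver" % be)
    for candidate in (-2.3, -5.0, -7.5):
        total = rescore(rules, {"RCVD_IN_DNSWL_MED": candidate})
        print("score RCVD_IN_DNSWL_MED %.1f -> %.2f %s"
              % (candidate, total, "spam" if is_spam(total, required) else "DELIVERED"))
```

For this particular message the forged-Outlook rules carry it: the other 18
rules add up to 13.28, so the whitelist score would have to go below -7.28
before it slipped under the threshold, which is why -2.3 was survivable here
and why a much larger negative score (set with a `score RCVD_IN_DNSWL_MED`
line) is a risk on anything scoring closer to 6.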