08-Sep-2022

PMAS rules updated
To limit the number of spam messages that share the same visual characteristics (the subject, and a MIME attachment with content-type “text/html”), I checked what they have in common according to PMAS, and found four properties:

  • X-PMAS-BDY-IMAGE_LINK3: Web site link image is attached (5.000)
  • X-PMAS-BDY-TEENY_FONT: Message tries to hide text in teeny-tiny font (10.000)
  • X-PMAS-BDY-NONSENSE_STYLE5: Message hides text with useless <STYLE> tags (10.000)
  • X-PMAS-META-IMAGE_ATTACHED: Embedded HTML image is attached (2.000)

Most of these messages share some further properties, but not all of them do, so those are irrelevant: blocking every message that contains the four properties above is enough.
By adding this rule to the local test-file:

meta BLOCKTHESE (IMAGE_LINK3 && TEENY_FONT && NONSENSE_STYLE5 && __IMAGE_ATTACHED)
describe BLOCKTHESE This is real spam
score BLOCKTHESE 300

PMAS will close the connection when this combination of properties is found, as the logfile shows: to whatever score PMAS scanning would otherwise have assigned, 300 is added because of this combination, causing rejection:

8-OCT-2022 18:23:53.60: RS|344.000000|em.errihani@encgsettat.ac.ma|willem@grootersnet.nl|Tonita41||VMF_NO_SMTP,__FROM_NO_AT,__HAS_X_MS_EXCHANGE,__CT,__MIME_VERSION,__SUBJ_RE_SPAM03,__RETURN_PATH01,__FROM_HERE,__TO_HERE,__DATE_HERE,__SUBJECT_HERE,__RCVD_MS,__CTYPE_HAS_BOUNDARY,__MULTIPART,__SANE_MSGID,__HAS_MSGID,__PHISHING_WU3,__PHSHCOMMBANK02,__POSTCARD06,__NOT_CNN_URI,__HTTP_URI,__NOT_IRS_URI,REPUTATION_URI_NONSPAM,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_END_BODY,__TAG_EXISTS_END_HEAD,__TAG_EXISTS_END_HTML,__BASE64_HTML,__BODY_EXISTS,__BODY_CT_HTML,__ONEPART,__ENDPART,__IMAGE_JPEG,__RAWBODY_EXISTS,__8BIT_BODY,__END_HTML_MESSAGE,IMAGE_LINK3,TEENY_FONT,__SOME_HTML_TAG,__WHITE_BG1,__WHITE_TEXT01,NONSENSE_STYLE5,__FULL_BODY_EXISTS,__IMAGE_ATTACHED,__BDATE003,__DOCTYPE_URI,__1601M01,BLOCKTHESE,RETURN_PATH,WHITE_TEXT,IMAGE_ATTACHED|
8-OCT-2022 18:26:52.37: RS|330.000000|lhoralek@zshalkova.cz|willem@grootersnet.nl|Susy||VMF_OK,__FROM_NO_AT,__HAS_X_MS_EXCHANGE,__CT,__MIME_VERSION,__SUBJ_RE_SPAM03,__RETURN_PATH01,__FROM_HERE,__TO_HERE,__DATE_HERE,__SUBJECT_HERE,__RCVD_MS,__CTYPE_HAS_BOUNDARY,__MULTIPART,__SANE_MSGID,__HAS_MSGID,__PHISHING_WU3,__PHSHCOMMBANK02,__POSTCARD06,__NOT_CNN_URI,__HTTP_URI,__NOT_IRS_URI,REPUTATION_URI_NONSPAM,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_END_BODY,__TAG_EXISTS_END_HEAD,__TAG_EXISTS_END_HTML,__BASE64_HTML,__BODY_EXISTS,__BODY_CT_HTML,__ONEPART,__ENDPART,__IMAGE_JPEG,__RAWBODY_EXISTS,__8BIT_BODY,__END_HTML_MESSAGE,IMAGE_LINK3,TEENY_FONT,__SOME_HTML_TAG,__WHITE_BG1,NONSENSE_STYLE5,__FULL_BODY_EXISTS,__IMAGE_ATTACHED,__BDATE002,__RUM017,__DOCTYPE_URI,__1601M01,BLOCKTHESE,RETURN_PATH,IMAGE_ATTACHED|
8-OCT-2022 18:34:26.28: RS|362.000000|betty@pickupflowers.com|willem@grootersnet.nl|Judie||VMF_OK,__FROM_NO_AT,__CT,__MIME_VERSION,__SUBJ_RE_SPAM03,__FROM_HERE,__TO_HERE,__DATE_HERE,__SUBJECT_HERE,__CTYPE_HAS_BOUNDARY,__MULTIPART,__SANE_MSGID,__HAS_MSGID,__PHISHING_WU3,__PHSHCOMMBANK02,__POSTCARD06,__NOT_CNN_URI,__HTTP_URI,BLIND_DATE_URI,__NOT_IRS_URI,REPUTATION_URI_NONSPAM,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_END_BODY,__TAG_EXISTS_END_HEAD,__TAG_EXISTS_END_HTML,__BASE64_HTML,__BODY_EXISTS,__BODY_CT_HTML,__ONEPART,__ENDPART,__IMAGE_JPEG,__RAWBODY_EXISTS,__8BIT_BODY,__END_HTML_MESSAGE,IMAGE_LINK3,TEENY_FONT,__SOME_HTML_TAG,__WHITE_BG1,__WHITE_TEXT01,NONSENSE_STYLE5,__FULL_BODY_EXISTS,__IMAGE_ATTACHED,__DOCTYPE_URI,__1601M01,BLOCKTHESE,BASE64_HTML,WHITE_TEXT,IMAGE_ATTACHED|
8-OCT-2022 18:34:58.87: RS|350.000000|405968049@ms.yru.ac.th|willem@grootersnet.nl|Trudy5||VMF_OK,__FROM_NO_AT,__HAS_X_MS_EXCHANGE,__CT,__MIME_VERSION,__ID_RETURN_PATH,__SUBJ_RE_SPAM03,__RETURN_PATH01,__FROM_HERE,__TO_HERE,__DATE_HERE,__SUBJECT_HERE,__RCVD_MS,__CTYPE_HAS_BOUNDARY,__MULTIPART,__SANE_MSGID,__HAS_MSGID,__PHISHING_WU3,__PHSHCOMMBANK02,__POSTCARD06,__0704_CLICK_ME02,__NOT_CNN_URI,__HTTP_URI,__NOT_IRS_URI,REPUTATION_URI_NONSPAM,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_END_BODY,__TAG_EXISTS_END_HEAD,__TAG_EXISTS_END_HTML,__BASE64_HTML,__BODY_EXISTS,__BODY_CT_HTML,__ONEPART,__ENDPART,__IMAGE_JPEG,__RAWBODY_EXISTS,__8BIT_BODY,__END_HTML_MESSAGE,IMAGE_LINK3,TEENY_FONT,__SOME_HTML_TAG,__WHITE_BG1,NONSENSE_STYLE5,__FULL_BODY_EXISTS,__IMAGE_ATTACHED,__BDATE003,__PHOTOS,__BDATE245A,__DOCTYPE_URI,__1601M01,BLOCKTHESE,RETURN_PATH,IMAGE_ATTACHED,BLIND_DATE3|
8-OCT-2022 18:35:28.81: RS|370.000000|c.aknine@lutetia.paris|willem@grootersnet.nl|Myesha|(no msgid)|VMF_NO_ADDRESS,__FROM_NO_AT,__CT,__MIME_VERSION,__FROM_HERE,__TO_HERE,__DATE_HERE,__SUBJECT_HERE,__CTYPE_HAS_BOUNDARY,__MULTIPART,__PHISHING_WU3,__PHSHCOMMBANK02,__POSTCARD06,__NOT_CNN_URI,__HTTP_URI,BLIND_DATE_URI,__NOT_IRS_URI,REPUTATION_URI_NONSPAM,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_END_BODY,__TAG_EXISTS_END_HEAD,__TAG_EXISTS_END_HTML,__BASE64_HTML,__BODY_EXISTS,__BODY_CT_HTML,__ONEPART,__ENDPART,__IMAGE_JPEG,__RAWBODY_EXISTS,__8BIT_BODY,__END_HTML_MESSAGE,IMAGE_LINK3,TEENY_FONT,__SOME_HTML_TAG,__WHITE_BG1,__WHITE_TEXT01,NONSENSE_STYLE5,__FULL_BODY_EXISTS,__IMAGE_ATTACHED,__DOCTYPE_URI,__1601M01,BLOCKTHESE,BASE64_HTML,WHITE_TEXT,IMAGE_ATTACHED|

I’ll have to keep an eye on this, because it could mean that otherwise valid messages are rejected as well, but I expect that to be unlikely.
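To see how a meta rule like BLOCKTHESE behaves on RS logfile lines, and to spot legitimate messages that come close to matching it (the false-positive risk mentioned above), here is an added Python example; it is my own illustration, not PMAS code. It evaluates a PMAS-style meta expression against the rule names an RS line reports and adds the meta score. The log lines, sender addresses and scores in it are constructed, scored as they would have been before the rule existed.

```python
import re

# PMAS-style meta expression evaluator (names joined with &&, ||, ! and parentheses);
# added illustration of the BLOCKTHESE rule above, not PMAS's own code.
TOKEN = re.compile(r"&&|\|\||[()!]|[A-Za-z_]\w*")
BLOCKTHESE = "IMAGE_LINK3 && TEENY_FONT && NONSENSE_STYLE5 && __IMAGE_ATTACHED"
# Constructed RS lines in the logfile layout above, scored as before BLOCKTHESE existed.
SAMPLE_LOG = [
    "8-OCT-2022 18:23:53.60: RS|44.000000|spam@example.invalid|me@example.invalid|Tonita41||__HTTP_URI,IMAGE_LINK3,TEENY_FONT,NONSENSE_STYLE5,__IMAGE_ATTACHED,IMAGE_ATTACHED|",
    "8-OCT-2022 18:40:11.02: RS|7.000000|news@example.invalid|me@example.invalid|Weekly update||__HTTP_URI,IMAGE_LINK3,__IMAGE_ATTACHED,IMAGE_ATTACHED|",
]

def eval_meta(expr, hits):
    """True when the meta expression holds for the set of rule names that fired."""
    toks, pos = TOKEN.findall(expr), 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "!":
            return not atom()
        if tok == "(":
            val = disj()
            pos += 1                      # consume the closing ")"
            return val
        return tok in hits
    def conj():                           # a && b && c
        nonlocal pos
        val = atom()
        while pos < len(toks) and toks[pos] == "&&":
            pos += 1
            val = atom() and val          # parse the right side even when val is already False
        return val
    def disj():                           # a || b
        nonlocal pos
        val = conj()
        while pos < len(toks) and toks[pos] == "||":
            pos += 1
            val = conj() or val
        return val
    return disj()

def apply_meta(line, expr=BLOCKTHESE, extra=300.0):
    """Re-score one 'timestamp: RS|score|from|to|subject|msgid|rules|' line under the meta rule."""
    f = line.split(": ", 1)[1].split("|")   # f[1] score, f[2] sender, f[6] rule list
    hits = set(filter(None, f[6].split(",")))
    blocked = eval_meta(expr, hits)
    return {"sender": f[2], "score": float(f[1]), "blocked": blocked,
            "new_score": float(f[1]) + (extra if blocked else 0.0),
            "missing": [n for n in re.findall(r"[A-Za-z_]\w*", expr) if n not in hits]}
```

Running apply_meta over a day's RS lines and listing the entries whose "missing" list has exactly one name is a quick way to audit how close legitimate mail gets to the rule.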

A similar action will be taken on mail that is sent via hotmail.com – which I blocked entirely, for the same reason. For that, I’ll have to re-allow hotmail.com as a sender.