FAQ: Asian spam

Boris 'pi' Piwinger 3.14 at logic.univie.ac.at
Fri Mar 28 10:10:24 CET 2003


"Boris 'pi' Piwinger" <3.14 at logic.univie.ac.at> wrote:

>> ## Silently drop all completely unreadable spam
>> :0
>> * 1^0 ^\/Subject:.*=\?(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)\?
>> * 1^0 ^Content-Type:.*charset="?(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)
>> /dev/null
>
>This fails on multipart, but the fix is too risky I think.

Tony L. Svanstrom <tony at svanstrom.com> could not post to a
list. But he has some recipe that works. Here it is (remove
quotes):

>:0
>* ^Content-Type:[  ]*multipart/.*;[  ]*boundary="\/[^"]+
>        {
>        :0B
>        * $ ^--$\MATCH^Content-Type:[  ]*multipart/.*;^?[  ]*boundary=\"\/.+[^\"]
>                {  }
>        :0Bfw
>        * $ ^--$\MATCH^Content-Type:.*^?[  ]*charset[=:\"]*(CharsetA|CharsetB|CharsetEtc)
>                | formail -A "x-svanstrom.com: Blacklisted: Charset in MIME!"
>        }

pi
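
As an added illustration of the two recipes above (this is not procmail and not code from the post or from the Bogofilter project): the header-only recipe reads the charset from the outer Content-Type and from RFC 2047 encoded-words in Subject, and Tony's recipe reaches one level into the first MIME part. The Python below walks every MIME part, nested multiparts included, so the gap the post calls "too risky" to close in procmail becomes a plain loop. The charset list is the one from the recipe; the function names, the fallback regex, and the two sample messages (addresses under example.invalid) are constructed for this example.

```python
"""Multipart-aware charset check for mail, using only the standard library."""
import re
import email
from email.errors import HeaderParseError
from email.header import decode_header
from email.utils import collapse_rfc2231_value

# The charset list from the procmail recipe in the post, lower-cased for matching.
BLOCKLISTED_CHARSETS = {
    "big5", "iso-2022-jp", "iso-2022-kr", "euc-kr", "gb2312",
    "ks_c_5601-1987", "windows-1251", "windows-1256",
}

# Charset token of an RFC 2047 encoded-word (=?charset[*lang]?enc?text?=), the same
# literal pattern the Subject: condition of the recipe matches on.
ENCODED_WORD_CHARSET = re.compile(r"=\?([^?*]+)(?:\*[^?]*)?\?")


def subject_charsets(msg):
    """Charsets named in RFC 2047 encoded-words of the Subject header."""
    raw = msg.get("Subject")
    if raw is None:
        return set()
    try:
        return {cs.lower() for _, cs in decode_header(raw) if cs}
    except HeaderParseError:
        # Malformed encoded-word: fall back to the literal pattern so a broken
        # header is still classified rather than crashing the filter.
        return {m.lower() for m in ENCODED_WORD_CHARSET.findall(raw)}


def top_level_charsets(msg):
    """What a header-only recipe sees: only the outer Content-Type charset."""
    cs = msg.get_param("charset")
    return {collapse_rfc2231_value(cs).lower()} if cs else set()


def all_part_charsets(msg):
    """Charsets declared in Content-Type of the message and of every MIME part."""
    found = set()
    for part in msg.walk():          # walk() yields the message and all nested parts
        cs = part.get_param("charset")
        if cs:
            found.add(collapse_rfc2231_value(cs).lower())
    return found


def classify(raw, walk_parts=True):
    """Return (verdict, charsets): 'drop' if any declared charset is blocklisted.

    walk_parts=False reproduces the header-only recipe's view of the message."""
    msg = email.message_from_bytes(raw)
    seen = subject_charsets(msg)
    seen |= all_part_charsets(msg) if walk_parts else top_level_charsets(msg)
    return ("drop" if seen & BLOCKLISTED_CHARSETS else "keep"), sorted(seen)


# Constructed sample: the outer Content-Type has no charset at all; the
# blocklisted charset only appears on the inner HTML part.
MULTIPART_SAMPLE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

hello
--b1
Content-Type: text/html; charset="gb2312"

<html><body>hello</body></html>
--b1--
"""

# Constructed sample: the charset appears only in an encoded-word in Subject.
SUBJECT_SAMPLE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: =?big5?B?aGVsbG8=?=
Content-Type: text/plain; charset="us-ascii"

hello
"""

if __name__ == "__main__":
    for name, raw in (("multipart", MULTIPART_SAMPLE), ("subject", SUBJECT_SAMPLE)):
        print(name, "header-only:", classify(raw, walk_parts=False),
              "full walk:", classify(raw))
```

Run it to see the difference the walk makes: on the multipart sample the header-only view reports no charset and keeps the message, while the full walk finds gb2312 in the inner part and drops it. The lower-casing matters because the same charset is written both `ISO-2022-KR` and `iso-2022-kr` in the wild, which the recipe handles by listing both spellings.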


Return-Path: <>
Delivered-To: root at osagesoftware.com
Received: by osagesoftware.com (Postfix) via BOUNCE
	id 8ED9627ECE; Fri, 28 Mar 2003 04:20:29 -0500 (EST)
Date: Fri, 28 Mar 2003 04:20:29 -0500 (EST)
From: MAILER-DAEMON at osagesoftware.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: root at osagesoftware.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="6A73727ECB.1048843229/osagesoftware.com"
Message-Id: <20030328092029.8ED9627ECE at osagesoftware.com>

This is a MIME-encapsulated message.

--6A73727ECB.1048843229/osagesoftware.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host osagesoftware.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

			The Postfix program

<admin at nic.osagesoftware.com>: mail for nic.osagesoftware.com loops back to
    myself

--6A73727ECB.1048843229/osagesoftware.com
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; osagesoftware.com
Arrival-Date: Fri, 28 Mar 2003 04:20:18 -0500 (EST)

Final-Recipient: rfc822; admin at nic.osagesoftware.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; mail for nic.osagesoftware.com loops back to myself

--6A73727ECB.1048843229/osagesoftware.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from osage.osagesoftware.com (osage.osagesoftware.com [192.168.1.10])
	by osagesoftware.com (Postfix) with ESMTP id 6A73727ECB
	for <admin at nic.osagesoftware.com>; Fri, 28 Mar 2003 04:20:18 -0500 (EST)
Received: by osage.osagesoftware.com (Postfix, from userid 0)
	id 9DB9114495; Fri, 28 Mar 2003 04:20:14 -0500 (EST)
From: root at osagesoftware.com (Cron Daemon)
To: admin at nic.osagesoftware.com
Subject: Cron <root at osage> nice -n 18 run-parts /etc/cron.daily
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin>
X-Cron-Env: <MAILTO=admin at nic.osagesoftware.com>
X-Cron-Env: <MAIL_USER=admin at nic.osagesoftware.com>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20030328092014.9DB9114495 at osage.osagesoftware.com>
Date: Fri, 28 Mar 2003 04:20:14 -0500 (EST)

/etc/cron.daily/logcheck: line 3: /usr/bin/logcheck.sh: No such file or directory
/etc/cron.daily/logcheck: line 3: exec: /usr/bin/logcheck.sh: cannot execute: No such file or directory
run-parts: /etc/cron.daily/logcheck exited with return code 126
bzcat: Can't open input file ./newaliases.1.bz2: No such file or directory.
bzcat: Can't open input file ./mailq.1.bz2: No such file or directory.
bzcat: Can't open input file ./aliases.5.bz2: No such file or directory.
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/osage.osagesoftware.com-20030328-040640.twr


Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Fri Mar 28 04:06:40 2003
Database last updated on:     Never

=======================================
Report Summary:
=======================================
Host name:                    osage.osagesoftware.com
Host IP address:              192.168.1.10
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/osage.osagesoftware.com.twd
Command line used:            /usr/sbin/tripwire --check 

=======================================
Rule Summary:
=======================================
  Section: Unix File System

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Invariant Directories           66                0        0        0        
  Temporary directories           33                0        0        0        
  Tripwire Data Files             100               0        0        0        
  Critical devices                100               0        0        0        
* User binaries                   66                13       0        5        
  Tripwire Binaries               100               0        0        0        
* Libraries                       66                0        0        13       
  File System and Disk Administraton Programs
                                  100               0        0        0        
  Kernel Administration Programs  100               0        0        0        
  Networking Programs             100               0        0        0        
  System Administration Programs  100               0        0        0        
  Hardware and Device Control Programs
                                  100               0        0        0        
  System Information Programs     100               0        0        0        
  Application Information Programs
                                  100               0        0        0        
  Shell Related Programs          100               0        0        0        
  Critical Utility Sym-Links      100               0        0        0        
  Critical system boot files      100               0        0        0        
* Critical configuration files    100               17       14       31       
* System boot changes             100               2        7        23       
  OS executables and libraries    100               0        0        0        
* Security Control                100               1        0        5        
  Login Scripts                   100               0        0        0        
  Operating System Utilities      100               0        0        0        
  Shell Binaries                  100               0        0        0        
* Root config files               100               4        1        4        

Total objects scanned:  12946
Total violations found:  140

=======================================
Object Summary:
=======================================
# Section: Unix File System

Rule Name: Libraries (/usr/lib)
Severity Level: 66

Modified:
"/usr/lib"
"/usr/lib/libefence.so.0"
"/usr/lib/libefence.so.0.0"

Rule Name: User binaries (/usr/bin)
Severity Level: 66

Added:
"/usr/bin/db_dump"
"/usr/bin/db_printlog"
"/usr/bin/db_load"
"/usr/bin/berkeley_db_svc"
"/usr/bin/db_archive"
"/usr/bin/db_checkpoint"
"/usr/bin/db_deadlock"
"/usr/bin/db_dump185"
"/usr/bin/db_recover"
"/usr/bin/db_stat"
"/usr/bin/db_upgrade"
"/usr/bin/db_verify"

Modified:
"/usr/bin"

Rule Name: Libraries (/usr/local/lib)
Severity Level: 66

Modified:
"/usr/local/lib/valgrind"
"/usr/local/lib/valgrind/default.supp"
"/usr/local/lib/valgrind/glibc-2.1.supp"
"/usr/local/lib/valgrind/glibc-2.2.supp"
"/usr/local/lib/valgrind/libpthread.so"
"/usr/local/lib/valgrind/libpthread.so.0"
"/usr/local/lib/valgrind/valgrind.so"
"/usr/local/lib/valgrind/valgrinq.so"
"/usr/local/lib/valgrind/xfree-3.supp"
"/usr/local/lib/valgrind/xfree-4.supp"

Rule Name: User binaries (/usr/local/bin)
Severity Level: 66

Added:
"/usr/local/bin/jwhois"

Modified:
"/usr/local/bin"
"/usr/local/bin/cachegrind"
"/usr/local/bin/valgrind"
"/usr/local/bin/vg_annotate"

Rule Name: System boot changes (/var/log)
Severity Level: 100

Added:
"/var/log/security/rpm-va.today.tmp"

Removed:
"/var/log/security/chkrootkit.today"
"/var/log/security/rpm-va-config.today"
"/var/log/security/rpm-va.today"
"/var/log/httpd/ssl_scache.sem"
"/var/log/#dmesg#"
"/var/log/.#dmesg"

Modified:
"/var/log/security/chkrootkit.yesterday"
"/var/log/security/open_port.today"
"/var/log/security/open_port.yesterday"
"/var/log/security/rpm-qa.today"
"/var/log/security/rpm-qa.yesterday"
"/var/log/security/rpm-va-config.yesterday"
"/var/log/security/rpm-va.yesterday"
"/var/log/security/sgid.today"
"/var/log/security/sgid.yesterday"
"/var/log/security/suid_md5.today"
"/var/log/security/suid_md5.yesterday"
"/var/log/security/suid_root.today"
"/var/log/security/suid_root.yesterday"
"/var/log/security/unowned_group.today"
"/var/log/security/unowned_group.yesterday"
"/var/log/security/unowned_user.today"
"/var/log/security/unowned_user.yesterday"
"/var/log/security/writable.today"
"/var/log/security/writable.yesterday"

Rule Name: System boot changes (/var/lock/subsys)
Severity Level: 100

Removed:
"/var/lock/subsys/ntpd"

Modified:
"/var/lock/subsys/httpd"
"/var/lock/subsys/postfix"

Rule Name: System boot changes (/var/run)
Severity Level: 100

Added:
"/var/run/msec-security.pid"

Modified:
"/var/run/httpd-perl.pid"
"/var/run/httpd.pid"

Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100

Added:
"/etc/sysconfig/network-scripts/CVS"
"/etc/sysconfig/network-scripts/CVS/Root"
"/etc/sysconfig/network-scripts/CVS/Repository"
"/etc/sysconfig/network-scripts/CVS/Entries"
"/etc/sysconfig/CVS"
"/etc/sysconfig/CVS/Root"
"/etc/sysconfig/CVS/Repository"
"/etc/sysconfig/CVS/Entries"

Removed:
"/etc/sysconfig/network-scripts/drakconnect_conf.default"

Modified:
"/etc/sysconfig"
"/etc/sysconfig/network"
"/etc/sysconfig/network-scripts"
"/etc/sysconfig/network-scripts/drakconnect_conf"
"/etc/sysconfig/network-scripts/net_resolv.default"

Rule Name: Security Control (/etc/security)
Severity Level: 100

Added:
"/etc/security/msec/level.local~"

Modified:
"/etc/security/msec"
"/etc/security/msec/CVS"
"/etc/security/msec/CVS/Entries"
"/etc/security/msec/level.local"
"/etc/security/msec/security.conf"

Rule Name: Critical configuration files (/etc/crontab)
Severity Level: 100

Modified:
"/etc/crontab"

Rule Name: Critical configuration files (/etc/httpd/conf)
Severity Level: 100

Added:
"/etc/httpd/conf/ssl/server.crt.dummy"
"/etc/httpd/conf/ssl/server.key.dummy"
"/etc/httpd/conf/httpd-perl.conf.0509.1248"
"/etc/httpd/conf/httpd-perl.conf~"
"/etc/httpd/conf/nic.httpd.conf"
"/etc/httpd/conf/commonhttpd.conf~"

Removed:
"/etc/httpd/conf/bak"
"/etc/httpd/conf/bak/httpd-perl.conf-20030320-12.00.31"
"/etc/httpd/conf/bak/httpd-perl.conf-20030320-12.00.33"
"/etc/httpd/conf/bak/httpd-perl.conf-20030320-18.14.13"
"/etc/httpd/conf/bak/httpd.conf-20030320-12.00.31"
"/etc/httpd/conf/bak/httpd.conf-20030320-12.00.33"
"/etc/httpd/conf/bak/httpd.conf-20030320-18.14.13"
"/etc/httpd/conf/bak/mod_ssl.conf-20030320-18.14.13"
"/etc/httpd/conf/bak/ssl.default-vhost.conf-20030320-18.14.13"
"/etc/httpd/conf/mailman.conf"

Modified:
"/etc/httpd/conf"
"/etc/httpd/conf/addon-modules"
"/etc/httpd/conf/addon-modules/php.conf"
"/etc/httpd/conf/addon-modules/proxied_handlers.pl"
"/etc/httpd/conf/apache-mime.types"
"/etc/httpd/conf/commonhttpd.conf"
"/etc/httpd/conf/httpd-perl.conf"
"/etc/httpd/conf/httpd.conf"
"/etc/httpd/conf/magic"
"/etc/httpd/conf/magic.default"
"/etc/httpd/conf/ssl"
"/etc/httpd/conf/ssl/mod_ssl.conf"
"/etc/httpd/conf/ssl/ssl.default-vhost.conf"
"/etc/httpd/conf/vhosts"
"/etc/httpd/conf/vhosts/DynamicVhosts.conf"
"/etc/httpd/conf/vhosts/Vhosts.conf"
"/etc/httpd/conf/vhosts/VirtualHomePages.conf"

Rule Name: Critical configuration files (/etc/rc.d)
Severity Level: 100

Added:
"/etc/rc.d/rc3.d/K10ntpd"
"/etc/rc.d/rc4.d/K10ntpd"
"/etc/rc.d/rc5.d/K10ntpd"

Removed:
"/etc/rc.d/rc3.d/S55ntpd"
"/etc/rc.d/rc4.d/S55ntpd"
"/etc/rc.d/rc5.d/S55ntpd"

Modified:
"/etc/rc.d/CVS"
"/etc/rc.d/CVS/Entries"
"/etc/rc.d/rc.modules"
"/etc/rc.d/rc3.d"
"/etc/rc.d/rc4.d"
"/etc/rc.d/rc5.d"

Rule Name: Critical configuration files (/etc/modules.conf)
Severity Level: 100

Modified:
"/etc/modules.conf"

Rule Name: Critical configuration files (/etc/hosts)
Severity Level: 100

Modified:
"/etc/hosts"

Rule Name: Root config files (/root)
Severity Level: 100

Added:
"/root/bin/mfd"
"/root/bin/ufd"
"/root/bin/mfd~"
"/root/.emacs-places~"

Removed:
"/root/.xauthk0xkxc"

Modified:
"/root"
"/root/.emacs-places"
"/root/bin"

Rule Name: Root config files (/root/.gnome)
Severity Level: 100

Modified:
"/root/.gnome/gtkdiff"

=======================================
Error Report:
=======================================
No Errors

*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
run-parts: /etc/cron.daily/tripwire-check exited with return code 7

--6A73727ECB.1048843229/osagesoftware.com--
