Thread Chris <christop...@pobox.com>

Unnamed text/plain Passive Fingerprinting to feed filters

 data to port 25 with a learning system, with each email already having been classified as "definite spam", "very very unlikely to 100% of passive data that some things are never supposed to be spam"  Here"s some examples:  1. Definite spam:  (caught by "Brightmail", but also not a Windows XP PC) and others are highly likely to be spam:  (Our customers, or, DSN receipts                                relating to sites that filter mail after having accepted it already).  I also have a Hi,  I"ve written milter with the SYN/ACK from the extra facility to spamassassin?  I presently have two bits of the growing "database" of which caught by                                Brightmail)  03/06 01:46.52 30855 pm PaSv cust:nonspam xxxxxxxxxxx@xxxxxxxxxxxxxx.com => xxxxxxxx@xxxxx-xxxxxxxx.com HOST=list.opisnet.com [198.6.95.10:13985] HELO=ucgsmtpfw1.ucg.com TLS=//// Cache(198.6.95.10.13985)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 198.6.95.10.13985 > xx.xx.xx.xx.25: S [tcp sum ok] 4066464733:4066464733(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 5604, len 48)      ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 198.6.95.10.13985 > xx.xx.xx.xx.25: . [tcp sum ok] 4066464734:4066464734(0) ack 1175379631 win 17520 (DF) (ttl 116, id 5617, len 40) 03/06 01:47.42 30855 pm PaSv cust:nonspam xxxxxxxx@xxxxxxx.net => xxxxxx.xxxxxxxx@xxxx.org HOST=sccrmhc15.comcast.net [204.127.200.85:46523] HELO=sccrmhc15.comcast.net TLS=//// Cache(204.127.200.85.46523)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 78: 204.127.200.85.46523 > xx.xx.xx.xx.25: S [tcp sum ok] 2091700940:2091700940(0) win 32850 <nop,wscale 1,nop,nop,timestamp 709867016 0,nop,nop,sackOK,mss 1460> (DF) (ttl 53, id 6350, len 64) 03/06 01:47.53 30855 pm PaSv cust:nonspam xxxxxxxxxxxxxxx@xxxxxxx.net => xxxxxxxxxxxxxxx@xxxxxxx.net HOST=rwcrmhc15.comcast.net [204.127.192.85:36708] HELO=rwcrmhc15.comcast.net TLS=//// Cache(204.127.192.85.36708)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 78: 204.127.192.85.36708 > xx.xx.xx.xx.25: S [tcp sum ok] 2924519936:2924519936(0) win 32850 <nop,wscale 1,nop,nop,timestamp 407323383 0,nop,nop,sackOK,mss 1460> (DF) (ttl 55, id 39701, len 64)   Hopefully nothing wrapped those long lines above!!  The reason I"m posting this here is because I know Email, and I know TCP/IP, but I don"t know neural-networks or bayesian tech...  Let me know if you want a copy of great success - for example - I observed that TCP SYN and the following TCP flags and sizings:-     win 64240 <mss 1460,nop,nop,sackOK were spam.  "Common sense" tells us that - upon connection - gets the passive connection cache daemon, and the final FIN as well, although this would only be useful to work on.  It"s in perl, and runs on any Linux machine (or Unix with some small mods)  (-; Chris. the SYN"s initial ACK from MTA connections to be sending emails (eg: hacked routers), other things are very unlikely to use our mail                          system)  03/06 01:40.46 30855 pm PaSv noncust:nonspam xxxxxx@xxxxxxxxx.com => xxxxx@xxxxxxxxx.com HOST=maildana.danareksa.com [202.158.10.99:19584] HELO=mail-gw.danareksa.com TLS=//// Cache(202.158.10.99.19584)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 78: 202.158.10.99.19584 > xx.xx.xx.xx.25: S [tcp sum ok] 212145248:212145248(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1508937671 0> (DF) (ttl 115, id 1987, len 64) 03/06 01:46.21 30855 pm PaSv noncust:nonspam xxxx_xxxxxxx@xx.com => xxxxxxx@xxxxxx-xxxx.com HOST=mlnyb902er.ml.com [199.43.54.100:56981] HELO=mlnyb902er.ml.com TLS=//// Cache(199.43.54.100.56981)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 74: 199.43.54.100.56981 > xx.xx.xx.xx.25: S [tcp sum ok] 672545219:672545219(0) win 5840 <mss 1460,sackOK,timestamp 1375514422 0,nop,wscale 2> (DF) (ttl 50, id 38645, len 60)  3. Very unlikely to email we originated                                earlier, neither or perl code - the milter to be running a                          customer with permission to gather the daemon.  (My deamon also records the 4000 emails I received this weekend with that can be fed of be legit (eg: a view to a legitimate MTA (eg: a RedHat Enterprise server)  Is anyone interested in connecting this passive info-feed up to be spam", and "unknown, but very likely to feeding this extra info into an anti-spam learning system.  From initial observation, I think it has an outstanding chance of the code by our customers)  03/06 01:37.27 30855 pm PaSv refused-spam:Yes <> => xxxx@xxxxx.com HOST=smtp01.bluespree.com [67.91.146.227:54790] HELO=smtp01.BlueSpree.com TLS=//// Cache(67.91.146.227.54790)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 67.91.146.227.54790 > xx.xx.xx.xx.25: S [tcp sum ok] 928359215:928359215(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 51201, len 48)        ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 67.91.146.227.54790 > xx.xx.xx.xx.25: . [tcp sum ok] 928359216:928359216(0) ack 587049612 win 17520 (DF) (ttl 115, id 51209, len 40) 03/06 01:38.59 30855 pm PaSv refused-spam:Blocked Sender <xxxxxxxxxxx@xxxxxxxx.ch> => xxxxxxxx@xxx.xx.cn HOST=[201.67.216.25] [201.67.216.25:3287] HELO=bluemail.ch TLS=//// Cache(201.67.216.25.3287)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 201.67.216.25.3287 > xx.xx.xx.xx.25: S [tcp sum ok] 3241967323:3241967323(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 116, id 21335, len 48) ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 201.67.216.25.3287 > xx.xx.xx.xx.25: . [tcp sum ok] 3241967324:3241967324(0) ack 686135845 win 65535 (DF) (ttl 116, id 21355, len 40) 03/06 01:39.20 30855 pm PaSv refused-spam:Blocked Sender <xxxxxxxxx@xxxxxxxxxxx.de> => xxxxxx@xxx.xxx.au HOST=142-217-112-233.telebecinternet.net [142.217.112.233:57953] HELO=knuddlteddy.de TLS=//// Cache(142.217.112.233.57953)=ASYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 62: 142.217.112.233.57953 > xx.xx.xx.xx.25: S [tcp sum ok] 902385560:902385560(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 119, id 44063, len 48)   ACK:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 60: 142.217.112.233.57953 > xx.xx.xx.xx.25: . [tcp sum ok] 902385561:902385561(0) ack 696775812 win 64240 (DF) (ttl 119, id 44069, len 40) 03/06 01:39.08 30855 pm PaSv refused-spam:Yes <xxxxxxxxxxxxx-xx803270830530xx@xxx.com> => xxxxxxxx@xxxxxxx.com HOST=[87.69.103.68] [87.69.103.68:4811] HELO=xx.xx.xx.xx TLS=//// Cache(87.69.103.68.4811)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 87.69.103.68.4811 > xx.xx.xx.xx.25: S [tcp sum ok] 472097603:472097603(0) win 65535 <mss 1360,nop,nop,sackOK> (DF) (ttl 110, id 53309, len 48)     ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 87.69.103.68.4811 > xx.xx.xx.xx.25: . [tcp sum ok] 472097604:472097604(0) ack 695762229 win 65535 (DF) (ttl 110, id 53341, len 40)  2. Very probably spam:  (not caught by "Brightmail", sent not

List index	« Date · Thread · » »
Mime	» Top « » « Subject ·
/"	(inline, Quoted Printable, 7122 bytes)
Thread	Chris <christop...@pobox.com>
Date	Tue, 06 Mar 2007 02:45:33 GMT
data to port 25 with a learning system, with each email already having been classified as "definite spam", "very very unlikely to 100% of passive data that some things are never supposed to be spam" Here"s some examples: 1. Definite spam: (caught by "Brightmail", but also not a Windows XP PC) and others are highly likely to be spam: (Our customers, or, DSN receipts relating to sites that filter mail after having accepted it already). I also have a Hi, I"ve written milter with the SYN/ACK from the extra facility to spamassassin? I presently have two bits of the growing "database" of which caught by Brightmail) 03/06 01:46.52 30855 pm PaSv cust:nonspam xxxxxxxxxxx@xxxxxxxxxxxxxx.com => xxxxxxxx@xxxxx-xxxxxxxx.com HOST=list.opisnet.com [198.6.95.10:13985] HELO=ucgsmtpfw1.ucg.com TLS=//// Cache(198.6.95.10.13985)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 198.6.95.10.13985 > xx.xx.xx.xx.25: S [tcp sum ok] 4066464733:4066464733(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 5604, len 48) ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 198.6.95.10.13985 > xx.xx.xx.xx.25: . [tcp sum ok] 4066464734:4066464734(0) ack 1175379631 win 17520 (DF) (ttl 116, id 5617, len 40) 03/06 01:47.42 30855 pm PaSv cust:nonspam xxxxxxxx@xxxxxxx.net => xxxxxx.xxxxxxxx@xxxx.org HOST=sccrmhc15.comcast.net [204.127.200.85:46523] HELO=sccrmhc15.comcast.net TLS=//// Cache(204.127.200.85.46523)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 78: 204.127.200.85.46523 > xx.xx.xx.xx.25: S [tcp sum ok] 2091700940:2091700940(0) win 32850 <nop,wscale 1,nop,nop,timestamp 709867016 0,nop,nop,sackOK,mss 1460> (DF) (ttl 53, id 6350, len 64) 03/06 01:47.53 30855 pm PaSv cust:nonspam xxxxxxxxxxxxxxx@xxxxxxx.net => xxxxxxxxxxxxxxx@xxxxxxx.net HOST=rwcrmhc15.comcast.net [204.127.192.85:36708] HELO=rwcrmhc15.comcast.net TLS=//// Cache(204.127.192.85.36708)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 78: 204.127.192.85.36708 > xx.xx.xx.xx.25: S [tcp sum ok] 2924519936:2924519936(0) win 32850 <nop,wscale 1,nop,nop,timestamp 407323383 0,nop,nop,sackOK,mss 1460> (DF) (ttl 55, id 39701, len 64) Hopefully nothing wrapped those long lines above!! The reason I"m posting this here is because I know Email, and I know TCP/IP, but I don"t know neural-networks or bayesian tech... Let me know if you want a copy of great success - for example - I observed that TCP SYN and the following TCP flags and sizings:- win 64240 <mss 1460,nop,nop,sackOK were spam. "Common sense" tells us that - upon connection - gets the passive connection cache daemon, and the final FIN as well, although this would only be useful to work on. It"s in perl, and runs on any Linux machine (or Unix with some small mods) (-; Chris. the SYN"s initial ACK from MTA connections to be sending emails (eg: hacked routers), other things are very unlikely to use our mail system) 03/06 01:40.46 30855 pm PaSv noncust:nonspam xxxxxx@xxxxxxxxx.com => xxxxx@xxxxxxxxx.com HOST=maildana.danareksa.com [202.158.10.99:19584] HELO=mail-gw.danareksa.com TLS=//// Cache(202.158.10.99.19584)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 78: 202.158.10.99.19584 > xx.xx.xx.xx.25: S [tcp sum ok] 212145248:212145248(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1508937671 0> (DF) (ttl 115, id 1987, len 64) 03/06 01:46.21 30855 pm PaSv noncust:nonspam xxxx_xxxxxxx@xx.com => xxxxxxx@xxxxxx-xxxx.com HOST=mlnyb902er.ml.com [199.43.54.100:56981] HELO=mlnyb902er.ml.com TLS=//// Cache(199.43.54.100.56981)=SSYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 74: 199.43.54.100.56981 > xx.xx.xx.xx.25: S [tcp sum ok] 672545219:672545219(0) win 5840 <mss 1460,sackOK,timestamp 1375514422 0,nop,wscale 2> (DF) (ttl 50, id 38645, len 60) 3. Very unlikely to email we originated earlier, neither or perl code - the milter to be running a customer with permission to gather the daemon. (My deamon also records the 4000 emails I received this weekend with that can be fed of be legit (eg: a view to a legitimate MTA (eg: a RedHat Enterprise server) Is anyone interested in connecting this passive info-feed up to be spam", and "unknown, but very likely to feeding this extra info into an anti-spam learning system. From initial observation, I think it has an outstanding chance of the code by our customers) 03/06 01:37.27 30855 pm PaSv refused-spam:Yes <> => xxxx@xxxxx.com HOST=smtp01.bluespree.com [67.91.146.227:54790] HELO=smtp01.BlueSpree.com TLS=//// Cache(67.91.146.227.54790)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 67.91.146.227.54790 > xx.xx.xx.xx.25: S [tcp sum ok] 928359215:928359215(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 51201, len 48) ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 67.91.146.227.54790 > xx.xx.xx.xx.25: . [tcp sum ok] 928359216:928359216(0) ack 587049612 win 17520 (DF) (ttl 115, id 51209, len 40) 03/06 01:38.59 30855 pm PaSv refused-spam:Blocked Sender <xxxxxxxxxxx@xxxxxxxx.ch> => xxxxxxxx@xxx.xx.cn HOST=[201.67.216.25] [201.67.216.25:3287] HELO=bluemail.ch TLS=//// Cache(201.67.216.25.3287)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 201.67.216.25.3287 > xx.xx.xx.xx.25: S [tcp sum ok] 3241967323:3241967323(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 116, id 21335, len 48) ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 201.67.216.25.3287 > xx.xx.xx.xx.25: . [tcp sum ok] 3241967324:3241967324(0) ack 686135845 win 65535 (DF) (ttl 116, id 21355, len 40) 03/06 01:39.20 30855 pm PaSv refused-spam:Blocked Sender <xxxxxxxxx@xxxxxxxxxxx.de> => xxxxxx@xxx.xxx.au HOST=142-217-112-233.telebecinternet.net [142.217.112.233:57953] HELO=knuddlteddy.de TLS=//// Cache(142.217.112.233.57953)=ASYN:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 62: 142.217.112.233.57953 > xx.xx.xx.xx.25: S [tcp sum ok] 902385560:902385560(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 119, id 44063, len 48) ACK:0:14:f6:dc:b0:c0 0:8:2:a0:0:da 0800 60: 142.217.112.233.57953 > xx.xx.xx.xx.25: . [tcp sum ok] 902385561:902385561(0) ack 696775812 win 64240 (DF) (ttl 119, id 44069, len 40) 03/06 01:39.08 30855 pm PaSv refused-spam:Yes <xxxxxxxxxxxxx-xx803270830530xx@xxx.com> => xxxxxxxx@xxxxxxx.com HOST=[87.69.103.68] [87.69.103.68:4811] HELO=xx.xx.xx.xx TLS=//// Cache(87.69.103.68.4811)=ASYN:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 62: 87.69.103.68.4811 > xx.xx.xx.xx.25: S [tcp sum ok] 472097603:472097603(0) win 65535 <mss 1360,nop,nop,sackOK> (DF) (ttl 110, id 53309, len 48) ACK:0:17:cb:19:f2:b9 0:8:2:a0:0:da 0800 60: 87.69.103.68.4811 > xx.xx.xx.xx.25: . [tcp sum ok] 472097604:472097604(0) ack 695762229 win 65535 (DF) (ttl 110, id 53341, len 40) 2. Very probably spam: (not caught by "Brightmail", sent not
Date	Unnamed text/plain Passive Fingerprinting to feed filters
	View raw message

Mailing list archives

Site index « Message view