The ROI of Info Sec is the absence of chaos, or in other words Boring is Beautiful

So I have requested Hostgator to rm -rf my VPS for a web application I created called https://mycloudwallet.com after about a year of building and trying to get it to catch on.  Basically I was attempting to be a middle man between consumers and vendors, adding value to both around transaction security and accuracy.  By having users fill out one or more forms on my site with various types of information about them and then picking a text string (called WalletID) that they could give out to vendor’s who I would verify out of band.  This would allow the vendors to check against my site as needed for the updated info behind the WalletID.  So it’s an extra layer of sanity check before shipping a package to an address, sending a targeted email, or perhaps a pwd change request.  All checks could be verified externally (at my site) to whatever the vendor’s transaction technique was (at their website), in case it was being abused.

Anyway, I enjoyed creating the site and .html form front-ended .php script to pull the user’s info from MYSQL which amounted to a poor mans API for the vendors. Even though I think it’s a good idea that will come to be in someway or another, I learned that I’m apparently not entrepreneur material. I lost much motivation after the technical stuff was minimized and I couldn’t get any real interest from ycombinator, users or vendors.  Not to mention I also found very little incentive to eventually become an accountant, employer, tax expert, and other such work that comes with starting a company.  And the biggest reason of all is that I actually enjoy my day job, as opposed to longing to be my own boss apparently I’m better off running the rat race.  Live and Learn.

The site is still active as I type this watching Broncos and Patriots January 14th 2011 but should be down soon. Here’s a screen shot of the homepage for a little taste for the curious.

HTML Source of UserFAQ

HTML Source of VendorFAQ

The concern over targeted emails from sophisticated attackers is only increasing after the Aurora attacks, not to mention the latest Google vs. China row, and RSA’s compromise. One technique the attacker’s use to make their targeted email more legitimate is to fake or spoof the email’s from address using the recipient’s own domain, so it is more likely to be opened. The constant message from security about the dangers of email can make opening a spoofed message cause much alarm for the average user, which of course is usually only evident after the message has been opened. Which is quickly followed by the usual questions, why am I getting this email Joe said he didn’t send it? It says I sent it! It’s not in my sent items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol and many companies currently rely on that “feature” to deliver mail legitimately, think surveys, send this link to a friend, web page forms, mailing lists etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet; because it’s not all bad. It’s also made more difficult in how SMTP works, where the MAIL FROM (aka. Smtp from, RFC2821, envelope from) is often is what is evaluated at the mail gateway/server level, but the user will just see the FROM (aka. RFC2822, message from).

What would help is a way for the average user to see the difference between an externally sent email from your internal domain(s) and an internally sent email from your internal domain(s) BEFORE opening it. I’ve thought of a way to do this with Outlook Client rules and would like to share that here. So if your organization, especially small businesses and SOHOs are struggling with this, give it a shot and let me know how it goes. (The screenshot’s below are from Outlook 2007)

The rule will essentially look for messages with your internal domain(s) in the message from, then look for a special line that your SMTP gateways put in the Received Headers, then if found the rule performs some action. Because if your internet facing mail servers relayed the message it had to come from outside your organization, and hence somebody musta spoofed ya’. I will explain below.

A barebones rule, just to get the idea, will look like this… (just replace @example.com with your own work’s email domain)

Here’s what it does if not obvious…

1. Search for @example.com in the sender’s FROM address (not MAIL FROM:)
2. And then look for Received: from mail1.example.com in the message headers
   (you can add other servers separated by an OR, yes the colon and spacing are important!)
3. Assign the message to the “Spoofed” category.  (I made this up, you could also delete, or move the message to a separate folder, marking the subject unfortunately does not appear to be an option with client rules)

If you don’t know what “mailserver1.example.com” is at your workplace, the best thing is to ask your IT mail admin, if that’s you and you are still clueless (we’ve all been there) you can USUALLY get that information from the DNS MX records your company publishes on the internet.   The site http://mxtoolbox.com will allow you resolve those records.  Just enter your email domain where I have scottfromsecurity.com in screenshot below.  The info under the column “hostname” will be what you want to put in your rule, there will most likely be more than one.

If you want to categorize the suspiciously spoofed message like I did (because deleting or moving it can cause its own problems with lost mail and helpdesk calls) you’ll just need to create an Outlook Category, and choose a color (Red for example).  In Outlook main window click Actions…Categorize…All Categories…New…Add text that you want the user to see when they open the email.

This will allow the message to be categorized and will show a colored bar when opened.  To make it obvious to the user BEFORE the message is opened you’ll have to have them modify their current view.  The view will then color messages that are categorized with your new “Spoofed” category.  In Main Outlook and with your Inbox selected window go to View…Current View…Customize Current View…then click Automatic Formatting… Add,  name the auto formatting rule and set font to desired color, by clicking Font button, as shown.  Then click Condition button…More Choices Tab..Categories…and check off the “Spoofed. Please be CAUTIOUS of Web LINKS contained in this email.” category.

Death by Screenshot continues with some pics on the end result of the above configuration.

And here is the opened message showing the red bar with your category message at the top, in case the user does open it. Hopefully discouraging them from clicking any links the email may contain before checking with IT.

For the IT professionals here’s more along the lines of what the a fully functional rule would look like with more than one internet facing MTA, gives it low importance, and has some notable email address exceptions (ie. the good spoofing).

Caveats:

1. This probably won’t work if your external mail relays are also your internal mail relays, ie you don’t have MS Exchange or something to handle internally sent mail separately.  All mail will be shown as spoofed, unless you use separate interfaces and DNS names.
2. Far as I know GPO’s can not be used to push out Outlook client rules/configuration; you could potentially export the rule to a .rwz file and have users import it themselves. Tools…Rules and Alerts…Options(upper right)…Export or Import Rules button…navigate to .rwz file.   So deploying the config probably won’t be possible to do automatically, screen shots and a company wide email will most likely be required for the .rwz file import, category and view creation as well.
3. Also this is a Client only rule. As Outlook warns about when you go to save it.   That simply means if your Outlook client isn’t running the rule won’t take effect.  So on Monday you will need to launch Outlook and let it process your new email to see if it matches the rule.
4. It will be a window’s user profile specific setup, so might be something to add to the workstation build process or when desktop support delivers the box to the new user, after they log in for the first time.

I’m still in the planning stages of rolling this out at my current contracting position, so as I learn the positive and negatives around this approach I’ll be sure to update this post.

I was also toying with the idea, of using different actions such as “run a script” and “custom action” but they would further complicate what’s now is pretty simple. Also my current security monitoring analyst job does not get heavily into administration so can I  leave that up to the Exchange admins out there?  If anyone thinks up a better way to do this or anything cool (like marking the subject, so the category and view setup wouldn’t be needed) using a VB script or custom action with a .dll, feel free to leave a comment and share it with the 5 other people who read this blog.

___________________________________________________________________________
PS:  Lastly if all of the above is not appealing another blogger had a simpler approach involving tagging everyone’s email signature with some consistent text string and then writing a rule to filter on that.  This technique would identify the good (whitelist), where as mine identifies the bad(blacklist), why not try both and see which one works best for you? It also just occurred to me, with his approach, you might even want to make that text string white so it’s not overly obvious when the recipient sees it.  Read about it here… http://www.countryipblocks.net/training/the-cheap-way-to-keep-spoofed-email-out-of-your-inbox/

Good luck in your SPAM fight.

So I saw an interesting link on the interwebs, it is a packet analysis challenge with promise of invitations to  summer 2011 USCC Cyber Camps training in various locations (Delaware for East Coast folks, I believe) for the winners.  I registered and hope to complete the challenge this weekend; you have 24 hrs once you get the .pcap file to answer 30 questions about evidence of intrusion in the traffic.  You can read more about it here. https://quiz-uscc.cyberquests.org and http://www.uscyberchallenge.org The contest is over May 1^st 2011.

UPDATE:  I did well enough to be invited to the Virginia camps in early August, with full tutition, room, and board paid.  An awesome opportunity that I’m looking forward to.

The SANS Incident handling steps are

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

I’m going to talk about Preparation and Identification today. See I enjoy the challenge of having a network and resources to protect.   Its funny to see how that translates into my non-work life, for example I always like RTS type games and often take a defensive posture by default.  Called turtling in the gaming world it’s more than likely to get you a loss because most games I played seem to favor the noob friendly kamikaze aggressive style, or rushing. However, that just makes me enjoy defense even more, who wants to take the uneducated inexperienced easy way out?  In the real world all out no fear, attack is not a legitimate info sec strategy for obvious reasons.

First it’s well documented how the “bad guys” have changed over the last 2 decades from notoriety seeking weekend hackers, to “hey I can make money at this” full time hackers, to organized criminal gangs.  What I don’t hear enough about is the current migration from gangs to an underground criminal marketplace, and that is just plain frightening.  Organized crime is dangerous and hard to stamp out but it’s a threat that can be met with equal good guy organization and cooperation.  Like when it took Elliot Ness and the federal government to stamp out the mobs and corruption of the 30’s.   Complicated Bad can be fought with complicated Good, hard but doable.  But how do you fight a decentralized economy of goods/service providers with a specialized skillset, profiting off loose, dynamic, and temporary connections to others?  That is really hard to do. Now throw in more recent fully state sponsored agencies targeting small subsets of the internet (Advanced Persistent Threat [APT] attacks on Google) and you’ll see why Information Security is so much in the news these days.

So here are some of my humble thoughts on how to counter act the new threats.

Preparation:

• Organization
  • Like having to streamline and color code you’re A/V cable connections, organization is a critical first step. To further the analogy just as your Stereo, TV, DVD, PS3 wires will still work in a rat’s nest, but troubleshooting/maintenance is a headache, and interference is more pronounced. Your network nodes need VLANS and subnets to be given out and arranged in such a way that traffic can be categorized for same reasons as stereo wires.  This does not actually provide security (i.e. reduce risk) but this preparation greatly enhances your ability in the identification and containment phases.

• Network Segmentation
  • Once your LAN is organized (NOT an easy thing to retrofit, everything just works on VLAN 1 right? you need to introduce the security (i.e. break things) by creating ACLs that actually limit traffic between groups that need to talk to each other.  This is where you get intimate knowledge of the network.  The thing that makes modern malware possible is the communication between it and its target, if every computer was an air gapped silo, you’d need sneaker net to infect them, then it comes down to Physical security which I consider out of scope of this discussion. So in my mind the Achilles heel of today’s threats is in their communication. After all w/o physical access, hacking can really be boiled down to this;
    • Black hat sends code to get data
    • Data is sent back to him

    That “sending” of code/data is were we have to strike for identification. With the current state of enterprise LANs you just can’t stop infections/targeted attacks 100% of the time.  While relatively old school blacklisting/reputation signature based techniques are needed (AV, IPS, URL and SPAM filters, DNSBL etc) I believe the future is in whitelisting inbound/outbound/internal traffic, in other words default deny.  The biggest advantage defenders have is that you can say almost w/o a doubt that the malicious code will come in and/or go out through your front door (inet connection). In other words you already know where the majority of attacks will come from, before you even start defending!

Indentification:

• Network Visibility

Once you’ve limited your attack surface with whitelisting filtering/segmentation, you need to monitor what traffic you do allow, but you can’t secure what you can’t see.  Which is why Network intelligence, next generation firewalls, log consolidation and correlation are all buzz words these days, they allow you to see so you can secure.  Principal of least priviledge FW controls are like boxing in the dark.  You can only protect (block) so much, and hope the hits don’t hurt.  See bad guys have to use your LAN to transfer the data; sending code in and then sending ill gotten data back to themselves. Yes they have encryption, custom protocols, obfuscation, seemingly infinite bot provided IPs\URLs so they can be very good at camouflaging their traffic. This is why network visibility must include a record of your past, present, and future traffic.

Because, the one thing they can’t control is what happened BEFORE they got on your network.  So if you can log, are able to data mine, and then alert on what is out of the historic norm along with common attack vectors/unexpected traffic patterns you bypass the bad guy’s above disguising techniques and at the same time the things that make the usual signature based detection so hard.  You are looking at the behavior of traffic not diving into the data is contains.  This is also where organization comes in, if I want to be alerted when any desktop client talks to a SQL server, or directly to a Server’s iLo port (everyone’s using the jumpbox right?), internet server on port 25 (Spambot), 31337(backdoor), or why is the DMZ web server suddenly getting inbound traffic to port 21 (Warez) how can I set that if all IPs are in the same or random subnets?  Individual alerts for every source and destination IP?  Ouch, that doesn’t scale well.  You need something like

• Desktop subnet:any to Server subnet:<choosen iLo port> alert
• Desktop subnet:any to !Rfc1918 subnet:25,31337  alert
• Desktop subnet:any to SQL DB servers subnet:1433,1434 alert
• DMZ Server subnet:any to any:21 alert

In summary, the steps above will take a strong stomach from upper management, committed and knowledgeable info sec professionals, and a change to the default enterprise network access model of filtered inbound, but wide open outbound, and internal traffic. Clearly this level of security is not for all companies, as it will break things and cause many complaints from userland trying to goto non-work related destinations.  But I honestly believe such defensive models will become what is required to keep the critical data safe as the internet becomes ever more embedded in human society it will increasingly be used as a vector to get the data needed by the bad guys. The sophistication of attacks will only going to get worse from here…

On December 29th 2009  I noticed a story come across the wires about the singer Van Morrison and Gigi Lee having a baby. This was picked up by the Associated Press and many legitimate news outlets.  Turns out it was a carefully orchestrated plan to drive traffic for keywords already seeded on hacked websites that redirected to mostly known fake AV malware servers (more on that at bottom).  Not knowing this at the time I did a quick google search out of normal user interest and got these results…

Being the paranoid security guy I am, I immediately noticed the similarity in the URLs  and that they weren’t domain’s of news sites.  For example domain.com/xxx.php?=gigi%20… or domain.com/xxx.php?=van%20…  Hmmmm, those don’t look like legit results to me.  Welcome to the world of Blackhat SEO, I don’t presume to be the end all authority on this as Dancho Danchev and others Sophos have been tracking this for years. But this was a new twist, the bad guys were not grabbing the currently hot top search results (like when a celebrity dies) and competing with other pages to get their rank high, they INVENTED the keywords  and already had the seeded keywords in Google’s page rank before attacking Van Morisson’s website!  Gotta to respect the ingenuity, wish they were on the good guys side. Whatever Google is doing to counter the bad guys from gaming their page rank algorithm it isn’t working very well, although in this instance Google was working as intended.  If a malware author can poison a person’s view of the web (search engine results) then the average user doesn’t have much of a chance.  Turns out any one of the links redirected me to a known malware page. I followed them with Malzilla, here’s an example…

…. ALL LINKS CHANGED SLIGHTLY TO PROTECT INNOCENT….

1. First the click to Google’s search results
http [break] ://www.google.com/url?sa=t&source=web&ct=res&cd=17&ved=0CB8QFjAGOAo&url=

http%3A%2F%2Fxxxxx-law.com%2Fmvf.php%3Ft%3Dgigi%2520lee&ei=8K06S8yYFpS2swOKg_XBBA&usg=AFQjLNG7qREztsl9Fo0TC6RUCWNaB5Vp_A&sig2=48nUTmo26vz49MerFAydtg

2. Redirects to the search result

HTTP/1.1 302 Found
Location: http [break]://xxxxxx-law.com/mvf.php?t=gigi%20lee
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Dec 2009 17:04:04 GMT

Which is a .php script that looks like it’s taking an input of “t=gigi lee”  (the %20 is an encoded space) So I tried it w/o correct input and with “wget” default user-agent and was cleverly 301 redirected to cnn.com homepage, I thought that was a nice touch by the bad guys.

3. Continuing with the correct link gets me too, (hmmm  random .pl domain not a good sign.  No offence intended to Poland)

HTTP headers:

HTTP/1.1 302
Date: Wed, 30 Dec 2009 17:04:12 GMT
Content-Type: text/html
Server: Apache

Location: http [break]://vby1x4.xoeg .pl/in.php?t=cc&d=29-12-2009_tr2&h=xxxxxx-law.com&p=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3D…. snip….6vz49MerFAydtg

4. Then finally the below link which my endpoint HIPS stopped.  Just from the link you can tell it’s a fake AV Trojan and probably a couple exploits to go along with it (I didn’t go down the rabbit hole any farther).  Also I was impressed with Firefox WOT add-on (link) as I kept having to disable it to follow the redirects with FireFox.  Definitely recommend it, along with no_script of course

HTTP/1.1 302 Found
Date: Wed, 30 Dec 2009 19:08:52 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Location: http [break] ://createpc-pcscan-kokn .net/?uid=195&pid=3&ttl=e11476d0489

So I was intrigued by this .php file that they were able to upload to many websites like the example above which is a law firm in Boston Mass. I contacted several of them to tell of the infection and to ask if I could get a copy of that server side .php script, but none have done so.

So the whole thing was an elaborate scheme to get hits as it was most likely the same group of hackers that compromised the singer’s website and started the whole thing.  I was wondering how they knew to upload the files with the right keywords before the news broke and had figured they must have ongoing access to adjust the keywords or replace the .php depending on the current news story, which still could be true. The AP picking up the story must have had the bad guys celebrating for sure.

From BBC news site:

The Belfast-born 64-year-old said he had been the victim of an internet hacking attack that had placed “falsehoods” on his official website. BBC News was one of several outlets to report the hoax as fact.”The comments which appeared on my website did not come from me,” he [Van Morrison] said, in a statement issued to the media. The singer said he had asked his management team to carry out an immediate investigation, adding it was the second time his website had been hacked in the last three months.

Link to MTV talking about it.  They missed the point though it wasn’t an innocent hoax, it was motovated by the second oldest story book…..Money.

One lesson I remember learning during my teen years was the world is really shades of gray, not so much the black and white it seems when you’re younger.  The same principal applies to malware, what really is…bad?  If an AV scanner asks for payment before clears your spyware cookies and removes other fake AV installs is it malware?  What if separate 3^rdparty affiliates install it w/o your or manufacturer’s permissions, through an exploit, social engineering, or by forcing you to opt-out? What if they steal other companies detection DBs as in the iobit and malwarebytes saga? Apple installs file sharing software (Bonjour) w/o notification and with opt-out techniques (Google Toolbar, Quicktime) when installing iTunes. Does that make Apple a spyware purveyor?  Again, shades of gray.

So what is the user/IT tech to do? Well there’s no easy answer, and in my humble opinion you have to trust but verify with research.  Check already trusted forums/websites of whitehats and coworkers along with other trusted IT user’s opinions.  In short, do your homework before installing any software on your machine.

Along these lines an interesting thing happened while I was dealing with a small outbreak of Vundo.Trojan at work. Our AV vendor didn’t detect the sample yet so I recommended for the IT staff to install update and run malwarebytes in safemode. For various reasons one infected computer had no immediately available IT rep so it was left up to the user.  When getting to the download link he was tricked by a deceptive (my opinion) advertisement on download.com (Right hand “Bad Link” in screenshot below) to install a “shades of gray” program called CyberDefender instead of malwarebytes (a trusted whitehat community supported malware scanner).

Tricky Tricky for the average user

This program has a history of being considered actual malware, but apparently was taken over by different management whose is supposedly trying to legitimatize it circa 2006.  I decided to check it out a bit and am suspicious enough to recommend NOT installing it.

Some issues that make me dubious to install the software…

• Inflates the severity of the findings (ie. Detected sysinternals processmonitor as a HIGH risk)
• Opens a high tcp port and listens on it. (In 2 separate installs and 1 reboot on a clean VMware image I saw 1^stcdas.exe listening on tcp/5710, 2^ndcdas45.exe on tcp/5754, and 3^rdon reboot saw tcp/5779 (from THE SAME installer file))
• Advertises with shady deceptive ads
• Finds different threats with a program uninstall/reinstall and subsequent rescan with Cyberdefender
• Offered me to buy the product for 250.00 after an add/remove programs uninstall (clearly a ripoff)

A big part of being a security analyst is figuring out why something you admin is blocking what a customer is trying to get to.  I actually like those problems because I look at them like a mini-puzzle. The key to these issues, and many others for that matter, is being able to recreate the trouble with your own equipment.  I usually tell people, if it’s blocked for me too then I will be able to fix it.  The hard problems come when it’s an occasional issue, or only from one part of the network, etc.

Anyway, the latest scenario involved a city employee trying to get to a local high school’s website to get their layout.  The site was blocked with the category pornography, which seemed like a miscategorization.  After recreating the problem on my desktop I got a hunch, which leads me to the reason for this post.  I headed to google and searched “site:xxxxxx.edu nude”  and it came back with the results that would make any webmaster wince.  Pictured below (anonimized to protect the innocent)…

So that was quickly solved by making the school’s webmaster aware of the injected HTML SEO poisoning keywords and asking our vendor to re-evaluate the site once cleaned.  But more to the point such Google searches are a really cheap way to do some manual monitoring for websites under your protection. I personally do searches like these every few weeks, on the off chance one day I will get something other then no webpages found.  Don’t forget to submit requests to clear the major search engine’s cache if you’re hit or these results will stick around for a while.

PS I’ll leave it up to the reader’s imagination on which keywords to use.

I have an email address set up that customers can send false negative SPAM to should it get through the Email gateways.  One I received the other day shows just how allowing country IP blocks to be searched would benefit anti-spam gateways to clean up the relatively few number of false negatives they let through. I blogged about that below.

 The below is a cleaned up part header of an email one of my coworkers received that was a 419 SPAM with a word attachment delivering the social engineering “payload.”  It was sent from what I believe to be a Sun OS webmail server from a large well known east coast university ( I have notified the who-is abuse contact already.)   The IP from Nigeria ( 78.138.3.237), is what directly connected to the webmail server with an account of a college user and sent the SPAM through an already trusted infrastructure.  If the college or I was able to search for Nigerian IPs anywhere in the received lines this would have been dropped or quarantined.

Received: from iron1-smtp.xx.xxxx.edu ([xxx.xxx.127.241])  by
SannetSmtp1-in.sannet.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
X-SenderBase: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMJAEZMQ0qApIMj/2dsb2JhbACONYhfgkyocIc9iE6EDQU
X-IronPort-AV: E=Sophos; i=”4.42,291,1243828800“; d=”scan’208″;a=”44717911″
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([xxx.xxx.131.35])  by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [78.138.3.237] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <rxxx@xxxxx.edu>
Message-ID: <fce1a4442b7d.4a43bd5e@xxxx.edu>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
MIME-Version: 1.0
Content-Language: en
Subject: Respond ASAP
X-Accept-Language: en
Priority: normal
Content-Type: text/plain; charset=”us-ascii”
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Return-Path: rxxxx@xxxx.edu

My displeasure for the “send me money” scammers has been documented in previous entries so I won’t bore you with that again, although I did want to talk about an idea I had to fight those losers.  Basically I want to write SMTP gateway Anti-SPAM policy that can filter for IP address ranges (dashed range or CIDR) in ANY received header.  I have a feature request into our vendor for this very ability and am looking forward to seeing how well it will work if they can make it happen.

My reasoning behind this is to fill in a gap that I see in the current Anti-SPAM tactics, which are mainly sender IP reputation and content matching.  419 emails seem to be best making it through those traps because the “last hop” before your SMTP server is some bot host here in US or the most commonly they are sent from a free email service directly (Yahoo, Gmail, Hotmail, etc) so sender reputation isn’t all that effective (neither is SPF, SenderID, DKIM) and since they are very businesslike text, content catching the Spammyness is also hard.   However, if I was able to look for trouble country IP ranges in any of the SMTP Received lines there’s a good chance I could catch many of these sent from or through foreign nations.

See some of the free webmail providers include this line to show the IP address of the computer that sent the through the browser.

Received: from [79.80.169.10] by web36802.mail.mud.yahoo.com via HTTP; Sun, 31 May 2009 17:00:44 PDT

Being able to filter on the CIDR ranges (countryipblocks.net or maxmind.com) in any received line, not just the last one with sender reputation, would greatly increase the granularity for keyword lists.  For example you can write a 419 keyword policy but you will get MANY false positives if you apply it to all email, whereas I’d like to check it only if the email was sent from or through for example Nigeria, China,  Romania,  Russia, or Poland IP ranges.  Pseudo policy below….

#SPAMKeywordsfromNigeria

SPAM_KeywordsInBodyorAttachment:

If (dictionary-contains (‘SPAM_Keywords_BodyorAttachments’)) AND

If (header-dictionary-received-contains (‘NigerianIPs’))

{

Quarantine (’419 from Nigeria’);

}

I’ll update my blog if I’m able to apply this and how effective it is.