Re: [mailop] Talos Blocklist?

2017-08-04 Thread TR Shaw
Chris

curl -L https://talosintelligence.com/documents/ip-blacklist -o talos-ip-blacklist

Tom

> On Aug 4, 2017, at 4:44 PM, Chris Boyd wrote:
> 
> 
>> On Aug 4, 2017, at 3:23 PM, Eric Tykwinski wrote:
>> 
>> I use it for hosts.deny, so a bit of everything...
> 
> Good idea.  How do you download it? Looks like the web developers had their 
> way with it, so you have to download a small pile of javascript just to get 
> the URL on S3 :-(
> 
> —Chris
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


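The list Tom fetches above is meant, per Eric, to be dropped into hosts.deny. The following is an added example, not code from the thread or from Talos: it reads a fetched list (one address per line, which is what the Talos file looked like at the time; the SAMPLE_LIST below is constructed, not real Talos data) and renders tcp_wrappers lines, while refusing anything that is not a valid public IPv4 address, so that a garbled download, a comment line or an address inside your own RFC 1918 space can never end up in hosts.deny. The ALLOWLIST ranges are an assumption; a real deployment would add its own management addresses.

```python
"""Turn a downloaded IP blocklist (one address per line) into hosts.deny entries.

Added example, not from the mailop thread. Assumes the file fetched with
`curl -L https://talosintelligence.com/documents/ip-blacklist` holds one
IPv4 address per line; SAMPLE_LIST below is constructed, not real Talos data.
"""
import ipaddress

# Constructed sample of a fetched list, including the kinds of lines that a
# naive `cat talos-ip-blacklist >> /etc/hosts.deny` would pass straight through.
SAMPLE_LIST = """\
203.0.113.7
198.51.100.23
# comment line that is not an address
not-an-ip
10.0.0.5
203.0.113.7
2001:db8::1
"""

# Ranges a downloaded list must never be allowed to deny (assumption: loopback
# and RFC 1918; add your own management addresses in a real deployment).
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_blocklist(text):
    """Return (kept, rejected).

    kept: sorted, de-duplicated list of IPv4 address strings.
    rejected: list of (line, reason) for every line that was dropped.
    """
    kept, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment, silently skipped
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append((line, "not an IP address"))
            continue
        if addr.version != 4:
            rejected.append((line, "not IPv4"))   # only IPv4 is emitted here
            continue
        if any(addr in net for net in ALLOWLIST):
            rejected.append((line, "allowlisted range"))
            continue
        if addr in seen:
            continue                      # duplicate entry in the feed
        seen.add(addr)
        kept.append(addr)
    return [str(a) for a in sorted(kept)], rejected


def hosts_deny_lines(addrs, daemon="ALL"):
    """Render tcp_wrappers lines, one 'daemon: address' per entry."""
    return [f"{daemon}: {a}" for a in addrs]


if __name__ == "__main__":
    kept, rejected = parse_blocklist(SAMPLE_LIST)
    print("\n".join(hosts_deny_lines(kept)))
    for line, why in rejected:
        print(f"# dropped {line!r}: {why}")
```

Write the rendered lines to a separate file that hosts.deny includes (or regenerate hosts.deny from a template plus this output) rather than appending to it on every fetch, otherwise duplicates accumulate with each download.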


Re: [mailop] Malware hosted @ Mailchimp

2017-04-03 Thread TR Shaw
It's down

> On Apr 3, 2017, at 8:53 AM, Tara Natanson wrote:
> 
> I'm not sure if MC is here.  I've reached out to them though as they are 
> usually very responsive.  
> 
> Tara 
> (Constant Contact)
> 
> On Mon, Apr 3, 2017 at 7:59 AM, Joao Gouveia wrote:
> Hoping there's someone here from Mailchimp or that can reach them.
> 
> Copy / pasta from another mailing list follows:
> 
> HTML link in email body to 
> hxxps://gallery.mailchimp[.]com/907970247e4b173c3d98f70d0/files/22295f1e-32a3-4206-9266-3363a9b1c932/PO_MA0402.zip
>  
> Zipfile "PO_MA0402.zip" (MD5: 587c2a1b674a4db221414ec35feba9d4)
> VT 8/59 
> https://virustotal.com/en/file/bef5083028f3ed4f3274639efb967c91df9f148e3ebe8aa37187a6aacf4d7761/analysis/
>  
> 
> 
> Contains PE32 executable "PO-MA0402.exe" (MD5: 
> 1d05d44d34834c6426328dd66f1bad60)
> VT 9/61 
> https://virustotal.com/en/file/32f25b3373b16d6ecbd28ee9ae4401d6e3ff2383a5615c9d117639763bde07d7/analysis/
>  
> 
> Hybrid   
> https://www.hybrid-analysis.com/sample/32f25b3373b16d6ecbd28ee9ae4401d6e3ff2383a5615c9d117639763bde07d7
>  
> 
> Triggered Sandbox signatures for Nanocore
> Network traffic to sroom77.ddns[.]net:6060 (213.183.58.10 / AnMaXX RU)
> Network traffic to sroom0.ddns[.]net:1414 (154.16.220.26 / AnMaXX RU)
>  
> Malspam also beacons to wwl1526.daum[.]net:4280 (114.108.152.142, ibi.net / KIDC KR) with sender, recipient, & Message-ID.
>  
>  
> Relevant Headers:
> Received: from mail-smail-vm30.hanmail.net (HELO mail-smail-vm30.hanmail.net) (203.133.180.214); 2 Apr 2017 23:06:50 -
> Received: from mail-hmail-was8.s2.krane.9rum.cc ([10.197.10.50]) by mail-smail-vm30.hanmail.net (8.13.8/8.9.1) with SMTP id v32N6Tnj016338; Mon, 3 Apr 2017 08:06:29 +0900
> Date: Mon, 3 Apr 2017 08:06:35 +0900 (KST)
> From: AL SUOMA TRADING
> To: alsoumatrading http://yahoo.com/
> Subject: PURCHASE ORDER
> Message-ID: <20170403080635.2lPyQhCZTAeMfh0UBMgECw @ ringbell6180.hanmail.net>
>  
>  
> Body:
> ---
> Please find attached a purchase order.
>  
> Kindly send us your best price,  as per  the  below  specifications.
> We look forward to receiving your confirmation.
>  
> Also appreciate if you could reply to the following :
>Technical Drawings and Data Sheets 
>Confirm the weight & dimension of the shipment box 
>Delivery 
>Payment Terms   
>Warrantee Term 
> Kindly confirm receipt of the PO by return email.
>  
> Best Regards,
>  
> Samir
> Procurement Officer
> PURCHASE ORDER pdf 1411 KB
> www.alsmoumatrading[.]com
>  
>  id="confirmMailBeacon">  =redacted%40site.com =%3C20170403080635.2lPyQhCZTAeMfh0UBMgECw%40ringbell6180.hanmail.net%3E">
> ---
> TLP:Green

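The report above is written in the usual defanged style (hxxps://, [.]) so that nothing in it is clickable. Turning such a report into something a filter or firewall can consume means refanging the indicators and validating them. The block below is an added example, not code from the thread: it extracts URLs, host:port pairs, IPv4 addresses and MD5/SHA-256 hashes from defanged text. SAMPLE_REPORT is a constructed excerpt in the same format using documentation-only names and addresses, not the real indicators from the post.

```python
"""Extract and refang indicators of compromise from a defanged malware report.

Added example, not part of the mailop post. SAMPLE_REPORT is a constructed
excerpt in the report's defanged style (hxxps://, [.]) using documentation
names and ranges; nothing here fetches or runs anything.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_REPORT = """\
HTML link in email body to hxxps://files.example[.]com/abcd/PO_MA0402.zip
Zipfile "PO_MA0402.zip" (MD5: 587c2a1b674a4db221414ec35feba9d4)
Network traffic to c2-a.example[.]net:6060 (203.0.113.10 / EXAMPLE-AS)
Network traffic to c2-b.example[.]net:1414 (198.51.100.26 / EXAMPLE-AS)
Malspam also beacons to beacon.example[.]org:4280 (192.0.2.142 / EXAMPLE-AS)
"""

# Common defanging conventions and their live equivalents.
DEFANG = (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"))

URL_RE = re.compile(r"\bhxxps?://\S+", re.I)
HOSTPORT_RE = re.compile(
    r"\b([a-z0-9-]+(?:(?:\[\.\]|\.)[a-z0-9-]+)+):(\d{1,5})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(s):
    """Undo the defanging so the indicator can be matched against live traffic."""
    for bad, good in DEFANG:
        s = s.replace(bad, good)
    return s


def extract_iocs(text):
    """Return a dict of sorted indicator lists keyed by type."""
    iocs = {k: set() for k in ("urls", "hosts", "ports", "ipv4", "md5", "sha256")}
    for m in URL_RE.finditer(text):
        url = refang(m.group(0).rstrip(".,;)"))    # drop trailing punctuation
        iocs["urls"].add(url)
        host = urlsplit(url).hostname
        if host:
            iocs["hosts"].add(host)
    for host, port in HOSTPORT_RE.findall(text):
        iocs["hosts"].add(refang(host).lower())
        iocs["ports"].add(int(port))
    for ip in IPV4_RE.findall(text):
        try:
            iocs["ipv4"].add(str(ipaddress.IPv4Address(ip)))  # reject 999.1.1.1
        except ValueError:
            pass
    for h in MD5_RE.findall(text):
        iocs["md5"].add(h.lower())
    for h in SHA256_RE.findall(text):
        iocs["sha256"].add(h.lower())
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(kind, values)
```

The host:port pairs are the useful part for a mail operator: a DNS or egress-firewall rule on the C2 names catches infected hosts regardless of which IP the dynamic DNS names resolve to on a given day, whereas the IP addresses age quickly.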


Re: [mailop] signup form abuse

2016-05-24 Thread TR Shaw
You might want to check out e-hawk.net as Franck suggested. Or check out others in the area.

> On May 24, 2016, at 9:53 PM, Robert Mueller wrote:
> 
> 
>> I wonder what the point is. How does the bad guy monetize it, or is it a 
>> coordinated attack against a specific victim? What other nefarious 
>> issues? Making the address useless or burying some other mail in the 
>> midst of the junk would seem to be a possibility.
>> 
>> If an attack against a specific victim, it would seem that unconfirmed 
>> marketing lists would be a more effective weapon than a bunch of random 
>> confirmation messages.
> 
> We saw this happen a while back:
> 
> https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/
> 
> About a month ago, our hostmas...@fastmail.fm account suddenly wound up
> subscribed to hundreds of mailing lists. All these mailing lists failed
> to use double or confirmed opt-in, so someone was simply able to enter
> the email address into a form and sign us up, no confirmation required.
> This really is poor practice, but it's still pretty common out there. A
> special shout-out goes to government and emergency response agencies in
> the USA for their non-confirmation signup on mailing lists. Thanks guys.
> 
> The upshot was that the hostmaster address was receiving significant
> noise. Rob Mueller (one of our directors) wasted (so we thought) a bunch
> of his time removing us from those lists one by one, being very careful
> to check that none of the 'opt-out' links were actually phishing
> attempts. This turns out to have been time very well spent.
> 
> -- 
> Rob Mueller
> r...@fastmail.fm
> 


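The abuse Rob describes works because the forms subscribe an address on the strength of a single anonymous POST. The following is an added example, not code from the thread or from FastMail: a confirmed (double) opt-in flow in which the form only produces a confirmation token, the address is subscribed only when that token comes back, and the token is an HMAC binding list, address and expiry so it cannot be forged, replayed for another address, or extended. It also caps how many confirmation mails one address can be sent per window, since the confirmation mail itself is what floods the victim. SECRET, TOKEN_TTL, the list name and the per-address cap are assumptions for the demo.

```python
"""Confirmed (double) opt-in tokens for a mailing-list signup form.

Added example, not from the thread. SECRET, TOKEN_TTL and the per-address
cap are assumptions; in practice the key is loaded from configuration.
"""
import base64
import hashlib
import hmac
import time

SECRET = b"replace-with-a-long-random-key"    # assumption: from config in practice
TOKEN_TTL = 24 * 3600                          # confirmation link validity, seconds


def _mac(list_id, address, expires):
    """HMAC over list, normalised address and expiry, NUL-separated so fields
    cannot be shifted into each other."""
    msg = f"{list_id}\x00{address.lower()}\x00{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def make_token(list_id, address, now=None):
    """Token = '<expires>.<urlsafe-b64(HMAC)>'; the expiry travels in clear
    but is covered by the MAC, so it cannot be extended without the key."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    mac = base64.urlsafe_b64encode(_mac(list_id, address, expires)).rstrip(b"=")
    return f"{expires}.{mac.decode()}"


def verify_token(list_id, address, token, now=None):
    """True only if the token is well-formed, unexpired and its MAC matches
    this list and address. Comparison is constant-time."""
    now = int(time.time()) if now is None else now
    try:
        exp_s, mac_b64 = token.split(".", 1)
        expires = int(exp_s)
        mac = base64.urlsafe_b64decode(mac_b64 + "=" * (-len(mac_b64) % 4))
    except ValueError:                     # binascii.Error is a ValueError
        return False
    if now > expires:
        return False
    return hmac.compare_digest(mac, _mac(list_id, address, expires))


class ListSignup:
    """Minimal list membership store with confirmed opt-in."""
    MAX_REQUESTS_PER_ADDRESS = 3   # assumption: confirmation mails per address per TTL

    def __init__(self, list_id):
        self.list_id = list_id
        self.subscribed = set()
        self._requests = {}        # address -> timestamps of confirmation mails sent

    def request(self, address, now=None):
        """Form handler: returns the token to put in the confirmation mail,
        or None when this address has already been mailed too often."""
        now = int(time.time()) if now is None else now
        addr = address.lower()
        recent = [t for t in self._requests.get(addr, []) if now - t < TOKEN_TTL]
        if len(recent) >= self.MAX_REQUESTS_PER_ADDRESS:
            self._requests[addr] = recent
            return None                    # drop silently; do not become a flood source
        recent.append(now)
        self._requests[addr] = recent
        return make_token(self.list_id, addr, now)

    def confirm(self, address, token, now=None):
        """Link handler: the only path that ever adds an address to the list."""
        ok = verify_token(self.list_id, address, token, now)
        if ok:
            self.subscribed.add(address.lower())
        return ok


def run_demo(now=1_000_000):
    """Request, a forged confirm, a real confirm, then a burst of re-requests."""
    lst = ListSignup("announce")
    tok = lst.request("victim@example.com", now)
    forged = lst.confirm("victim@example.com", "9" + tok, now + 60)   # expiry extended, MAC stale
    confirmed = lst.confirm("victim@example.com", tok, now + 60)
    burst = [lst.request("victim@example.com", now + i) for i in range(1, 6)]
    return forged, confirmed, sum(t is not None for t in burst), sorted(lst.subscribed)


if __name__ == "__main__":
    print(run_demo())
```

The per-address cap is deliberately silent: returning an error to the form tells an attacker which addresses are already targets, whereas dropping the mail costs the legitimate user nothing more than re-requesting after the window.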


Re: [mailop] New method of blocking spam

2016-01-21 Thread TR Shaw
Sounds like just another derivative of a scoring system like SA, ASSP, etc.

> On Jan 21, 2016, at 4:27 PM, Marc Perkel wrote:
> 
> Because it works on NOT matching instead of matching they don't get the same 
> advantages as matching systems. If they try to fake one of those subjects it 
> only helps them pass one of hundreds of tests. So at best their fake will 
> make an opportunity to detect ham become neutral on the phrase.
> 
> Poisoning doesn't work against my system. Misspelling makes it easier to 
> identify spammers. And eventually the spammer has to convince you to do 
> something and that's where they get caught.
> 
> 
> On 01/21/16 13:17, Mark Jeftovic wrote:
>> Wouldn't spammers simply download this list and start using them in spam?
>> 
>> Even absent the list, knowing the methodology is enough to start
>> countering it.
>> 
>> - mark
>> 
>> 
>> On 2016-01-21 3:45 PM, Marc Perkel wrote:
>>> Just to follow up on this. I'm in the process of improving the filter.
>>> But I have filed my provisional patent so i'm going to give you an
>>> overview of how it works.
>>> 
>>> Most spam filters work by matching things. Matching ham and spam.
>>> Matching rules. The important point here in this is this new system I'm
>>> calling the Evolution filter is about NOT matching.
>>> 
>>> Suppose I sent you an email with the subject line "Let's get dinner".
>>> You can tell instantly this is good email. How? Because spammers never
>>> say "Let's get dinner".
>>> 
>>> There are millions of phrases used in good email every day that are
>>> never used in spam. And - there are millions of phrases used every day in
>>> spam that are never used in good email. So if I get an email that
>>> matches phrases used in good email and never used in spam - it's a good
>>> message. And if the messages contains words and phrases used in spam and
>>> never used in ham - it's spam.
>>> 
>>> So - how do I get a list of all phrases never used in ham or never used
>>> in spam? I make a list of all words and phrases used in ham and spam and
>>> test to see if it's NOT in the list. To illustrate my point,
>>> 
>>> Here is a list of 5505874 words and phrases used in the subject line of
>>> HAM and never seen in the subject line of SPAM
>>> 
>>> http://www.junkemailfilter.com/data/subject-ham.txt
>>> 
>>> Here is a list of 3494938 words and phrases used in the subject line of
>>> SPAM and never seen in the subject line of HAM
>>> 
>>> http://www.junkemailfilter.com/data/subject-spam.txt
>>> 
>>> The thing about not matching is that matching involves finite sets. Not
>>> matching involves infinite sets. And infinite sets are always bigger
>>> than finite sets.
>>> 
>>> Here is a link to my patent.
>>> 
>>> http://www.junkemailfilter.com/patent/
>>> 
>>> What I intend to do is to give it away to the little guys and charge the
>>> big guys a small license fee. The process of implementing this is fairly
>>> easy. I'm hoping to encourage the open source world to take this idea
>>> and do it right. My code it cobbled together and uses 4 different
>>> languages. But the concept is enough to get you going.
>>> 
>>> One thing you will need to implement this is Redis. Redis is extremely
>>> fast at set comparisons and set comparisons are how this works. It can
>>> be expressed as one formula.
>>> 
>>> score = card(SpamCorpus intersect TestMessage diff HamCorpus) -
>>> card(HamCorpus intersect TestMessage diff SpamCorpus)
>>> 
>>> I'm seeing an accuracy level that is so close to 100% it's scary. It is
>>> especially good at actively identifying good email to prevent false
>>> positives.
>>> 
>>> I will post more soon as it all comes together.
>>> 
>>> 
>>> 
>>> 
> 
> -- 
> Marc Perkel - Sales/Support
> supp...@junkemailfilter.com 
> http://www.junkemailfilter.com 
> Junk Email Filter dot com
> 415-992-3400
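Marc's formula is a pair of set operations, so it is short to implement and worth seeing with real (if tiny) corpora, including the poisoning case raised in the thread. The block below is an added example, not Marc Perkel's code nor junkemailfilter.com's data: phrases are word 1- to 3-grams taken from subject lines, the HAM_SUBJECTS and SPAM_SUBJECTS corpora are constructed, and ordinary Python sets stand in for the Redis SINTER/SDIFF calls he describes. It goes slightly beyond the text by showing what happens to a phrase that appears in both corpora: it drops out of both differences and contributes nothing to the score.

```python
"""Set-based 'not matching' scoring as described in the thread above.

Added example, not Marc Perkel's or junkemailfilter.com's code or data.
Corpora are constructed subject lines; phrases are word 1- to 3-grams.
score = |SPAM ∩ T \\ HAM| - |HAM ∩ T \\ SPAM| for a test message T.
"""
import re


def phrases(text, max_n=3):
    """All word n-grams (1..max_n) of a subject line, lower-cased."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    out = set()
    for n in range(1, max_n + 1):
        for i in range(len(words) - n + 1):
            out.add(" ".join(words[i:i + n]))
    return out


def build_corpus(lines):
    """Union of the phrase sets of every line (what Redis SADD would build)."""
    corpus = set()
    for line in lines:
        corpus |= phrases(line)
    return corpus


# Constructed training data. 'budget' appears in both corpora on purpose.
HAM_SUBJECTS = [
    "Let's get dinner",
    "Meeting notes from Tuesday",
    "Re: budget review",
]
SPAM_SUBJECTS = [
    "Cheap meds online now",
    "Claim your prize today",
    "Budget meds special",
]
HAM = build_corpus(HAM_SUBJECTS)
SPAM = build_corpus(SPAM_SUBJECTS)


def score(subject, ham=HAM, spam=SPAM):
    """Return (score, spam_only, ham_only).

    spam_only: phrases of the subject seen in spam but never in ham
    ham_only:  phrases of the subject seen in ham but never in spam
    Positive score leans spam, negative leans ham; phrases present in both
    corpora are removed by the set difference and count for nothing.
    (Redis: SINTER + SDIFF on the same keys.)
    """
    t = phrases(subject)
    spam_only = (spam & t) - ham
    ham_only = (ham & t) - spam
    return len(spam_only) - len(ham_only), spam_only, ham_only


def classify(subject, threshold=0):
    """'spam', 'ham' or 'unknown' (no evidence either way)."""
    s, spam_only, ham_only = score(subject)
    if not spam_only and not ham_only:
        return "unknown"
    return "spam" if s > threshold else "ham"


if __name__ == "__main__":
    for subj in ("Let's get dinner tonight", "Claim your cheap meds",
                 "Re: budget review cheap meds", "Hello"):
        print(f"{subj!r}: score={score(subj)[0]} -> {classify(subj)}")
```

Two things the toy makes visible that the formula alone does not: the score is unbounded in both directions and grows with subject length (a long subject full of everyday phrases swamps one spammy bigram), and a phrase that leaks into both corpora, whether by poisoning or by an honest training error, silently stops counting rather than flipping sign. Both argue for normalising by the number of phrases tested and for auditing the intersection of the two corpora.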


Re: [mailop] Application for rsync access to CBL

2015-12-16 Thread TR Shaw
Also through http://securityzones.net/

> On Dec 16, 2015, at 1:24 PM, Daniele Duca wrote:
> 
> Hi Anthony,
> 
> we do have rsync access to Spamhaus feeds, but we obtained it through one of 
> their resellers, Spamteq, https://www.spamhaustech.com/ (probably there are also others, I don't know)
> 
> Once registered you require the trial and they follow up pretty quickly
> 
> Hope it helps
> 
> Regards,
> Daniele Duca
> 
> On 16/12/15 18:09, Rodgers, Anthony (DTMB) wrote:
>> Hi there,
>>  
>> We have made an application to Spamhaus for access to rsync the CBL, and 
>> followed up with email to 'c...@abuseat.org' as 
>> recommended in the directions, but have not heard back in days.
>>  
>> Does anyone know if rsync access to the CBL is still a thing? Has anyone 
>> been recently successful in obtaining it?
>>  
>> --
>> Anthony Rodgers
>> Security Analyst
>> Michigan Security Operations Center (MiSOC)
>> DTMB, Michigan Cyber Security
>>  
