Re: sneaky pharma spam shooting past standard rules
Rick Knight wrote: What are you using to filter on HELO-no-dots? I've looked at milter-regex, but I can't get it to build on my slackware 12 system.
In postfix, it's easily done with
smtpd_helo_restrictions = check_helo_access pcre:/etc/postfix/table
Table would contain a line like this:
/^[^.]+$/ 554 something
/Per Jessen, Zürich
svn rules and viewvc
i used to be able to use wget to easily download rules from jhardin and other sandboxes now with this new viewvc, it is a total pain in the backside to do anything. how do we make it so it is easy to get the sandbox rules again? - rh
Re: [SA] SpamAssassin is not a filter
Adam Katz wrote: If you own a company trying to *trademark* something with the word Spam in it (e.g. SpamArrest), that infringes upon their trademark. If you own a company with a product with the word Spam in it and you don't try to trademark it (e.g. SpamAssassin, SpamCop), they won't pursue (as it would be along fair use law rather than trademark law). The EU trademark database has 44 hits on registered trademarks containing 'spam', including Spamhaus, Spamfighter, SpamTrap, noSpam Proxy, Spamfinder, SPAMNET and SPAMASSASSIN. /Per Jessen, Zürich
RE: exclude domain from server-wide
I am running a qmail + simscan + spamassassin + clamav on a centos 5.3. Regards s..a..l...@gmail, there are many ways to do it... you could try @example.com in your /var/qmail/control/badmailfrom might work... depending on some factors... you could smtp reject above a certain score and do a blacklist in your SA configs and reject it that way... lots of ways... be creative... - rh
Re: sneaky pharma spam shooting past standard rules
On 15.10.09 10:22, Rick Knight wrote: I'm using Sendmail and I've built it with milter support. use FEATURE(`block_bad_helo') in sendmail.mc On 15.10.09 13:02, John Hardin wrote: Has it been made easier to exclude netblocks - like your local network - from that check? You don't want to do HELO rejects on mail originating from local network MUAs that are misconfigured. it can be done via access_db Connect: option. That is used by FEATURE(`access_db'). it also needs FEATURE(`delay_checks') as said in cf.README(.gz). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: sneaky pharma spam shooting past standard rules
On Thu 15 Oct 2009 09:24:44 PM CEST, Matus UHLAR - fantomas wrote FEATURE(`block_bad_helo') in sendmail.mc On 15.10.09 21:50, Benny Pedersen wrote: if I remember sendmail, it needs to be added in sendmail.m4 and when saved, m4 sendmail.m4 will create sendmail.mc the rules have to be in sendmail.cf which is being regenerated from sendmail.mc. I don't know how often and why you use to create sendmail.mc from sendmail.m4 in Debian, I only update sendmail.mc and run 'sendmailconfig'. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I wonder how much deeper the ocean would be without sponges.
Re: svn rules and viewvc
On Thu, 2009-10-15 at 23:35 -0700, R-Elists wrote: i used to be able to use wget to easily download rules from jhardin and other sandboxes now with this new viewvc, it is a total pain in the backside to do anything. The SA team has no control over this at all. It's ASF infrastructure. how do we make it so it is easy to get the sandbox rules again? Use svn. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [SA] sneaky pharma spam shooting past standard rules
15.10.2009 22:43, Adam Katz wrote: A score of 6 is FREAKISHLY high, even for something with a very low FP rate. I'd score that around 1.2 if I trusted it. I like it, so I'm throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:
# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header MC_TAB_IN_FROM From:raw =~ /^\t/m
describe MC_TAB_IN_FROM From: Contains a tab
score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
Removed mine from local.rc as it will come to me later in an update then. The current problem is possible duplicate rules in my rc.local and KHOP ruleset.. Have to take time for a clean up. -- http://www.iki.fi/jarif/ Habit is habit, and not to be flung out of the window by any man, but coaxed down-stairs a step at a time. -- Mark Twain, Pudd'nhead Wilson's Calendar
Re: svn rules and viewvc
On Thu, 15 Oct 2009, R-Elists wrote: i used to be able to use wget to easily download rules from jhardin and other sandboxes now with this new viewvc, it is a total pain in the backside to do anything. how do we make it so it is easy to get the sandbox rules again? - rh Karsten beat me to it. Check out what you want using SVN and pull it into your local config using symlinks or a lint-then-copy script. Keeping current is a simple matter of svn up (plus the processing script, if you're doing that). Caveat, though: the sandbox is for testing rules. They may break your setup, the rule names may change arbitrarily, the rules may disappear without warning, and scores will probably not be assigned. I strongly suggest you have a zzz_sandbox_scores.cf file where you assign your own (conservative) scores to sandbox rules you are pulling into your production SA. Unfortunately there's no way to say "turn off all rules in file X except for Y and Z", which would make using sandbox files in production a little safer. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Users mistake widespread adoption of Microsoft Office for the development of a document format standard. --- 15 days since a sunspot last seen - EPA blames CO2 emissions
Other DNSBL's
I'm looking to add other DNSBL's to tomorrow's weekly mass check. I realize most of them probably are too broken to bother, but it would be nice to get some real numbers to confirm it, since the Internet lacks any real DNSBL comparisons that include Ham FP safety. http://antispam.imp.ch/06-dnsbl.html This one seems to have 3% of the hits compared to PSBL, so I am not bothering to test it in masscheck. http://bl.csma.biz/ It seems that this blacklist is simply dead. Zero hits on their SBL list within the last day. Any other DNSBL's out there that you folks use that are worth comparing? Warren Togami wtog...@redhat.com
Re: sneaky pharma spam shooting past standard rules
On 15-Oct-2009, at 19:36, MySQL Student wrote:
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
I'm currently using reject_non_fqdn_sender and reject_non_fqdn_recipient.
Completely different restrictions. The sender/recipient refer to the envelope information, the helo restrictions refer to the helo name the server sends. So, for example
helo zombie-pc
mail from:u...@gmail.com
rcpt to:u...@example.com
that will pass your restrictions on example.com and be rejected by my helo restrictions.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_client_access hash:/etc/postfix/client_access,
    reject_unauth_destination,
    check_recipient_access pcre:/etc/postfix/relay_recips_access,
    reject_unauth_pipelining,
    reject_invalid_hostname
Mine are rather more aggressive:
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    permit_mynetworks,
    check_client_access hash:$config_directory/pbs,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unlisted_sender,
    reject_unknown_reverse_client_hostname,
    check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit
    check_sender_access pcre:$config_directory/sender_access.pcre,
    check_client_access pcre:$config_directory/check_client_fqdn.pcre,
    check_recipient_access pcre:$config_directory/recipient_checks.pcre,
    check_client_access hash:$config_directory/access,
    reject_rbl_client zen.spamhaus.org,
    permit
You should certainly have permit_mynetworks down the list (why would you allow even local users to send to unknown domains, non-fqdn's, or invalid domains?) (check_client runs greylisting checks) -- http://en.wikipedia.org/wiki/TOFU
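The HELO handling discussed in this reply and in the earlier Postfix and sendmail replies (a pcre table that rejects dotless HELO names, and the need to exempt local MUAs with permit_mynetworks before any HELO check) modelled in Python as an added example. This is not Postfix code and not anything posted in the thread: each restriction is a simplified stand-in for the real one, and the network ranges, client sessions and reply texts are constructed for illustration.

```python
import ipaddress
import re

# Added example, not Postfix code: a small model of how Postfix walks an
# smtpd_*_restrictions list left to right and stops at the first restriction
# that yields a verdict. Each restriction below is a simplified stand-in.

# Constructed: which clients count as "mynetworks".
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]

# The check_helo_access pcre table from the thread: a HELO argument containing
# no dot at all is answered with a 554.
HELO_PCRE_TABLE = [(re.compile(r"^[^.]+$"),
                    "554 HELO must be a fully qualified hostname")]

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def valid_hostname_syntax(name):
    """Dot-separated labels of letters, digits and hyphens (simplified
    stand-in for reject_invalid_helo_hostname)."""
    return name != "" and all(_LABEL.match(label) for label in name.split("."))


def is_fqdn(name):
    """Syntactically valid and containing at least one dot (simplified
    stand-in for the reject_non_fqdn_* restrictions)."""
    return valid_hostname_syntax(name) and "." in name


def domain_of(address):
    return address.rpartition("@")[2]


def evaluate(restrictions, session):
    """Return (verdict, reason). 'DUNNO' means nothing in the list fired."""
    client = ipaddress.ip_address(session["client_ip"])
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(client in net for net in MYNETWORKS):
                return ("OK", "permit_mynetworks")
        elif r == "reject_invalid_helo_hostname":
            if not valid_hostname_syntax(session["helo"]):
                return ("REJECT", "501 5.5.2 invalid HELO hostname")
        elif r == "reject_non_fqdn_helo_hostname":
            if not is_fqdn(session["helo"]):
                return ("REJECT", "504 5.5.2 need fully-qualified HELO hostname")
        elif r == "reject_non_fqdn_sender":
            if not is_fqdn(domain_of(session["mail_from"])):
                return ("REJECT", "504 5.5.2 need fully-qualified sender address")
        elif r == "reject_non_fqdn_recipient":
            if not is_fqdn(domain_of(session["rcpt_to"])):
                return ("REJECT", "504 5.5.2 need fully-qualified recipient address")
        elif r.startswith("check_helo_access"):
            for pattern, action in HELO_PCRE_TABLE:
                if pattern.search(session["helo"]):
                    return ("REJECT", action)
        elif r == "permit":
            return ("OK", "permit")
        else:
            raise ValueError("unmodelled restriction: " + r)
    return ("DUNNO", "end of list")


# Restriction lists in the shapes discussed in the thread.
HELO_RESTRICTIONS = ["permit_mynetworks", "reject_invalid_helo_hostname",
                     "reject_non_fqdn_helo_hostname", "permit"]
RECIPIENT_RESTRICTIONS = ["permit_mynetworks", "reject_non_fqdn_sender",
                          "reject_non_fqdn_recipient", "permit"]
PCRE_ONLY = ["check_helo_access pcre:/etc/postfix/table", "permit"]
PCRE_WITH_EXEMPTION = ["permit_mynetworks"] + PCRE_ONLY

# Constructed sessions: the "zombie-pc" exchange from the thread, a
# misconfigured LAN mail client sending a bare HELO name from inside
# mynetworks, and a well-behaved remote MTA.
ZOMBIE = {"client_ip": "203.0.113.7", "helo": "zombie-pc",
          "mail_from": "user@example.net", "rcpt_to": "user@example.com"}
LAN_MUA = dict(ZOMBIE, client_ip="192.168.1.25", helo="laptop")
GOOD = dict(ZOMBIE, helo="mx1.example.org")

if __name__ == "__main__":
    for name, s in (("zombie", ZOMBIE), ("lan-mua", LAN_MUA), ("good", GOOD)):
        print(name, "recipient:", evaluate(RECIPIENT_RESTRICTIONS, s),
              "helo:", evaluate(HELO_RESTRICTIONS, s),
              "pcre:", evaluate(PCRE_ONLY, s),
              "pcre+exempt:", evaluate(PCRE_WITH_EXEMPTION, s))
```

The zombie session passes the recipient restrictions (sender and recipient domains are both fully qualified) and is only stopped by the HELO checks, which is the point made above; the LAN client shows the other half of the thread: the bare pcre table rejects it, and only a permit_mynetworks placed ahead of the HELO check lets the misconfigured local MUA through.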
Re: Other DNSBL's
On Fri, Oct 16, 2009 at 09:41:57AM -0400, Warren Togami wrote: I'm looking to add other DNSBL's to tomorrow's weekly mass check. I realize most of them probably are too broken to bother, but it would be nice to get some real numbers to confirm it, since the Internet lacks any real DNSBL comparisons that include Ham FP safety. http://antispam.imp.ch/06-dnsbl.html This one seems to have 3% of the hits compared to PSBL, so I am not bothering to test it in masscheck. http://bl.csma.biz/ It seems that this blacklist is simply dead. Zero hits on their SBL list within the last day. Any other DNSBL's out there that you folks use that are worth comparing? Not that it isn't a worthy cause, but you can't just start adding arbitrary unknown lists to mass checks. Some of them might crumble from the sudden mass check flood. IMO a centralized rsync datasource for all the mass checked BLs would be nice. Wonder if someone had the connections to pull it off? It would save resources from all and speed up the checks. Spamhaus etc would only need to donate the data once a week.
Re: sneaky pharma spam shooting past standard rules
Henrik K wrote: On Thu, Oct 15, 2009 at 03:43:52PM -0400, Adam Katz wrote:
# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header MC_TAB_IN_FROM From:raw =~ /^\t/m
describe MC_TAB_IN_FROM From: Contains a tab
score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
You missed the important post: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200908.mbox/%3c200908222035.57647.mark.martinec...@ijs.si%3e
Ah, right. That should be /s rather than /m, as in:
header MC_TAB_IN_FROM From:raw =~ /^\t/s
(Since /^\t/s == /\A\t/m == /\A\t/s == /\A\t/ ) I think caret is more legible/recognizable than \A, and /\A\t/ and /\A\t/s are pointless since \A only differs from ^ when using /m. (Maybe that's just because I use regexps in perl, vim, and javascript. \A only works this way in perl, while ^ inside /s works everywhere.) If I'm wrong anywhere, please do correct. My channel has this update pending for its next release.
Re: [SA] sneaky pharma spam shooting past standard rules
On 10/15/2009 10:56 PM, Henrik K wrote: You missed the important post: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200908.mbox/%3c200908222035.57647.mark.martinec...@ijs.si%3e For general use, the rule should be tightened. The relaxed version only hit mailing lists from a particular, custom news forum / SMTP gateway. 15.10.2009 22:43, Adam Katz wrote: A score of 6 is FREAKISHLY high, even for something with a very low FP rate. I'd score that around 1.2 if I trusted it. I like it, so I'm throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now: The high score ensured a forced quarantine, where manual inspection validated the results. 0 is indeed a very low FP, at least on our server over the course of several years. I agree, it's best to reduce that freakish score for mass use. :-)
# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header MC_TAB_IN_FROM From:raw =~ /^\t/m
describe MC_TAB_IN_FROM From: Contains a tab
score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
Nice to see it has been useful. -- Mike
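The anchoring point argued over in the last two replies (/^\t/m against /^\t/s or /\A\t/), shown as an added Python example rather than as SpamAssassin rules or anything from the thread. Python's re.MULTILINE and re.DOTALL are the same switches as Perl's /m and /s (MULTILINE lets ^ match after every newline, DOTALL only changes what . matches), so the three spellings map directly. The header values are constructed; the folded one is my stand-in for a legitimately wrapped From: header whose continuation line starts with a tab, the kind of input on which the two spellings disagree.

```python
import re

# Added example, not SpamAssassin code: the three ways of spelling
# MC_TAB_IN_FROM's anchor, applied to constructed raw header values.

# Constructed raw header values (the text after "From:"); the folded one keeps
# its line break and the tab that begins the continuation line.
LEADING_TAB = "\tSomebody <nobody@example.invalid>"
FOLDED_HAM = "A Rather Long Display Name\n\t<person@example.org>"
PLAIN_HAM = "Person <person@example.org>"

RELAXED = re.compile(r"^\t", re.MULTILINE)    # /^\t/m : ^ at every line start
TIGHT = re.compile(r"^\t", re.DOTALL)         # /^\t/s : ^ only at string start
ABSOLUTE = re.compile(r"\A\t", re.MULTILINE)  # /\A\t/m: \A ignores /m


def hits(pattern, header_value):
    return pattern.search(header_value) is not None


def compare(header_value):
    """Which of the three spellings fire on one raw header value."""
    return {"relaxed_m": hits(RELAXED, header_value),
            "tight_s": hits(TIGHT, header_value),
            "absolute_A": hits(ABSOLUTE, header_value)}


def disagreements(samples):
    """Names of the samples on which /^\t/m fires but /^\t/s does not,
    i.e. the extra matches the tightened rule gives up."""
    return [name for name, value in samples.items()
            if compare(value)["relaxed_m"] and not compare(value)["tight_s"]]


SAMPLES = {"leading tab": LEADING_TAB, "folded ham": FOLDED_HAM,
           "plain ham": PLAIN_HAM}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, compare(value))
    print("only /m fires on:", disagreements(SAMPLES))
```

/^\t/s and /\A\t/ agree on every sample, which is the equivalence the reply states; /^\t/m additionally fires on the folded header, which is why the tighter anchor is the one to ship.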
Constant Contact
Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? In preparing a list of HOSTKARMA_W violators for Marc, I noticed a very large amount of spam, coming from completely different companies, was sent through constantcontact.com servers using their Safe Unsubscribe feature. After some web searches, I decided to use the unsubscribe feature, but apparently I needed to unsubscribe every email address with every company that uses constantcontact.com. To me, this means it is quite clear that Constant Contact's anti-spam policy is improperly enforced at best and flagrantly ignored at worst. The biggest problem is that they're well seeded in the DNS whitelists, including HostKarma and IADB, and they often use SPF, which gets the OK from my double-check in khop-bl. Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. (Note, questionable custom rules like this get tested on my production servers with near-zero scores, then real scores, and /then/ they find their way to my sa-update channels.)
RE: Constant Contact
I've heard ads on the radio for Constant Contact before, so I would guess they're legitimate. Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -Original Message- From: Adam Katz [mailto:antis...@khopis.com] Sent: Friday, October 16, 2009 12:50 PM To: Spamassassin Mailing List Subject: Constant Contact Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? In preparing a list of HOSTKARMA_W violators for Marc, I noticed a very large amount of spam, coming from completely different companies, was sent through constantcontact.com servers using their Safe Unsubscribe feature. After some web searches, I decided to use the unsubscribe feature, but apparently I needed to unsubscribe every email address with every company that uses constantcontact.com. To me, this means it is quite clear that Constant Contact's anti-spam policy is improperly enforced at best and flagrantly ignored at worst. The biggest problem is that they're well seeded in the DNS whitelists, including HostKarma and IADB, and they often use SPF, which gets the OK from my double-check in khop-bl. Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. (Note, questionable custom rules like this get tested on my production servers with near-zero scores, then real scores, and /then/ they find their way to my sa-update channels.)
Re: Constant Contact
Adam Katz wrote: Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Sometimes abused, but too legit to outright block based on sending IP, imo. The biggest problem is that they're well seeded in the DNS whitelists, Many of those whitelists are better used as "don't check the sending IP against RBLs, but do all other content spam filtering"... and should not be used as a "skip filtering and send to inbox". Complaints like this keep coming up for various whitelists. The usage alternative I just suggested may solve this problem for many people. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: Constant Contact
Adam Katz wrote: Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Hi, Very legitimate. We have 4 or 5 clients who use it to send out emails to their subscribers. However, it can and does get abused by spammers from time to time, but they usually cut them off after receiving complaints. JMTC. Rick
Re: Constant Contact
On Oct 16, 2009, at 12:09 PM, Rick Macdougall wrote: Adam Katz wrote: Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Hi, Very legitimate. We have 4 or 5 clients who use it to send out emails to their subscribers. However, it can and does get abused by spammers from time to time, but they usually cut them off after receiving complaints. That has not been my experience. The responses I get from spam complaints just say they've removed my address from that person's list. As the original poster said they don't allow you to opt out globally. Nor do they make it easy to file an abuse complaint in the first place. There are links at the bottom of the email to do all sorts of things but not to report the message as spam. Chris - Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 -A stupidity tax Hubris Communications Inc www.hubris.net -
RE: Other DNSBL's
Any other DNSBL's out there that you folks use that are worth comparing? Warren Togami wtog...@redhat.com Warren, ask michael scheidell... he has a list for you that is 100% effective... :-) - rh
Re: Constant Contact
Hi, Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Sometimes abused, but too legit to outright block based on sending IP, imo. In addition to constantcontact, can I add the following to the list of hosts I'd like people's input on as to whether it's spam: - blueskycommunications.com - pm0.net - topica.com I believe topica.com is very similar to constantcontact in that they send bulk mail for small businesses, and don't necessarily care what they send. The emails typically contain something like You may be eligible for a cash advance and a URL like macho-man-fitness.c.topica.com that is just a redirect to something like cashadvancenow.com. It's only on URIBLS grey list. Thanks, Alex
RE: [SA] SpamAssassin is not a filter
Per Jessen wrote: The EU trademark database has 44 hits on registered trademarks containing 'spam', including Spamhaus, Spamfighter, SpamTrap, noSpam Proxy, Spamfinder, SPAMNET and SPAMASSASSIN. In other news, Darrell McBride is hired by Hormel to bolster their lagging canned meat business. ;-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500
Re: Other DNSBL's
ask michael scheidell... he has a list for you that is 100% effective... yeah, like that same joke that grandpa keeps telling over and over.. the first time it was a little bit funny... but now it is annoying, particularly the way he is the only one in the room laughing each time. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: Constant Contact
MySQL Student wrote: Hi, Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Sometimes abused, but too legit to outright block based on sending IP, imo. Just to add another data point -- There is a local network of small tech entrepreneurs in my region. They have an email list for discussing various aspects of running small businesses (sometimes just one person out of their home), and one of the questions that frequently comes up is how to get out bulk mailings to their customers. When that topic comes up, one of the most common recommendations, and what many of them use, is Constant Contact. It does the job cleanly and efficiently and fits in their budgets. Many of them have had an experience of trying to do it themselves and getting tangled up with their ISP's policies. So, even though I cringe when I hear a name like Constant Contact, it does serve a legitimate business need. -- --- Chris Hoogendyk - O__ Systems Administrator c/ /'_ --- Biology Geology Departments (*) \(*) -- 140 Morrill Science Center ~~ - University of Massachusetts, Amherst hoogen...@bio.umass.edu --- Erdös 4
Re: Other DNSBL's
R-Elists wrote: Warren, ask michael scheidell... he has a list for you that is 100% effective... seriously, google for 'blocked.secnap.net' give it a try, any ip address that you ever even got one spam on is listed. (note, if you use this list on a production system it will block legit email) -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _
Re: Constant Contact
Chris Hoogendyk wrote: Just to add another data point -- There is a local network of small tech entrepreneurs in my region. They have an email list for discussing various aspects of running small businesses (sometimes just one person out of their home), and one of the questions that frequently comes up is how to get out bulk mailings to their customers. When that topic comes up, one of the most common recommendations, and what many of them use, is Constant Contact. It does the job cleanly and efficiently and fits in their budgets. Many of them have had an experience of trying to do it themselves and getting tangled up with their ISP's policies. So, even though I cringe when I hear a name like Constant Contact, it does serve a legitimate business need. And one more data point: a bunch of local parent-teacher organizations use Constant Contact for their newsletters and announcements. -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
RE: Constant Contact
Complaints like this keep coming up for various whitelists. The usage alternative I just suggested may solve this problem for many people. -- Rob McEwen Mc, what usage alternative? - rh
Re: Constant Contact
UCSC uses them for various announcement messages as well (I think they're mostly in-bound (ie. sending to UCSC addresses), but I don't know if that's 100% true). So, while I can't speak to whether or not they send spam, I can vouch that they are sometimes used to send ham. JRudd On Fri, Oct 16, 2009 at 10:54, Miles Fidelman mfidel...@meetinghouse.net wrote: Chris Hoogendyk wrote: Just to add another data point -- There is a local network of small tech entrepreneurs in my region. They have an email list for discussing various aspects of running small businesses (sometimes just one person out of their home), and one of the questions that frequently comes up is how to get out bulk mailings to their customers. When that topic comes up, one of the most common recommendations, and what many of them use, is Constant Contact. It does the job cleanly and efficiently and fits in their budgets. Many of them have had an experience of trying to do it themselves and getting tangled up with their ISP's policies. So, even though I cringe when I hear a name like Constant Contact, it does serve a legitimate business need. And one more data point: a bunch of local parent-teacher organizations use Constant Contact for their newsletters and announcements. -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
RE: Constant Contact
here is a fine chance for everyone to vote on some new rule names... ill seed it... CONSTANT_PITA_BULK1 let's be creative now, it's Friday! well, it is always Friday, but you get the point... - rh
Re: Constant Contact
R-Elists wrote: Complaints like this keep coming up for various whitelists. The usage alternative I just suggested may solve this problem for many people. Just what I said. If an IP whitelist causes too many spams to get a free pass, then instead of using that whitelist as a free pass to the inbox... instead... use it to bypass all checking of the sender IPs against blacklists, but still do content spam filtering on the message. This is actually what Marc Perkel recommends with his Yellow list. I'm simply stating that this approach is good for additional whitelists if/when someone likes the whitelist overall, but finds it leads to too many FNs. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
RE: Constant Contact
So, even though I cringe when I hear a name like Constant Contact, it does serve a legitimate business need. snip Chris Hoogendyk Chris, -1 no disrespect to you intended, yet says who? our general experience with Constant Contact is negative. - rh
Re: Constant Contact
On Friday 16 October 2009, Adam Katz wrote: Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? In preparing a list of HOSTKARMA_W violators for Marc, I noticed a very large amount of spam, coming from completely different companies, was sent through constantcontact.com servers using their Safe Unsubscribe feature. After some web searches, I decided to use the unsubscribe feature, but apparently I needed to unsubscribe every email address with every company that uses constantcontact.com. To me, this means it is quite clear that Constant Contact's anti-spam policy is improperly enforced at best and flagrantly ignored at worst. The biggest problem is that they're well seeded in the DNS whitelists, including HostKarma and IADB, and they often use SPF, which gets the OK from my double-check in khop-bl. Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. That domain name should earn an email that came through their servers an additional 2.5 points IMO. It has been a thorn in my side since 3, maybe 4 years now. (Note, questionable custom rules like this get tested on my production servers with near-zero scores, then real scores, and /then/ they find their way to my sa-update channels.) -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them. https://www.nrahq.org/nrabonus/accept-membership.asp Yield to Temptation ... it may not pass your way again. -- Lazarus Long, Time Enough for Love
RE: Constant Contact
That domain name should earn an email that came through their servers an additional 2.5 points IMO. It has been a thorn in my side since 3, maybe 4 years now. snip -- Cheers, Gene Gene, and anyone else that cares to share please... what are you using for your various rules to up the score on Constant Contact emails so that nothing slips by??? if semi proprietary you cannot share on list, please ping me off... - rh
Re: Other DNSBL's
Warren Togami wrote: I'm looking to add other DNSBL's to tomorrow's weekly mass check. I realize most of them probably are too broken to bother, but it would be nice to get some real numbers to confirm it so since the Internet lacks any real DNSBL comparisons that include Ham FP safety. http://www.dnsbl.com/ has some test results which aren't bad, though his ham corpus does include some legitimate commercial email (which I know some folks on this list would claim could never, ever, ever, ever not be spam.) -- J.D. Falk Return Path Inc http://www.returnpath.net/
Re: Constant Contact
On Friday 16 October 2009, R-Elists wrote: That domain name should earn an email that came through their servers an additional 2.5 points IMO. It has been a thorn in my side since 3, maybe 4 years now. snip -- Cheers, Gene Gene, and anyone else that cares to share please... what are you using for your various rules to up the score on Constant Contact emails so that nothing slips by??? if semi proprietary you cannot share on list, please ping me off... - rh Nothing proprietary, or even SA related, just a recipe in my .procmailrc, so it's handed to /dev/null before SA is even called. Which works for me cuz I am the only 'customer', and I don't have a thing I'm subscribed to that comes through that server. So I could care less if it goes to /dev/null. :) That of course is a 100% kill. Shrug. -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them. https://www.nrahq.org/nrabonus/accept-membership.asp A small town that cannot support one lawyer can always support two.
Re: Constant Contact
I wrote: Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. R-Elists wrote: what are you using for your various rules to up the score on Constant Contact emails so that nothing slips by??? I lied. I actually wrote a rule and stuck it in my testing area. As always, don't forget to adjust the wrapping and lint your rules before going live.
rawbody __CCM_UNSUB /https?:..visitor\.constantcontact.com\/[^]{60,200}SafeUnsubscribe/
meta KHOP_CONSTANTCONTACT __CCM_UNSUB && RCVD_IN_HOSTKARMA_W
describe KHOP_CONSTANTCONTACT Remove DNS WL blessing for spam relayer
score KHOP_CONSTANTCONTACT 2.5 # combat dns whitelists
All this does is un-do the negative points HOSTKARMA_W assigns (rather, the 2.1 points it assigns as implemented in my khop-bl channel ... ymmv). If you're not checking against a whitelist to undo it but rather trying to block outright, I'd use something more like this:
header __CCM_RELAY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=ccm\d\d\.constantcontact\.com\s/
rawbody __CCM_UNSUB /https?:..visitor\.constantcontact.com\/[^]{60,200}SafeUnsubscribe/
meta KHOP_CONSTANTCONTACT __CCM_UNSUB && __CCM_RELAY
describe KHOP_CONSTANTCONTACT Constant Contact is a known spammer
score KHOP_CONSTANTCONTACT 4 # increase as needed
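An added Python sketch of how the two rule variants above fit together; it is not the khop channel's code and not SpamAssassin. The relay regex is the one from the post, applied to constructed X-Spam-Relays-Untrusted values in the "[ ip=... rdns=... helo=... ]" layout SpamAssassin uses, where the first entry is the last external relay. The SafeUnsubscribe body pattern is my own approximation, because the character class in the posted rawbody rule did not survive the archive. The -2.1 for the whitelist hit is the khop-bl figure from the post; the message bodies are constructed.

```python
import re

# Added example, not the khop channel's rules: the two KHOP_CONSTANTCONTACT
# variants from the post, evaluated in Python.

# Relay regex exactly as posted. "[^\]]+" cannot cross the first "]", so only
# the first X-Spam-Relays-Untrusted entry (the last external relay) is tested.
CCM_RELAY_RE = re.compile(r"^[^\]]+ rdns=ccm\d\d\.constantcontact\.com\s")

# Assumed approximation of the rawbody rule: the posted character class was
# lost in the archive, so "anything but whitespace, quotes and angle brackets"
# is used here.
CCM_UNSUB_RE = re.compile(
    r"https?://visitor\.constantcontact\.com/[^\s\"'<>]{60,200}SafeUnsubscribe")

HOSTKARMA_W_SCORE = -2.1   # whitelist bonus as scored in khop-bl, per the post


def ccm_relay(relays_untrusted):
    return CCM_RELAY_RE.search(relays_untrusted) is not None


def ccm_unsub(raw_body):
    return CCM_UNSUB_RE.search(raw_body) is not None


def whitelist_undo_variant(raw_body, hostkarma_w_hit):
    """Variant 1: KHOP_CONSTANTCONTACT = __CCM_UNSUB && RCVD_IN_HOSTKARMA_W at 2.5,
    so the whitelist bonus is cancelled only when both fire. Returns (hits, score)
    for just these two rules."""
    hits, total = [], 0.0
    if hostkarma_w_hit:
        hits.append("RCVD_IN_HOSTKARMA_W")
        total += HOSTKARMA_W_SCORE
    if ccm_unsub(raw_body) and hostkarma_w_hit:
        hits.append("KHOP_CONSTANTCONTACT")
        total += 2.5
    return hits, round(total, 3)


def outright_variant(relays_untrusted, raw_body):
    """Variant 2: KHOP_CONSTANTCONTACT = __CCM_UNSUB && __CCM_RELAY at 4 points,
    with no whitelist involved."""
    if ccm_unsub(raw_body) and ccm_relay(relays_untrusted):
        return ["KHOP_CONSTANTCONTACT"], 4.0
    return [], 0.0


# Constructed sample data.
RELAYS_CC = ("[ ip=192.0.2.10 rdns=ccm12.constantcontact.com "
             "helo=ccm12.constantcontact.com by=mx.example.org ident= envfrom= "
             "intl=0 id=ABC123 auth= msa=0 ]")
# Same hop one step further back: a different host handed the mail to us last.
RELAYS_FORWARDED = ("[ ip=198.51.100.5 rdns=mail.example.net helo=mail.example.net "
                    "by=mx.example.org ident= envfrom= intl=0 id=DEF456 auth= "
                    "msa=0 ] " + RELAYS_CC)
BODY_CC = ("<p>Newsletter text</p><a href=\"https://visitor.constantcontact.com/"
           "do?p=un&m=" + "x" * 70 + "&ch=SafeUnsubscribe\">Unsubscribe</a>")
BODY_PLAIN = "<p>Hello, see you at the meeting.</p>"

if __name__ == "__main__":
    print("undo, whitelisted CC mail:", whitelist_undo_variant(BODY_CC, True))
    print("undo, whitelisted other mail:", whitelist_undo_variant(BODY_PLAIN, True))
    print("outright, direct from CC:", outright_variant(RELAYS_CC, BODY_CC))
    print("outright, forwarded:", outright_variant(RELAYS_FORWARDED, BODY_CC))
```

The forwarded case is the one to watch with the outright variant: because the relay regex is anchored to the first entry, a Constant Contact message that reached you through an intermediate host no longer matches __CCM_RELAY, so that variant is only as good as the last hop.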
Re: Constant Contact
On 10/16/2009 01:14 PM, Chris Owen wrote: On Oct 16, 2009, at 12:09 PM, Rick Macdougall wrote: Adam Katz wrote: Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Hi, Very legitimate. We have 4 or 5 clients who use it to send out emails to their subscribers. However, it can and does get abused by spammers from time to time, but they usually cut them off after receiving complaints. That has not been my experience. The responses I get from spam complaints just say they've removed my address from that person's list. As the original poster said they don't allow you to opt out globally. Nor do they make it easy to file an abuse complaint in the first place. There are links at the bottom of the email to do all sorts of things but not to report the message as spam. For reasons like this I will not manually unsubscribe spam from constantcontact.com or tell them what addresses were being sent. They deserve a hurt reputation if they have a poor anti-spam policy. Unsubscribing only the offending addresses only artificially hides the problem from the statistical analysis without solving it. Warren Togami wtog...@redhat.com
re-implement all RBLs in metas?
Rob McEwen wrote: Adam Katz wrote: Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ? Sometimes abused, but too legit to outright block based on sending IP, imo. So in Marc's HostKarma context, that probably means pushing them from white to NOBL or yellow. The biggest problem is that they're well seeded in the DNS whitelists, Many of those whitelists are better used as "don't check the sending IP against RBLs, but do all other content spam filtering"... and should not be used as a "skip filtering and send to inbox". Complaints like this keep coming up for various whitelists. The usage alternative I just suggested may solve this problem for many people. Without category-based checking or variables in SA, this is very hard. I'd love to be able to write a rule that says "if it hits rbl A, undo all points assigned by all other rbls". The only way to do this (and I'm close to the motivation needed to implement this) would be to rewrite *all* RBL rules as metas. I made a (buried) proposal for this on 2009-10-11 at 5:19a UTC (see my second pet peeve at the bottom).
Example:

  header   RCVD_IN_A         eval:check_rbl('A-lastexternal','a.example.com')
  score    RCVD_IN_A         0.001   # adds to RCVD_IN_BL_HIGH below
  header   RCVD_IN_B         eval:check_rbl('B-lastexternal','b.example.net')
  score    RCVD_IN_B         0.5     # adds to RCVD_IN_BL_MED below
  header   RCVD_IN_C         eval:check_rbl('C-lastexternal','c.example.info')
  score    RCVD_IN_C         0.001   # adds to RCVD_IN_BL_MED below
  header   RCVD_IN_W         eval:check_rbl('W-lastexternal','w.example.org')
  score    RCVD_IN_W         -0.001  # adds to RCVD_IN_WL_HIGH below
  header   __RCVD_IN_Y       eval:check_rbl('Y-lastexternal','y.example.org')

  meta     __RCVD_IN_YELLOW  __RCVD_IN_Y

  meta     RCVD_IN_BL_HIGH   RCVD_IN_A && !__RCVD_IN_YELLOW
  describe RCVD_IN_BL_HIGH   Received in highly trusted DNS BL
  score    RCVD_IN_BL_HIGH   2

  meta     RCVD_IN_BL_MED    (RCVD_IN_B || RCVD_IN_C) && !__RCVD_IN_YELLOW
  describe RCVD_IN_BL_MED    Received in moderately trusted DNS BL
  score    RCVD_IN_BL_MED    1

  meta     RCVD_IN_WL_HIGH   RCVD_IN_W && !__RCVD_IN_YELLOW
  describe RCVD_IN_WL_HIGH   Received in highly trusted DNS WL
  score    RCVD_IN_WL_HIGH   -4

Here you can see that A is a highly trusted DNSBL, B and C are moderately trusted DNSBLs, W is a highly trusted DNSWL, and Y is a listing of things that should avoid other DNS RBL lookups. These are grouped (even when not necessary) to highlight the expandability of the system. Individual rules should be scored at 0.001 or -0.001 unless they need more weight than the others in their group, which is why RCVD_IN_B has a slightly higher score. These weights should be small and used sparingly, as they side-step things like Y. (Yes, the example is missing tflags and some descriptions. It's an example.)
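As an added illustration of how grouped metas of this kind evaluate (example code written for this page, not SpamAssassin's code and not part of the proposal above): a small Python evaluator for the boolean syntax of `meta` lines, run over a constructed rule set modelled on the one above. It goes a little beyond the text in two ways: it handles the general `&&`/`||`/`!`/parentheses grammar rather than just these three metas, and it adds a dependency check that reports a meta whose operands no rule defines, a slip SpamAssassin otherwise treats as "false" and so silently disables the group. The rule text, `BUGGY_RULES` and the hit sets are constructed.

```python
import re

TOKEN = r"\(|\)|&&|\|\||!|[A-Za-z_][A-Za-z0-9_]*"   # meta-expression tokens
OPERATORS = {"(", ")", "&&", "||", "!"}
TEST_TYPES = {"header", "body", "rawbody", "uri", "full"}

# Constructed rule set modelled on the grouped-RBL proposal above.
GROUPED_RULES = """
header RCVD_IN_A        eval:check_rbl('A-lastexternal','a.example.com')
score  RCVD_IN_A        0.001   # feeds RCVD_IN_BL_HIGH
header RCVD_IN_B        eval:check_rbl('B-lastexternal','b.example.net')
score  RCVD_IN_B        0.5     # feeds RCVD_IN_BL_MED
header RCVD_IN_C        eval:check_rbl('C-lastexternal','c.example.info')
score  RCVD_IN_C        0.001   # feeds RCVD_IN_BL_MED
header RCVD_IN_W        eval:check_rbl('W-lastexternal','w.example.org')
score  RCVD_IN_W        -0.001  # feeds RCVD_IN_WL_HIGH
header __RCVD_IN_Y      eval:check_rbl('Y-lastexternal','y.example.org')
meta   __RCVD_IN_YELLOW __RCVD_IN_Y
meta   RCVD_IN_BL_HIGH  RCVD_IN_A && !__RCVD_IN_YELLOW
score  RCVD_IN_BL_HIGH  2
meta   RCVD_IN_BL_MED   (RCVD_IN_B || RCVD_IN_C) && !__RCVD_IN_YELLOW
score  RCVD_IN_BL_MED   1
meta   RCVD_IN_WL_HIGH  RCVD_IN_W && !__RCVD_IN_YELLOW
score  RCVD_IN_WL_HIGH  -4
"""
# Same rules with an easy slip: BL_MED names sub-rules that no header line defines.
BUGGY_RULES = GROUPED_RULES.replace("(RCVD_IN_B || RCVD_IN_C)", "(__RCVD_IN_B || __RCVD_IN_C)")

def tokenize(expr):
    if re.sub(TOKEN, "", expr).strip():
        raise ValueError(f"unsupported syntax in meta expression: {expr!r}")
    return re.findall(TOKEN, expr)

def operands(expr):
    return {t for t in tokenize(expr) if t not in OPERATORS}

def eval_meta(expr, fired):
    """Recursive descent over one meta expression; precedence ! > && > ||, as in Perl."""
    toks, pos = tokenize(expr) + [None], [0]        # None marks end of input

    def atom():
        tok = toks[pos[0]]
        pos[0] += 1
        if tok == "!":
            return not atom()
        if tok == "(":
            value = disjunction()
            if toks[pos[0]] != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            pos[0] += 1
            return value
        if tok is None or tok in OPERATORS:
            raise ValueError(f"expected a rule name in {expr!r}, got {tok!r}")
        return tok in fired             # an undefined or un-hit rule is simply false

    def conjunction():
        value = atom()
        while toks[pos[0]] == "&&":
            pos[0] += 1
            value &= atom()             # operand is always consumed; no short-circuit
        return value

    def disjunction():
        value = conjunction()
        while toks[pos[0]] == "||":
            pos[0] += 1
            value |= conjunction()
        return value

    result = disjunction()
    if toks[pos[0]] is not None:
        raise ValueError(f"unexpected {toks[pos[0]]!r} in {expr!r}")
    return result

def parse_rules(text):
    """Return (header/body test names, {meta: expr}, {rule: score}); '#' comments dropped."""
    tests, metas, scores = set(), {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind in TEST_TYPES:
            tests.add(name)
        elif kind == "meta":
            metas[name] = rest
        elif kind == "score":
            scores[name] = float(rest.split()[0])
    return tests, metas, scores

def undefined_dependencies(text):
    """Metas that reference names no rule defines (spamassassin --lint warns about these)."""
    tests, metas, _ = parse_rules(text)
    known = tests | set(metas)
    return {n: sorted(operands(e) - known) for n, e in metas.items() if operands(e) - known}

def evaluate(text, hits):
    """Return (rules that fired, total score) given which header/body tests hit."""
    tests, metas, scores = parse_rules(text)
    fired = {h for h in hits if h in tests}
    pending = dict(metas)
    while pending:                      # a meta is evaluated only after the metas it refers to
        ready = [n for n, e in pending.items() if not operands(e) & set(pending)]
        if not ready:
            raise ValueError(f"circular meta dependency: {sorted(pending)}")
        for name in ready:
            if eval_meta(pending.pop(name), fired):
                fired.add(name)
    # '__' sub-rules never score; a visible rule with no score line defaults to 1.0.
    total = sum(scores.get(r, 1.0) for r in fired if not r.startswith("__"))
    return fired, round(total, 3)
```

With hits on A and B the two groups add 3 points on top of the 0.501 from the individual rules; add a Y hit and only the 0.501 survives, which is the "undo the other RBLs" behaviour the post is after. Running `undefined_dependencies` over a rules file before deploying it catches the mis-named sub-rule case, where the group would otherwise never fire and the only visible symptom is a score that looks slightly low.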
Re: Constant Contact
On Friday, October 16, 2009, 11:49:43 AM, Adam Katz wrote:

AK> After some web searches, I decided to use the unsubscribe feature, but
AK> apparently I needed to unsubscribe every email address with every
AK> company that uses constantcontact.com. To me, this means it is quite
AK> clear that Constant Contact's anti-spam policy is improperly enforced
AK> at best and flagrantly ignored at worst.

FWIW - I have had two experiences with CC customers apparently not playing by the rules.

One was a new hotel/conference center that was just built earlier this year. At that time, they helped themselves to the email addresses in the Chamber of Commerce directory and commenced mailing through CC. I complained, and was informed that they were suspended for the ToS violation, and I received no further mail from them.

More recently, a political candidate for Governor (who I supported for Lt. Gov. last go around and may very well support for Gov. - BUT I'm reasonably sure I did not sign up on her mailing list) started mailing me - and there's been a lot of e-pending of voter registration lists going on. I was informed that they told CC that all of their lists are legit sign-ups from their web site. Even though I told CC that I'm not 100% sure I didn't sign up (but 95% sure) they are suspended pending further investigation.

So in sum, they seem to be very sensitive to abusers causing problems for them (as well as their legitimate users.) I grepped my mail logs and found that my wife and I are among many other users on my system that receive legitimate, desired mail that is delivered through CC.

-- 
Best regards,
Robert Braver
rbra...@ohww.norman.ok.us
Re: Constant Contact
Warren Togami wrote:
> For reasons like this I will not manually unsubscribe spam from constantcontact.com or tell them what addresses were being sent. They deserve a hurt reputation if they have a poor anti-spam policy. Unsubscribing only the offending addresses only artificially hides the problem from the statistical analysis without solving it.

I was in the same boat until I realized just how much spam was coming from them. They keep sending despite the fact that I train their mail as spam (which includes BAYES_99 and an AWL swing of ~30 points), which means subsequent mail from them gets rejected at SMTP time (read: bounced). They disregard this, failing to clean up their lists --which is odd because I thought mass-emailing software was supposed to interpret consecutive bounces as unsubscribe requests-- and failing to force their customers to maintain their own lists (let alone shut down a customer for a grossly unmaintained list), and then I get mail from them again once the AWL swing has been worn down by HostKarma W et al.

This presents itself with a three-piece solution:

1. Continue to report their spam (SpamCop, KnuJon, Pyzor, Razor, ...)
2. Write a rule to prevent DNS whitelisting (see my other email)
3. Utilize their SafeUnsubscribe anyway.

I hate it when practicality trumps ideology.
Re: Constant Contact
On Fri, Oct 16, 2009 at 12:49 PM, Adam Katz antis...@khopis.com wrote:
> Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ?

Hello, I work for Constant Contact. We take reports of spam very seriously. Complaints are processed through our abuse@ address but you won't ever hear what happened to it there other than an auto-ack. If you'd like to send me any complaints I can let you know what became of them. We have a very large compliance and list review group who investigates the complaints and speaks with customers about where their lists came from etc. Of course we do a lot of preprocessing of their lists when they upload them so we can detect bad senders before they even mail. Obviously some gets through (or we wouldn't be having this conversation) and for that we rely on complaints/bounce rates/unsubscribe rates to point us to the problems.

Feel free to reply to me offlist if you want further info.

Tara Natanson
Re: Constant Contact
On Fri, Oct 16, 2009 at 11:07, R-Elists list...@abbacomm.net wrote:
>> So, even though I cringe when I hear a name like Constant Contact, it does serve a legitimate business need.
>
> says who?

Me. I work for one of their clients (a University). One or two of our divisions use them for large mailings to our internal users.
Re: Other DNSBL's
Henrik K wrote:
> IMO a centralized rsync datasource for all the mass checked BLs would be nice. Wonder if someone had the connections to pull it off? It would save resources from all and speed up the checks. Spamhaus etc would only need to donate the data once a week.

We don't see any particular impact from SA masschecks in the dnswl.org logs. FWIW, dnswl.org data is available via rsync for free to all interested parties in a number of formats.

-- Matthias
Re: Constant Contact
Rob McEwen wrote:
> Just what I said. If an IP whitelist causes too many spams to get a free pass, then instead of using that whitelist as a free pass to the inbox... instead... use it to bypass all checking of the sender IPs against blacklists, but still do content spam filtering on the message.

That's the recommended usage for dnswl.org data since its beginning: skip grey/blacklisting for all trust levels, but only bypass spamfilter for medium/high trust levels (and never bypass virus filtering, if you have Windows users).

-- Matthias
Re: Constant Contact
On Fri, 16 Oct 2009, Tara Natanson wrote:
> Hello, I work for Constant Contact. We take reports of spam very seriously. Complaints are processed through our abuse@ address but you won't ever hear what happened to it there other than an auto-ack. If you'd like to send me any complaints I can let you know what became of them. We have a very large compliance and list review group who investigates the complaints and speaks with customers about where their lists came from etc. Of course we do a lot of preprocessing of their lists when they upload them so we can detect bad senders before they even mail. Obviously some gets through (or we wouldn't be having this conversation) and for that we rely on complaints/bounce rates/unsubscribe rates to point us to the problems.

Tara:

May I suggest a feature for your website: a way for someone to find out exactly which of the mailing lists you process contain a given email address, and a way to unsubscribe or report abuse in bulk (e.g. in a grid)? In other words, a way to visit your website and see _all_ of the lists sending to my email address.

I suggest you do _not_ use passwords or force registration for someone to access this. You could append a URI with a unique-to-the-recipient ID code to every mail sent (similar to "unsubscribe" or "report abuse" links), and that link would bring up the review page on your website for the recipient's email address. You could also have a spot on your website to enter an email address and have such a link sent to that email address, so that if I wanted to review I wouldn't have to have an email from one of your clients handy.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Taking my gun away because I *might* shoot someone is like cutting
  my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                -- Peter Venetoklis
---
  15 days since a sunspot last seen - EPA blames CO2 emissions
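One way to build the "unique-to-the-recipient ID code" John describes, added here as example code (not Constant Contact's code and not anything posted in the thread): the link carries an opaque random id allocated per address plus an HMAC over that id under a server-side secret, so a guessed or incremented id is rejected before any list lookup happens, and the address itself never appears in the URL. The "enter an address and get a link mailed to you" form is modelled too; its important property is that the HTTP response looks the same whether or not the address is on any list, so the form cannot be used to probe which addresses the service knows. The host name, key and addresses are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

REVIEW_URL = "https://lists.example.test/review"   # constructed host name


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class ReviewLinks:
    """Issue and verify per-recipient review-page links (example, not a real service)."""

    def __init__(self, server_key):
        self._key = server_key        # constructed secret; a deployment loads it from a key store
        self._ids = {}                # opaque id -> canonical address; stands in for the list DB

    @staticmethod
    def canonical(address):
        # Must match how the sending side stored the address; lower-casing the
        # whole address is the usual list-management convention.
        return address.strip().lower()

    def _tag(self, rid):
        mac = hmac.new(self._key, rid.encode(), hashlib.sha256).digest()
        return _b64(mac[:16])         # 128-bit tag keeps the link short

    def issue(self, address):
        """Return this recipient's review link (the same link every time)."""
        addr = self.canonical(address)
        rid = next((k for k, v in self._ids.items() if v == addr), None)
        if rid is None:
            rid = secrets.token_urlsafe(12)   # URL-safe alphabet, never contains '.'
            self._ids[rid] = addr
        return f"{REVIEW_URL}?r={rid}.{self._tag(rid)}"

    def resolve(self, url):
        """Address a link refers to, or None if the token is missing, malformed or forged."""
        token = parse_qs(urlparse(url).query).get("r", [""])[0]
        rid, dot, tag = token.partition(".")
        if not dot or not rid:
            return None
        if not hmac.compare_digest(self._tag(rid).encode(), tag.encode()):
            return None               # rejected before the database is consulted
        return self._ids.get(rid)

    def request_link(self, address):
        """The 'send me my review link' form.  Returns the link to e-mail to the
        address, or None when the address is unknown; the caller must render the
        same page either way so the form does not reveal list membership."""
        addr = self.canonical(address)
        if addr in self._ids.values():
            return self.issue(addr)
        return None
```

Verifying the MAC before any lookup also keeps the database out of the cost of rejecting junk tokens, and rotating `server_key` invalidates every outstanding link at once, which is the desired behaviour if the key is ever exposed.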
Re: Constant Contact
On Fri, 16 Oct 2009, John Rudd wrote:
> Me. I work for one of their clients (a University). One or two of our divisions use them for large mailings to our internal users.

How is Constant Contact better than (say) GNU mailman for that purpose? I don't understand the concept of sending internal mail via an external third party...

-- 
John Hardin KA7OHZ
Re: Constant Contact
On 10/16/2009 10:25 PM, Adam Katz wrote:
> I suppose it's possible that your customer base is large enough that there aren't any repeat offenders and that each case is unique ... digging through my archives, I don't see more than 2x of any message from a CC customer.

Look at it this way: some snowshoe IPs, CC snowshoes customers.
Re: Constant Contact
On Fri, 2009-10-16 at 14:54 -0400, Adam Katz wrote:
>> Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this.
>
> I lied. I actually wrote a rule and stuck it in my testing area. As always, don't forget to adjust the wrapping and lint your rules before going live.
>
>   rawbody __CCM_UNSUB /https?:..visitor\.constantcontact.com\/[^>]{60,200}>SafeUnsubscribe/

Ouch! Rawbody, that hurts. If you really can't tell from the <a> link URI alone, you'd better have a look at the URIDetail plugin instead. The anchor text of an HTML link is part of the internal URI data structure.

>   meta KHOP_CONSTANTCONTACT __CCM_UNSUB && RCVD_IN_HOSTKARMA_W
>   describe KHOP_CONSTANTCONTACT Remove DNS WL blessing for spam relayer

Inappropriate description. Inappropriate logic. IFF the terminology used would be appropriate, you rather should take the then-false listing up with the whitelist.

> If you're not checking against a whitelist to undo it but rather trying to block outright, I'd use something more like this:
>
>   header __CCM_RELAY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=ccm\d\d\.constantcontact\.com\s/
>   meta KHOP_CONSTANTCONTACT __CCM_UNSUB && __CCM_RELAY
>   describe KHOP_CONSTANTCONTACT Constant Contact is a known spammer
>   score KHOP_CONSTANTCONTACT 4 # increase as needed

Wholly inappropriate, IMHO. Seriously.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Constant Contact
On Fri, Oct 16, 2009 at 13:29, John Hardin jhar...@impsec.org wrote:
> On Fri, 16 Oct 2009, John Rudd wrote:
>> Me. I work for one of their clients (a University). One or two of our divisions use them for large mailings to our internal users.
>
> How is Constant Contact better than (say) GNU mailman for that purpose? I don't understand the concept of sending internal mail via an external third party...

Don't ask me. I didn't recommend that they go down that path. I'm merely vouching that there are legitimate business users of the service.

However, probably one of the reasons that they would give is: as clients of Constant Contact, they don't have to directly maintain mailman, an MTA, a server, and manage the capacity, maintenance, and bandwidth of all of that. Add in the cost of a sysadmin, and they probably think it's cheaper to go to Constant Contact than to pay for all of that (or to pay the Central IT Service (me) to do it for them ... though, in at least one case, I think they weren't aware of the options the central IT service could offer them ... that, or they were afraid we'd make them behave responsibly, and may not feel that they have to worry about that if they outsource, instead).

Essentially, though, your question is the same as "why use Gmail/Yahoo/Hotmail instead of (any of the many free POP/IMAP/Webmail software) that you can run yourself?" The answer, in both cases, is: outsourcing has a value, and this is one of the places where that's true for some people.
Re: Constant Contact
Karsten Bräckelmann wrote:
> On Fri, 2009-10-16 at 14:54 -0400, Adam Katz wrote:
>>   rawbody __CCM_UNSUB /https?:..visitor\.constantcontact.com\/[^>]{60,200}>SafeUnsubscribe/
>
> Ouch! Rawbody, that hurts. If you really can't tell from the <a> link URI alone, you'd better have a look at the URIDetail plugin instead. The anchor text of an HTML link is part of the internal URI data structure.

Interesting. I didn't know about that.

  ifplugin Mail::SpamAssassin::Plugin::URIDetail
    uri_detail __CCM_UNSUB domain =~ /\bvisitor\.constantcontact.com$/ raw =~ /\?.{40}/ text =~ /^SafeUnsubscribe$/
  else
    rawbody __CCM_UNSUB /https?:..visitor\.constantcontact.com\/[^>]{60,200}>SafeUnsubscribe/
  endif

>>   meta KHOP_CONSTANTCONTACT __CCM_UNSUB && RCVD_IN_HOSTKARMA_W
>>   describe KHOP_CONSTANTCONTACT Remove DNS WL blessing for spam relayer
>
> Inappropriate description. Inappropriate logic. IFF the terminology used would be appropriate, you rather should take the then-false listing up with the whitelist.

Already did. I've requested the Constant Contact IPs find their way to HostKarma's Yellow or NOBL lists and out of the White list.

>> If you're not checking against a whitelist to undo it but rather trying to block outright, I'd use something more like this:
>>
>>   header __CCM_RELAY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=ccm\d\d\.constantcontact\.com\s/
>>   meta KHOP_CONSTANTCONTACT __CCM_UNSUB && __CCM_RELAY
>>   describe KHOP_CONSTANTCONTACT Constant Contact is a known spammer
>>   score KHOP_CONSTANTCONTACT 4 # increase as needed
>
> Wholly inappropriate, IMHO. Seriously.

Given ConstantContact's size, yes. However, it should safely discriminate against CC's bulk mail without catching anything else by accident, which is what R-Elists requested. Note my starting value of 4 so that nobody takes this too far out of context and into trouble.
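To show what the structured `uri_detail` match gains over the rawbody regex, here is an added Python example (not the URIDetail plugin and not code from the thread) that parses `<a>` elements into the same three fields the `uri_detail` line above tests, `domain`, `raw` and `text`, and runs both tests over constructed HTML fragments: a plain link, the same link with extra attributes and a wrapping `<span>`, and a third-party redirector that carries the URL as a query parameter. The query string and host names other than constantcontact.com are constructed; the rawbody pattern is transcribed from the rule above with the dot in `.com` escaped.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect {'raw', 'domain', 'text'} for every <a href=...> in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None              # [href, text chunks] while inside an <a>

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._open = [href, []]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, chunks = self._open
            self.links.append({
                "raw": href,
                "domain": urlparse(href).hostname or "",
                "text": " ".join("".join(chunks).split()),   # whitespace collapsed, as rendered
            })
            self._open = None


def uri_detail_match(html, domain_re, raw_re, text_re):
    """True if one link satisfies every clause (uri_detail ANDs its clauses)."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return any(re.search(domain_re, link["domain"]) and re.search(raw_re, link["raw"])
               and re.search(text_re, link["text"]) for link in collector.links)


# The posted rawbody pattern, transcribed to Python.
RAWBODY_RE = re.compile(r"https?:..visitor\.constantcontact\.com/[^>]{60,200}>SafeUnsubscribe")


def classify(html):
    """Apply the structured test and the rawbody regex to one message body."""
    return {
        "uri_detail": uri_detail_match(html, r"\bvisitor\.constantcontact\.com$",
                                       r"\?.{40}", r"^SafeUnsubscribe$"),
        "rawbody": bool(RAWBODY_RE.search(html)),
    }


# Constructed samples.  The query string is made up, but long enough for {60,200}.
CC_URL = ("https://visitor.constantcontact.com/do?p=un&m=001AbCdEfGhIjKlMnOpQrStUv"
          "&ea=recipient%40example.net&se=001ZyXwVuTsRqP&t=1101234567890&llr=abcdefgh")

PLAIN = f'<p><a href="{CC_URL}">SafeUnsubscribe</a></p>'
# Same link, anchor text in a child element after extra attributes: the byte-level
# regex stops at the first '>', while the parsed anchor text is unchanged.
WRAPPED = (f'<p><a href="{CC_URL}" target="_blank" style="color:#333">\n'
           '   <span>SafeUnsubscribe</span>\n</a></p>')
# A redirector on another host carrying the CC URL as a parameter: the bytes still
# match, but the link's real host is not constantcontact.com.
REDIRECT = f'<p><a href="https://redirect.example.net/?u={CC_URL}">SafeUnsubscribe</a></p>'
```

The two tests disagree in both directions: the regex misses the wrapped link (a false negative on exactly the mail the rule targets) and fires on the redirector (a match on a link that never reaches constantcontact.com directly). Testing the parsed host, the raw href and the rendered anchor text separately is what makes the `uri_detail` form both more robust and easier to reason about.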
Re: Constant Contact
On Fri, 2009-10-16 at 17:17 -0400, Adam Katz wrote:
> Karsten Bräckelmann wrote:
>> On Fri, 2009-10-16 at 14:54 -0400, Adam Katz wrote:
>>
>> Inappropriate description. Inappropriate logic. IFF the terminology used would be appropriate, you rather should take the then-false listing up with the whitelist.
>
> Already did. I've requested the Constant Contact IPs find their way to HostKarma's Yellow or NOBL lists and out of the White list.

Do note that Hostkarma WHITE is not part of the stock rule-set. Moreover, it is *your* score of a whopping -2.1 for the third-party DNS BL test you're complaining about, that results in FNs. Last I checked (which is a while ago, granted), I wouldn't score it that low, not even close.

Your score, your trust. If you find yourself in the need to work around your own trust measures, maybe the underlying issue is deeper than a good game of whack-a-mole.

And if the WHITE listing is going to be corrected in a timely manner, the rules are obsolete -- yet here to stay along with the hate-laden descriptions, waiting in archives for click-happy monkeys to copy-n-paste without even thinking.

>>>   meta KHOP_CONSTANTCONTACT __CCM_UNSUB && __CCM_RELAY
>>>   describe KHOP_CONSTANTCONTACT Constant Contact is a known spammer
>>>   score KHOP_CONSTANTCONTACT 4 # increase as needed
>>
>> Wholly inappropriate, IMHO. Seriously.
>
> Given ConstantContact's size, yes. However, it should safely discriminate against CC's bulk mail without catching anything else by accident, which is what R-Elists requested. Note my starting value of 4 so that nobody takes this too far out of context and into trouble.

I have read quite a few comments by legitimate receivers in this thread. Makes a score of 4 feel over-board to say the least, requested by $nick or not.

Also note, that my previous assessment is not limited to the score.
Re: Constant Contact
Adam Katz wrote:
> Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ?
>
> In preparing a list of HOSTKARMA_W violators for Marc, I noticed a very large amount of spam, coming from completely different companies, was sent through constantcontact.com servers using their Safe Unsubscribe feature. After some web searches, I decided to use the unsubscribe feature, but apparently I needed to unsubscribe every email address with every company that uses constantcontact.com. To me, this means it is quite clear that Constant Contact's anti-spam policy is improperly enforced at best and flagrantly ignored at worst.
>
> The biggest problem is that they're well seeded in the DNS whitelists, including HostKarma and IADB, and they often use SPF, which gets the OK from my double-check in khop-bl.
>
> Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. (Note, questionable custom rules like this get tested on my production servers with near-zero scores, then real scores, and /then/ they find their way to my sa-update channels.)

I wouldn't say they are perfect but they try to be. It's close enough for my white list. They shut down abusers and the opt out works.
Re: Constant Contact
One factor in scoring a white list like mine is that different people have different definitions as to what is spam. And people have different values as to blocking spam at the expense of blocking good email. In my business if I block a good email it's worse than 100 spams getting through. I am possibly too generous on white listing but that's what my customers want.
Re: Constant Contact
Hi,

> How is Constant Contact better than (say) GNU mailman for that purpose? I don't understand the concept of sending internal mail via an external third party...

In addition to what's already been mentioned, CC also provides a nice template that people can drop their message into and click "Send". This is very appealing to the local bagel shop or restaurant that wants to advertise their specials to their favorite customers without even having an Internet connection of their own. I don't doubt that if you solicited to these types of businesses with your mailman product and the ability to add their logo to the top of an HTML email, they'd choose your service just the same.

Best,
Alex
Re: Constant Contact
Tara Natanson wrote:
> On Fri, Oct 16, 2009 at 12:49 PM, Adam Katz antis...@khopis.com wrote:
>> Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ?
>
> Hello, I work for Constant Contact. We take reports of spam very seriously. Complaints are processed through our abuse@ address but you won't ever hear what happened to it there other than an auto-ack. If you'd like to send me any complaints I can let you know what became of them. We have a very large compliance and list review group who investigates the complaints and speaks with customers about where their lists came from etc. Of course we do a lot of preprocessing of their lists when they upload them so we can detect bad senders before they even mail. Obviously some gets through (or we wouldn't be having this conversation) and for that we rely on complaints/bounce rates/unsubscribe rates to point us to the problems.
>
> Feel free to reply to me offlist if you want further info.
>
> Tara Natanson

Yep - and that's why I white list them.
Re: Constant Contact
On Fri, 2009-10-16 at 15:09 -0700, Marc Perkel wrote:
> I wouldn't say they are perfect but they try to be. It's close enough
> for my white list. They shut down abusers and the opt out works.
                                    ^

This implies there is, in fact, abuse. Thus, they are not "trusted nonspam" only, which is your definition of WHITE. Some more of your own definition and classification.

  whitelist  - trusted nonspam
  yellowlist - mix of spam and nonspam
  NOBL       - This IP is not a spam only source and no blacklists need to be tested

Even if one does not equalize "has abusers" and "sends occasional spam", NOBL seems a more appropriate listing to me.

Note this is about ccmNN.constantcontact.com, not confirmedcc.com.
Re: Constant Contact
On Fri, 2009-10-16 at 16:25 -0400, Adam Katz wrote:
> My own proposal to fixing this is to bring back Blue Security's do-not-email list, which is to say a freely available index of secure hashes representing email addresses that have opted out of bulk email. (Recall that the controversial aspect of Blue Security's methods is what they did to violators, which I'm not touching here.)

The other problem with it is that it can be used to scrub lists and get a set of real users who don't want spam. There is no guarantee that spammers will be ethical and remove the DNE recipients - they may find a better return throwing out the addresses that don't match...

And then there are hash collisions...
KHOP_NO_FULL_NAME
I have not yet analysed what whitehats cause this, but this rule seems suspicious to me at the moment.

On the bright side: HOSTKARMA is a pleasant thing to have, now that my config is fixed with the community aid.

Email: 1280  Autolearn: 765  AvgScore:  13.53  AvgScanTime: 11.23 sec
Spam:   632  Autolearn: 540  AvgScore:  34.39  AvgScanTime:  9.21 sec
Ham:    648  Autolearn: 225  AvgScore:  -6.82  AvgScanTime: 13.19 sec

Time Spent Running SA:       3.99 hours
Time Spent Processing Spam:  1.62 hours
Time Spent Processing Ham:   2.37 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                    COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BAYES_99                       614    47.97    97.15    0.00
   2  DCC_CHECK                      601    60.86    95.09   27.47
   3  RAZOR2_CHECK                   576    45.00    91.14    0.00
   4  RCVD_IN_BRBL_LASTEXT           575    45.08    90.98    0.31
   5  RAZOR2_CF_RANGE_51_100         573    44.77    90.66    0.00
   6  HTML_MESSAGE                   570    50.39    90.19   11.57
   7  BOTNET                         566    44.22    89.56    0.00
   8  DIGEST_MULTIPLE                559    43.67    88.45    0.00
   9  URIBL_BLACK                    551    43.05    87.18    0.00
  10  RAZOR2_CF_RANGE_E8_51_100      541    42.27    85.60    0.00
  11  RCVD_IN_HOSTKARMA_BL           539    42.11    85.28    0.00
  12  URIBL_SBL                      509    39.77    80.54    0.00
  13  URIBL_JP_SURBL                 502    39.22    79.43    0.00
  14  RCVD_IN_XBL                    491    38.36    77.69    0.00
  15  URIBL_WS_SURBL                 426    33.28    67.41    0.00
  16  RCVD_IN_BL_SPAMCOP_NET         425    33.20    67.25    0.00
  17  RCVD_IN_SEMBLACK               418    32.66    66.14    0.00
  18  RCVD_IN_PSBL                   408    31.87    64.56    0.00
  19  KHOP_DNSBL_ADJ                 405    31.64    64.08    0.00
  20  URIBL_AB_SURBL                 374    29.22    59.18    0.00
----------------------------------------------------------------------

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                    COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BAYES_00                       543    42.50     0.16   83.80
   2  RCVD_IN_HOSTKARMA_W            511    40.00     0.16   78.86
   3  AWL                            498    44.06    10.44   76.85
   4  KHOP_RCVD_UNTRUST              420    32.89     0.16   64.81
   5  KHOP_HELO_FCRDNS               312    32.97    17.41   48.15
   6  KHOP_NO_FULL_NAME              195    19.30     8.23   30.09
   7  RCVD_IN_HOSTKARMA_WL           182    14.30     0.16   28.09
   8  DCC_CHECK                      178    60.86    95.09   27.47
   9  RCVD_IN_DNSWL_LOW              171    13.44     0.16   26.39
  10  RCVD_IN_DNSWL_MED              170    13.28     0.00   26.23
  11  SPF_HELO_PASS                  160    12.50     0.00   24.69
  12  RCVD_IN_DNSWL_HI               159    12.42     0.00   24.54
  13  DKIM_SIGNED                    114     8.98     0.16   17.59
  14  RCVD_IN_BSP_OTHER               78     6.09     0.00   12.04
  15  HTML_MESSAGE                    75    50.39    90.19   11.57
  16  KHOP_RCVD_TRUST                 49     3.83     0.00    7.56
  17  DKIM_VERIFIED                   42     3.28     0.00    6.48
  18  KHOP_2IPS_RCVD                  32     3.44     1.90    4.94
  19  MIME_QP_LONG_LINE               27     2.89     1.58    4.17
  20  KHOP_PGP_SIGNED                 22     1.72     0.00    3.40
----------------------------------------------------------------------

-- 
http://www.iki.fi/jarif/

Ships are safe in harbor, but they were never meant to stay there.
Re: KHOP_NO_FULL_NAME
17.10.2009 3:12, Jari Fredriksson wrote:
> I have not yet analysed what whitehats cause this, but this rule seems suspicious to me at the moment.

Now I have. Legitimate bulk mailers.

From: NYTimes.com nytdir...@nytimes.com
From: Iltalehti.fi iltalehti-288-d690018e-1000350...@sp.iltalehti.fi

Newspapers. And others. Questionable rule.

-- 
http://www.iki.fi/jarif/

You look tired.
Re: Constant Contact
Adam Katz wrote:
> Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ?
>
> In preparing a list of HOSTKARMA_W violators for Marc, I noticed a very large amount of spam, coming from completely different companies, was sent through constantcontact.com servers using their Safe Unsubscribe feature. After some web searches, I decided to use the unsubscribe feature, but apparently I needed to unsubscribe every email address with every company that uses constantcontact.com. To me, this means it is quite clear that Constant Contact's anti-spam policy is improperly enforced at best and flagrantly ignored at worst.
>
> The biggest problem is that they're well seeded in the DNS whitelists, including HostKarma and IADB, and they often use SPF, which gets the OK from my double-check in khop-bl.
>
> Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. (Note, questionable custom rules like this get tested on my production servers with near-zero scores, then real scores, and /then/ they find their way to my sa-update channels.)

They're clueful; they monitor SPAM-L; they use one of my email addresses as a spamtrap. We don't use them, but they're still aware enough to email us and ask if something looks dodgy. Good folks, IMHO.

-- 
-- tim
Tim Boyer
Chief Technical Officer
Denman Tire Corporation