Re: linkedin invitation spam
Martin Gregorie wrote: I don't remotely intend to go vigilante: I don't know how you got that from what I said, which I thought boiled down to: a) If an acquaintance asks you become a member that is not a problem. In fact, acquaintance or otherwise, that is the whole idea :-) b) If a social site uses member address lists to send invitations to join without consulting the list owner then that is disreputable behaviour and the resulting invitations are UCE at best. +1. Although I doubt that any reputable social networking site will do that for very long. FWIW I'm far more annoyed by UCE agencies who either don't have an 'un-subscribe' capability or, much worse, who include the line You're receiving this because you subscribed you can un-subscribe by visiting URL and whose URL goes through the motions but doesn't actually unsubscribe you. +1. /Per Jessen, Zürich
Re: Two newish RBLs; NXDOMAIN question
On Tue, 14 Dec 2010 08:50:17 +0200 Oguz Yilmaz oguzyilmazl...@gmail.com wrote: On Mon, Dec 13, 2010 at 7:21 PM, Len Conrad lcon...@go2france.com wrote: Are you sure? At the moment I can not resolv the name truncate.gbudb.net. that's correct, and OK. and you can't resolve zen.spamhaus.org, either. :) Does it mean they are closed? It means that there is no reason for either to have an A-record.
DNSBL for email addresses?
Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a standard? -- Marc Perkel - Sales/Support supp...@junkemailfilter.com http://www.junkemailfilter.com Junk Email Filter dot com 415-992-3400
Re: DNSBL for email addresses?
On 2010-12-14 15:28, Marc Perkel wrote: Are there any DNSBLs out there based on email addresses? nope Is there a standard? nope
Re: DNSBL for email addresses?
On 12/14/10 8:28 AM, Marc Perkel supp...@junkemailfilter.com wrote: Are there any DNSBLs out there based on email addresses? No. There was an experimental list for a while. Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses? # This plugin creates rbl style DNS lookups for email addresses. # There isn't any official emailbl standard yet(?) so we: # # 1) make md5hash of lowercased email address (no other normalizations) # 2) lookup hexmd5hash.zone.example.com. Is there a standard? Nope, but it works. I use it locally with the emailBL.pm plugin. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Two newish RBLs; NXDOMAIN question
On tir 14 dec 2010 07:50:17 CET, Oguz Yilmaz wrote and you can't resolve zen.spamhaus.org, either. :) Does it mean they are closed? rndc querylog spamassassin -t spammsg rndc querylog see log above works when running bin9 -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: DNSBL for email addresses?
On tir 14 dec 2010 15:28:54 CET, Marc Perkel wrote Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a standard? no std, but there was a test with emailbl, google it -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Comment - GFI/SORBS
Hi All, Is sorbs going to be continued as a scoring option in SA? Having hit yet more problems with them I've zeroed their scoring. I found this a couple of days ago, maybe it can add weight. http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful/ Best to all Nigel
Re: Comment - GFI/SORBS
On Tue, 2010-12-14 at 16:58 +, Nigel Frankcom wrote: Hi All, Is sorbs going to be continued as a scoring option in SA? Having hit yet more problems with them I've zeroed their scoring. ... I hope so. I find SORBS wonderful in dealing with those troublesome mailers that have managed to by passage from the likes of $pamhau$$ and Barracuda myself. That said, I'd like to see the total removal of rules that favour that haven of transactional spammers - Return Path.
Re: blacklist.mailrelay.att.net
On 12/13/10 2:14 AM, Giampaolo Tomassoni wrote: Le 12/12/2010 19:23, Giampaolo Tomassoni a écrit : How does it work? I just got blocked by the ATT's blacklist (in contacting ab...@att.com, besides...), but I'm pretty sure my MX is not an open relay or other kind of nifty thing. Maybe ATT blocks whole address bunches from which some hosts are spamming? Because this could explain me why: my MX is co-located... $ host tomassoni.biz tomassoni.biz has address 62.149.201.242 tomassoni.biz has address 62.149.220.102 tomassoni.biz mail is handled by 10 c0.edlui.it. $ host c0.edlui.it c0.edlui.it has address 62.149.220.102 c0.edlui.it has address 62.149.201.242 $ host 62.149.201.242 242.201.149.62.in-addr.arpa domain name pointer host242-201-149-62.serverdedicati.aruba.it. $ host 62.149.220.102 102.220.149.62.in-addr.arpa domain name pointer host102-220-149-62.serverdedicati.aruba.it. So both IPs use generic hostnames, which are a sign of half configured servers. Unfortunately the RDNS is not under my control. Which is a fact I share with a lot of people worldwide... think as the receiving side. when I see spam out of joe.spam.example, I blocklist spam.example (and possibly every IP and domain related to them). If I see spam coming from host1-2-364.serverdedicati.aruba.it, what will I blacklist? I personally (and many serious blocklists) would block the single spamming address. You may easily see that Aruba.it is a co-location provider, so you may easily understand that different hosts from the same address bunch are probably handled by different organizations, with different means and purposes. To me, it is counter-productive to block the whole bunch. Giampaolo I would strongly encourage your ISP to clean up their act by adding an excursion detection system, that watches for bursty outbound traffic patterns, like a sudden spike in outbound SMTP or HTTP connections to a wide spread of addresses. -Philip
Re: Two newish RBLs; NXDOMAIN question
Thanks, a basic tcpdump revealed the method of query and response. -- Oguz YILMAZ On Tue, Dec 14, 2010 at 6:47 PM, Benny Pedersen m...@junc.org wrote: On tir 14 dec 2010 07:50:17 CET, Oguz Yilmaz wrote and you can't resolve zen.spamhaus.org, either. :) Does it mean they are closed? rndc querylog spamassassin -t spammsg rndc querylog see log above works when running bin9 -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
perl-Net-Patricia-1.19 is out
It's been released for F13 and F14. And of course, it's upstream on CPAN. It's the promotion of the development version 1.18_81 to production.
Re: Two newish RBLs; NXDOMAIN question
On tir 14 dec 2010 18:55:12 CET, Oguz Yilmaz wrote Thanks, a basic tcpdump revealed the method of query and response. i like comal more then basic, but glad to be of help -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
RE: blacklist.mailrelay.att.net
I would strongly encourage your ISP to clean up their act by adding an excursion detection system, that watches for bursty outbound traffic patterns, like a sudden spike in outbound SMTP or HTTP connections to a wide spread of addresses. Is Aruba.it so poorly reputed? g -Philip
Re: linkedin invitation spam
Le 13/12/2010 23:45, Martin Gregorie a écrit : On Mon, 2010-12-13 at 22:19 +0100, mouss wrote: Le 13/12/2010 10:38, Martin Gregorie a écrit : As others have said, it depends who sent it and why. Invitations sent specifically by people who know you aren't spam, but I've heard it said several times that Facebook auto-generates invitations from contact lists uploaded by new members and in my book that's definitely spam. no, that's not spam. that's stupid friends behaviour. If you're certain that's the case I agree that its not really spam. if you define spam in a too large way, you will lose some of us. feel free to go the vigilante way. I don't remotely intend to go vigilante: I don't know how you got that from what I said, which I thought boiled down to: sorry, I didn't mean you are a vigilante. I just wanted to warn about going there. nothing about _you_. a) If an acquaintance asks you become a member that is not a problem. b) If a social site uses member address lists to send invitations to join without consulting the list owner then that is disreputable behaviour and the resulting invitations are UCE at best. fuly agreed. but that's how thing are going today. so I'll start by the beginning: a stupid user gave them his addr book. I mean - the guy who gave them his addr book is a stupid guy - they should never ask for that so both are guilty. c) If there's a way to distinguish (a) and (b) then it would be possible to treat (b) as UCE. no. I think it's a different beast. there is no point to try to match how some people have tried to define spam. we all know what spam is. those ube, uce, blahblah-e are unhelpful. you know what spam is. I know what spam is. there is no need to define it with 3 letters. I'm not doing anything about these invitations at present apart from hitting Delete, same here. I checked linkedin mail and I found 2 messages that may be spam. that's 2 in many years. there are things I don't like in linkedin practice, but realy, I don't get nough spam from them to consider that there is a problem. I get a lot more junk from yahoo... but if there was a distinguishing rule and I saw these invitations significantly more often than once or twice a year then I might well want to treat them like any other form of UCE. I'm not an ISP and don't run mailing lists, so I'm in the fortunate position of being able to deep-six UCE. If I want to buy something I'll research it with a search engine, by talking to friends, etc. but I DO NOT want to be bombarded with UCE just because I happen to have bought a similar item in the past. please don't minsuderstand me. if you get a lot of spam from linkedin, I would like to hear about it. I don't work for linkedin and I don't care for their business, blah blah. I simply care for mail service. if you convince me that linkedin are spammers, I'll have something to say about blocking their mail. but for that, I want evidence. not just a vigilante report with no evidence. up so far, the only thing I've seen is a message forwarded by a debian list. I myself am a member of many debian lists. I do get a lot of junk in these lists, and that spam annoys me, but really, I consider that to be the price for having open lists, and I like that. FWIW I'm far more annoyed by UCE agencies who either don't have an 'un-subscribe' capability or, much worse, who include the line You're receiving this because you subscribed you can un-subscribe by visitingURL and whose URL goes through the motions but doesn't actually unsubscribe you. I'm more annoyed by junk sent to _other_ people. I mean normal people. I can handle the junk I get (after postfix + spamassassin checks, I get about 1 or 2 spams a month). but users of the service get more spam than myself...
Loading receiver within my spamassassin plugin.
I wrote a plugin that tries to do some operation on the receiver mail
address before the message is delivered.
How can i retrieve such address?
$mailTo = $pms-get('EnvelopeTo:addr');
dbg(EvelopeTo-Addr read from mail $mailTo);
and i have this output on the log:
Tue Dec 14 22:45:54 2010 [2807] dbg: generic: EvelopeTo-Addr read from mail
with no address. How can i get it?
Thanks in advance!
--
-Massimiliano Giovine
Aksel Peter Jørgensen dice: Why make things difficult, when it is
possible to make them cryptic and totally illogic, with just a little
bit more effort?
Blog: http://opentalking.blogspot.com
Linus Torvalds doesn't die, he simply returns zero.
Re: Loading receiver within my spamassassin plugin.
On Tue, 2010-12-14 at 22:51 +0100, Massimiliano Giovine wrote:
I wrote a plugin that tries to do some operation on the receiver mail
address before the message is delivered.
Operation? You're not trying to change it, are you?
How can i retrieve such address?
$mailTo = $pms-get('EnvelopeTo:addr');
dbg(EvelopeTo-Addr read from mail $mailTo);
Does that EnvelopeTo header exist?
I guess the actual header, if any, depends on your MTA and glue. The
whitelist_to option in the Conf documentation has a list with likely
candidates.
and i have this output on the log:
Tue Dec 14 22:45:54 2010 [2807] dbg: generic: EvelopeTo-Addr read from mail
with no address. How can i get it?
Thanks in advance!
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Loading receiver within my spamassassin plugin.
# I guess the actual header, if any, depends on your MTA and glue. The
# whitelist_to option in the Conf documentation has a list with likely
# candidates.
I use Postfix. What Conf do you talk about?
I have to compare it with a list in a database and with a custom
header but this is not important.
2010/12/14 Karsten Bräckelmann guent...@rudersport.de:
On Tue, 2010-12-14 at 22:51 +0100, Massimiliano Giovine wrote:
I wrote a plugin that tries to do some operation on the receiver mail
address before the message is delivered.
Operation? You're not trying to change it, are you?
How can i retrieve such address?
$mailTo = $pms-get('EnvelopeTo:addr');
dbg(EvelopeTo-Addr read from mail $mailTo);
Does that EnvelopeTo header exist?
I guess the actual header, if any, depends on your MTA and glue. The
whitelist_to option in the Conf documentation has a list with likely
candidates.
and i have this output on the log:
Tue Dec 14 22:45:54 2010 [2807] dbg: generic: EvelopeTo-Addr read from mail
with no address. How can i get it?
Thanks in advance!
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
--
-Massimiliano Giovine
Aksel Peter Jørgensen dice: Why make things difficult, when it is
possible to make them cryptic and totally illogic, with just a little
bit more effort?
Blog: http://opentalking.blogspot.com
Linus Torvalds doesn't die, he simply returns zero.
Re: Loading receiver within my spamassassin plugin.
Fixicated the copy-n-paste blob to reply...
On Tue, 2010-12-14 at 23:08 +0100, Massimiliano Giovine wrote:
2010/12/14 Karsten Bräckelmann guent...@rudersport.de:
How can i retrieve such address?
$mailTo = $pms-get('EnvelopeTo:addr');
dbg(EvelopeTo-Addr read from mail $mailTo);
Does that EnvelopeTo header exist?
I guess the actual header, if any, depends on your MTA and glue. The
whitelist_to option in the Conf documentation has a list with likely
candidates.
I use Postfix. What Conf do you talk about?
Conf documentation. The SA Conf documentation.
http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html
Also available on your system as 'man Mail::SpamAssassin::Conf'.
I have to compare it with a list in a database and with a custom
header but this is not important.
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: DNSBL for email addresses?
On Tue, Dec 14, 2010 at 6:28 AM, Marc Perkel supp...@junkemailfilter.com wrote: Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a standard? -- Marc Perkel - Sales/Support While not an actual DNSBL, and only loosely related... I have been reading about: http://code.google.com/p/anti-phishing-email-reply/ Dave
Re: DNSBL for email addresses?
On 12/14/2010 2:38 PM, Big Wave Dave wrote: On Tue, Dec 14, 2010 at 6:28 AM, Marc Perkel supp...@junkemailfilter.com wrote: Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a standard? -- Marc Perkel - Sales/Support While not an actual DNSBL, and only loosely related... I have been reading about: http://code.google.com/p/anti-phishing-email-reply/ Dave Thanks - looks useful. -- Marc Perkel - Sales/Support supp...@junkemailfilter.com http://www.junkemailfilter.com Junk Email Filter dot com 415-992-3400
Re: DNSBL for email addresses?
On 14/12/10 14:28, Marc Perkel wrote: Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup Actually, you can use '@' in a lookup. You just can't use it in a hostname. Or you could convert the '@' to a '.' as is the format still used in SOA records. But both of these would have privacy issues: say you've received an email via TLS, your anti-spam system suspects it might be a 419, so you look up a Reply-To address or body email address, and you send a query to the RBL via DNS. But it turns out the message was private ham, and you've lost the protection of TLS. So a hash is best, and I'd suggest SHA1 over MD5. And I do think the idea is worth trying; although freemail identities are cheap, there is still some time and effort and risk of detection involved in creating and checking them. CK
Re: DNSBL for email addresses?
On Tue, 14 Dec 2010, Cedric Knight wrote: So a hash is best, Agreed. and I'd suggest SHA1 over MD5. Just out of curiosity, why? An MD5 hash is shorter than an SHA hash (an important consideration when you're making lots of DNS queries of the hash), MD5 is computationally lighter than SHA, and MD5 is robust enough for this purpose, even though artificial collision scenarios exist. Granted I wouldn't sign a legal document with it any more, but for a private perfect hash of an email address, why not? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Mine eyes have seen the horror of the voting of the horde; They've looted the fromagerie where guv'ment cheese is stored; If war's not won before the break they grow so quickly bored; Their vote counts as much as yours. -- Tam --- Tomorrow: Bill of Rights day
Re: DNSBL for email addresses?
On Tue, 14 Dec 2010 15:52:28 -0800 (PST) John Hardin jhar...@impsec.org wrote: On Tue, 14 Dec 2010, Cedric Knight wrote: So a hash is best, Agreed. and I'd suggest SHA1 over MD5. Just out of curiosity, why? An MD5 hash is shorter than an SHA hash (an important consideration when you're making lots of DNS queries of the hash), MD5 is computationally lighter than SHA, and MD5 is robust enough for this purpose, even though artificial collision scenarios exist. Granted I wouldn't sign a legal document with it any more, but for a private perfect hash of an email address, why not? I don't see that there's all that much added security anyway. I don't think spammers are likely to intercept dns as a way of harvesting addresses. As far as general privacy is concerned, without a shared-secret anyone can generate the hash and look for known addresses. And if you don't add salt to the hash, it's going to be fairly easy to perform an efficient dictionary attack, in which case the choice of hash function makes little difference.
Re: Comment - GFI/SORBS
http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful-part-5/
Re: blacklist.mailrelay.att.net
On 12/14/10 11:31 AM, Giampaolo Tomassoni wrote: I would strongly encourage your ISP to clean up their act by adding an excursion detection system, that watches for bursty outbound traffic patterns, like a sudden spike in outbound SMTP or HTTP connections to a wide spread of addresses. Is Aruba.it so poorly reputed? g I can't speak for their reputation, but when an entire ISP's CIDR blocks get blacklisted (like we did with iWeb.ca) it's usually because they aren't very responsive in dealing with issues when they occur and not proactive about trying to prevent them. -Philip
Re: DNSBL for email addresses?
On 12/14/10 3:35 PM, Cedric Knight wrote: On 14/12/10 14:28, Marc Perkel wrote: Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup Actually, you can use '@' in a lookup. You just can't use it in a hostname. Or you could convert the '@' to a '.' as is the format still used in SOA records. Not just SOA records, but the MB records were supposed to use this as well. They just never caught on. -Philip
Re: Comment - GFI/SORBS
On 12/14/2010 8:06 PM, Bart Schaefer wrote: http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful-part-5/ I've seen the headaches of getting off SORBS, but how did you really end up there? While I agree that SORBS is not reliable enough for use at the MTA level, I've not seen one complaint from my customers over using SORBS in SA. Isn't the beauty of SA the fact that you can score gray areas and not be stuck with black or white? In case it's a mystery, SA scores are automatically generated based on results from the corpus. If those results weren't productive, the rules would either be disabled or their scores adjusted even lower. However, if the corpus isn't representative, the generated scores are in error, and that means we need more trusted submitters. Or maybe your traffic is relatively unique and you should already be generating your own scores? Ultimately, this seems to be more of a witch hunt against SORBS than a SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think it belongs here. /$.02 -- /Jason
Re: Comment - GFI/SORBS
Ultimately, this seems to be more of a witch hunt against SORBS than a SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think it belongs here. Indeed, and it's Lynford and his money grabbing cronies mostly behind it - hence it lacks sophistication.
Re: DNSBL for email addresses?
You can try right hand side black lists (RHSBL) for domain part. On Tue, Dec 14, 2010 at 4:28 PM, Marc Perkel supp...@junkemailfilter.com wrote: Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a standard? -- Marc Perkel - Sales/Support supp...@junkemailfilter.com http://www.junkemailfilter.com Junk Email Filter dot com 415-992-3400
Re: DNSBL for email addresses?
On Tue, 14 Dec 2010, Marc Perkel wrote:
Are there any DNSBLs out there based on email addresses? Since you can't
use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is
there a standard?
Why do you say Since you can't use an @ in a DNS lookup??
Unless you're using obsolete software there's no reason you cannot.
EG:
% nslookup 'a...@khath.com.phish.icaen.uiowa.edu'
Server: dns2.icaen.uiowa.edu
Address: 128.255.17.20
Name:a...@khath.com.phish.icaen.uiowa.edu
Address: 127.0.0.2
% nslookup 'a...@khath.com.phish.icaen.uiowa.edu'
Server: dns2.icaen.uiowa.edu
Address: 128.255.17.20
*** dns2.icaen.uiowa.edu can't find a...@khath.com.phish.icaen.uiowa.edu:
Non-existent host/domain
and that's with bind-9.4, not a particularly new revision.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
SPF_PASS doesn't trigered
I have domain hosted at google apps, and my domain have recomended by google txt record v=spf1 include:_spf.google.com ~all. So far when I receive mail from this domain spamassassin doesn't trigger rule SPF_PASS nor SPF_SOFTFAIL, is this normal? I'm running 3.3.1 version
