Re: Legit Yahoo mail servers list
>From: Matus UHLAR - fantomas >> Seems to me like >>Yahoo doesn't have a good list of IPs so they took this shortcut >>which is technically legitimate but it's making up for their incompetence >>not having a handle on their mail flow. >That doesn't mean incompetence. using PTR is official way, and while not so >often used, it's perfectly valid. >The whole fact you want their IP ranges does not mean they are not competent >when they don't publish them in SPF. >the fact that you can't whitelist their IPs based on their SPF record does >not mean there's anything wrong with the SPF record itself... Read back through this thread. I never said their SPF record is invalid. All I said is their SPF record is not common and it makes it very hard for anyone to know what the official Yahoo outbound mail servers are. We have to work very hard to get our MTAs to whitelist them. It's in their own best interest to make this information easily available to the Internet since so much spam comes out of their platform. They are too large to not whitelist. An SPF record is a useful way to build such a whitelist when it can be parsed into IPs and CIDRs. That is all.
Re: Legit Yahoo mail servers list
From: Matus UHLAR - fantomas Still no practical difference between using IP ranges or rdns in SPF. On 28.01.17 14:27, David Jones wrote: Most SPF records published are not like this. so... what? Seems to me like Yahoo doesn't have a good list of IPs so they took this shortcut which is technically legitimate but it's making up for their incompetence not having a handle on their mail flow. That doesn't mean incompetence. using PTR is official way, and while not so often used, it's perfectly valid. The whole fact you want their IP ranges does not mean they are not competent when they don't publish them in SPF. the fact that you can't whitelist their IPs based on their SPF record does not mean there's anything wrong with the SPF record itself... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux - It's now safe to turn on your computer. Linux - Teraz mozete pocitac bez obav zapnut.
Re: Legit Yahoo mail servers list
>From: Matus UHLAR - fantomas >Still no practical difference between using IP ranges or rdns in SPF. Most SPF records published are not like this. Seems to me like Yahoo doesn't have a good list of IPs so they took this shortcut which is technically legitimate but it's making up for their incompetence not having a handle on their mail flow. They could have specific mail ranges that all of their outbound mail comes from all over the world and keep that pretty static so the rest of us could properly whitelist their email. >Well - if postscreen was able to use rdns, this discussion would be useless, >since you'd whitelist .yahoo.com in postscreen, wouldn't you? Ok. Postscreen doesn't use RDNS. I stand corrected. I will try to solve this problem in my Postfix settings since it does use RDNS. If not, I guess I will give up and continue to have the occassional issue woth inbound mail from Yahoo. I doesn't happen often, I was just trying to handle Yahoo mail in MailScanner/ SpamAssassin compeltely by letting through the MTA.
Re: Legit Yahoo mail servers list
Am 27.01.2017 um 17:57 schrieb David Jones: >if you have trouble to get large providers past postscreen your rbl mix >or scoring is just plain wrong >configure postscreen proper and adjust RBL scores in spamassassin to get >the rest killed, we are using the same DNSBL/DNSWL in postscreen and >spamassassin starting 2014 and until now there hwere very few to zero >complaints I have pretty much the exact same postscreen as below. It all depends on senders to your recipients. I may have a rural telecom company in Wisconsin, USA that needs to send emai; to one of my recipients that is listed on a couple of RBLs below that your mail server doesn't need to receive. I just ran into this yesterday. >postscreen_dnsbl_threshold = 8 >postscreen_dnsbl_action = enforce >postscreen_greet_action = enforsce >postscreen_greet_wait = ${stress?3}${stress:10}s >postscreen_dnsbl_sites = > dnsbl.sorbs.net=127.0.0.10*9 > dnsbl.sorbs.net=127.0.0.14*9 > zen.spamhaus.org=127.0.0.[10;11]*8 > dnsbl.sorbs.net=127.0.0.5*7 > zen.spamhaus.org=127.0.0.[4..7]*7 > b.barracudacentral.org=127.0.0.2*7 > zen.spamhaus.org=127.0.0.3*7 > dnsbl.inps.de=127.0.0.2*7 > hostkarma.junkemailfilter.com=127.0.0.2*4 > dnsbl.sorbs.net=127.0.0.7*4 > bl.spamcop.net=127.0.0.2*4 > bl.spameatingmonkey.net=127.0.0.[2;3]*4 > dnsrbl.swinog.ch=127.0.0.3*4 > ix.dnsbl.manitu.net=127.0.0.2*4 > psbl.surriel.com=127.0.0.2*4 > bl.mailspike.net=127.0.0.[10;11;12]*4 > bl.mailspike.net=127.0.0.2*4 > zen.spamhaus.org=127.0.0.2*3 > score.senderscore.com=127.0.4.[0..20]*3 > bl.spamcannibal.org=127.0.0.2*3 > dnsbl.sorbs.net=127.0.0.6*3 > dnsbl.sorbs.net=127.0.0.8*2 > hostkarma.junkemailfilter.com=127.0.0.4*2 > dnsbl.sorbs.net=127.0.0.9*2 > dnsbl-1.uceprotect.net=127.0.0.2*2 > all.spamrats.com=127.0.0.38*2 > bl.nszones.com=127.0.0.[2;3]*1 > dnsbl-2.uceprotect.net=127.0.0.2*1 > dnsbl.sorbs.net=127.0.0.2*1 > dnsbl.sorbs.net=127.0.0.4*1 > score.senderscore.com=127.0.4.[0..69]*1 > dnsbl.sorbs.net=127.0.0.3*1 > hostkarma.junkemailfilter.com=127.0.1.2*1 > dnsbl.sorbs.net=127.0.0.15*1 > ips.backscatterer.org=127.0.0.2*1 > bl.nszones.com=127.0.0.5*-1 > score.senderscore.com=127.0.4.[90..100]*-1 > wl.mailspike.net=127.0.0.[18;19;20]*-2 > hostkarma.junkemailfilter.com=127.0.0.1*-2 > ips.whitelisted.org=127.0.0.2*-2 > list.dnswl.org=127.0.[0..255].0*-2 > dnswl.inps.de=127.0.[0;1].[2..10]*-2 > list.dnswl.org=127.0.[0..255].1*-3 > list.dnswl.org=127.0.[0..255].2*-4 > list.dnswl.org=127.0.[0..255].3*-5
spample: banking credential phish using linked image (with no text)
SpamAssassin caught this phish, however some tweaks would have let it thru, and it's an interesting new (to me) approach, so I figured I'd share it with y'all. Full raw spample (with MUNGED email addresses): http://puffin.net/software/spam/samples/0053_phish_image.txt At arrival time, the domain "alshimisiani" was only on URIBL Black (the webhost's SA does not run URIBL, so that was caught by my post-SA filter). The HTML link had all manner of weirdness (in particular, that Google "data-saferedirecturl" thingie), so I did a raw HTTP GET of the image, semi-thinking it was going to be borked or lame. Instead, I saw this very nicely done, VERY convincing image: http://puffin.net/software/spam/samples/0053_phish_image.png I've never noticed that style before. I've seen similar with attached image(s), however I rarely pull down remote images. For a while, I've been concerned that spammers would move to more remote images in phish, and have been thinking about adding arrival-time pull-down & analysis of them. ** Has anyone noticed this tactic, and, if so, has it been going on for a while? Also of interest is the main URL. It looks like the site is legit and was cracked/hijacked. The page used javascript and a meta refresh to redirect to a different apparently-cracked site, with an interesting 3 hops within that site, before the final pure javascript payload. I don't have the time to analyze the js, however it is somewhat unusual/different from what I've seen in the past. If it's down by the time anyone legit checks it, feel free to email me off-list for a copy (LEGIT geeks only and note that I'll be mostly offline for the next 4-7 days). I _VERY_ briefly researched the token "data-saferedirecturl", and my first impression is that maybe it shouldn't occur in email, so it may be a good test. ** What do the HTML gurus think? Perhaps it would be worthwhile to MassCheck a meta of "BODY_URI_ONLY" with highly phish-y From.RealNames? I just checked the last 3 months of my best corpora, and ham hits on "BODY_URI_ONLY" were in three categories (highest to lowest volume): - DMARC reports - ESP/bulk (with SA scores between -4.0 and 5.3) - person-to-person with an image attachment I'm already selectively "skip" listing all three scenarios, in particular DMARC reports (i.e. I never "white" list, I have my rules segmented into groups that can be easily skipped). - "Chip"