Re: Spammers, IPv6 addresses, and dnsbls

2018-03-07 Thread Benny Pedersen

Philip wrote on 2018-03-07 21:12:

> Providers like Linode assign a single IPv6 address from a /64. I had
> to request my own block of /64 to use on my server as my IP neighbors

you can masq your ipv6 if you have 2 /64 in your ifconfig info

don't blame linode for sleeping with slaac :=)

new vps does not have 2 /64 in ifconfig


Re: Spammers, IPv6 addresses, and dnsbls

2018-03-07 Thread Philip

Hi there,

Providers like Linode assign a single IPv6 address from a /64. I had to 
request my own block of /64 to use on my server as my IP neighbors were 
always getting the /64 blocked... since I've had my own I've been all 
good.  Before this my IPv6 IP was getting blocked daily because of 
someone else on that /64.  It was quite annoying for myself.


Phil

ps your server blocks .nz domains :P

On 03/03/2018 00:54, Daniele Duca wrote:

> Hello list,
>
> apologies if this is not directly SA related. "Lately" I've started to
> notice that some (not saying names) VPS providers, when offering v6
> connectivity, sometimes tend not to follow the best practice of
> giving a /64 to their customer, routing to them much smaller v6
> subnets, while still giving them the usual /30 or /29 v4 subnets.
>
> What is happening is that whenever a spammer buys a VPS with those
> providers and gets blacklisted, most of the time the dnsbls list the
> whole v6 /64, while still listing only the single IPv4 address. This
> makes some sense, as it would be enormously resource intensive to
> track each of the 18,446,744,073,709,551,616 addresses in the /64, but
> unfortunately not respecting basic v6 subnetting rules causes
> reputation problems also for the other customers that have the bad
> luck of living in the same /64 and are using their VPS as an outgoing
> mail server.
>
> While I'm not judging the reasons why VPS providers are doing this
> type of useless v6 subnetting (micronetting?), I've started to deploy
> some countermeasures to avoid FPs. Specifically I wrote a rule that
> identifies if the last untrusted relay is a v6 address, and is then
> subsequently used in other meta rules that subtract some points in
> dnsbl tests that check the -lastexternal IP address on v6-aware lists.
>
> I know that this is probably not the best solution, but I've started to see
> real FPs that worried me. I've even pondered whether it could make sense to
> go back to v4-only connectivity for my inbound MTAs.
>
> If you are in a similar situation I would very much like to discuss
> what would be the best approach to balance spam detection while
> avoiding FPs.
>
> Regards
>
> Daniele Duca
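
Daniele's /64 problem and his countermeasure, as an added Python example (not code from the thread or from SpamAssassin): it builds the DNSBL query name for v4 and v6 relays, shows that a listing keyed by /64 also covers a VPS neighbour, and subtracts points when the hit is on a v6 last-external relay. The listing data, the relay pseudo-header line and the point values are constructed; the X-Spam-Relays-External layout is assumed from the SpamAssassin documentation.

```python
import ipaddress
import re
from typing import Optional

# Constructed stand-in for a DNSBL's data: IPv4 entries are single addresses,
# IPv6 entries are whole /64s, as the thread describes. Documentation
# prefixes only (RFC 5737 / RFC 3849).
LISTED_V4 = {ipaddress.ip_address("192.0.2.10")}
LISTED_V6_64 = {ipaddress.ip_network("2001:db8:1234:abcd::/64")}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a client looks up in a DNS-based list: reversed octets for IPv4,
    all 32 hex nibbles reversed for IPv6 (the RFC 5782 convention)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def covering_64(ip: str) -> ipaddress.IPv6Network:
    """The /64 a list records for a v6 sender; every VPS handed a single
    address out of that /64 shares the listing."""
    return ipaddress.ip_network(ip + "/64", strict=False)

def dnsbl_listed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return addr in LISTED_V4
    return any(addr in net for net in LISTED_V6_64)

def last_external_ip(relays_external: str) -> Optional[str]:
    """First ip= of SpamAssassin's X-Spam-Relays-External pseudo-header is
    the last external relay (layout assumed from the SA docs; the parser is
    this example's own)."""
    m = re.search(r"\bip=(\S+)", relays_external)
    return m.group(1) if m else None

def score_dnsbl_hit(ip: str, hit: float = 3.0, v6_adjust: float = -1.5) -> float:
    """Daniele's countermeasure: a list hit on a v6 last-external relay has
    points subtracted, since the listing may be a /64 neighbour's doing."""
    if not dnsbl_listed(ip):
        return 0.0
    return hit + (v6_adjust if ipaddress.ip_address(ip).version == 6 else 0.0)

# Constructed pseudo-header: a neighbour in the same /64 as the listed spammer.
RELAYS = ("[ ip=2001:db8:1234:abcd:ffff::1 rdns=vps.example.net "
          "helo=vps.example.net by=mx.example.org intl=0 msa=0 ]")
```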

Re: Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Daniele Duca

On 07/03/2018 17:32, Jakob Curdes wrote:

>> Since I get the majority of these emails in Italian, I've written a
>> meta rule that takes into account:
>
> Hello Duca, would you share this rule with us? I would be interested
> in looking at the results, as we also have lots of these messages here.
>
> JC

Hi,

I believe my rule wouldn't be as useful for you because a part of it is
related to misspelled Italian words (I believe they sloppily translated
from English).


However, I'll drop an email to you offlist with the other relevant parts 
to avoid eventual spammers lurking here ;)


Daniele


Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-07 Thread shanew

Just FYI, it does add 3.0 points as soon as it sees any chaining at
all.  The other 5.0 points get added at 10 redirections.  That said,
I think your guess is right that redirections start to look really
suspicious after just 3 or 4.


On Sat, 3 Mar 2018, @lbutlr wrote:

> On Feb 26, 2018, at 09:55, sha...@shanew.net wrote:
>
>> This is why the DecodeShortURLs plugin has an explicit limit of 10
>> lookups (and penalizes such with a total of 8 points).
>
> I'd guess more than one redirect is highly suspicious and more than two is
> probably a waste of time, just score 5.0 and be done with it.
>
> Has anyone done any analysis on multi-redirects?


--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Jakob Curdes


> Since I get the majority of these emails in Italian, I've written a meta rule
> that takes into account:

Hello Duca, would you share this rule with us? I would be interested in
looking at the results, as we also have lots of these messages here.

JC


Re: Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Sebastian Arcus


On 07/03/18 11:25, Leandro wrote:
> 2018-03-07 5:52 GMT-03:00 Sebastian Arcus:
>
>> 6. The links they include in the body of the email are almost never
>> flagged up either by Clam or SpamAssassin - and they point to a
>> different domain in every single message.
>
> Although they use multiple domains in the URLs in the body, many of these
> URLs are addressed to the same IPv4/IPv6 address or IP ranges, that is
> just one shared web server or a group of shared web servers of the spammer.
>
> The key to solving this problem is that you all start to cross the data
> and start scoring the URL host IP, that is the exact fiscal place they
> want you to visit even fired by many hacked mail servers in the world and
> many distinct domains. The mail services and domains are very dispersed
> but the web servers are very concentrated.


As far as I can tell, the URLs in the spam I see point to PHP scripts 
on various compromised servers - which, maybe, further redirect to the 
final payment servers. But thank you for the suggestion - I will keep an 
eye on it.


Re: Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Sebastian Arcus

On 07/03/18 09:08, Daniele Duca wrote:

> On 07/03/2018 09:52, Sebastian Arcus wrote:
>
>> I have this one email account receiving, for more than a year, a very
>> specific type of spam which I find very difficult to block:
>>
>> 1. The messages are all kept very short, generally below 20 words - I
>> assume so that Bayes is less efficient at classifying them?
>>
>> 2. Although they are all invitations to sex, or making money - they
>> are phrased differently every time and use different words - so Bayes
>> scores are consistently low.
>
> Hi Sebastian,
>
> I know perfectly well what type of email you are talking about; I've seen
> them written at least in Italian, English and Spanish. If you click the
> link you are redirected to shady dating websites or
> bitcoin/investment scam sites (at least in my experience).
>
> Since I get the majority of these emails in Italian, I've written a meta
> rule that takes into account:
>
> - Common misspelled words/phrases
> - Body lines must be < 5
> - The common pattern in all the URLs. Take a close look at them, there
> IS a pattern, not writing it here for obvious reasons :)


Thank you so much for that! The emails I see don't usually have spelling 
mistakes, but you are right, it seems that the URL is the way to go. 
I've been looking for patterns in the headers and source servers all 
along - it never crossed my mind to check the body! Thanks again.


Re: Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Leandro
2018-03-07 5:52 GMT-03:00 Sebastian Arcus:

>
> 6. The links they include in the body of the email are almost never
> flagged up either by Clam or SpamAssassin - and they point to a different
> domain in every single message.
>

Although they use multiple domains in the URLs in the body, many of these URLs
are addressed to the same IPv4/IPv6 address or IP ranges, that is just one
shared web server or a group of shared web servers of the spammer.

The key to solving this problem is that you all start to cross the data and
start scoring the URL host IP, that is the exact fiscal place they want you
to visit even fired by many hacked mail servers in the world and many distinct
domains. The mail services and domains are very dispersed but the web
servers are very concentrated.

We are doing this technique here and the problem has been mitigated for our
customers.


>
> The bizarre thing is that I only see them coming to this one particular
> email account, at a single domain of all the ones I administer. Based on
> the above whoever sends them really knows what they are doing, and must have
> significant resources at their disposal - but I still have no idea why they
> only hit this particular email address. I can only assume that greylisting
> wouldn't help much, as they seem to arrive from properly configured SMTP
> servers, which would retry like any other regular SMTP server and bypass
> greylisting. Has anybody else seen these, and is there anything else that I
> could try to block them?
>


Re: Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Daniele Duca

On 07/03/2018 09:52, Sebastian Arcus wrote:

> I have this one email account receiving, for more than a year, a very
> specific type of spam which I find very difficult to block:
>
> 1. The messages are all kept very short, generally below 20 words - I
> assume so that Bayes is less efficient at classifying them?
>
> 2. Although they are all invitations to sex, or making money - they
> are phrased differently every time and use different words - so Bayes
> scores are consistently low.

Hi Sebastian,

I know perfectly well what type of email you are talking about; I've seen 
them written at least in Italian, English and Spanish. If you click the 
link you are redirected to shady dating websites or 
bitcoin/investment scam sites (at least in my experience).


Since I get the majority of these emails in Italian, I've written a meta 
rule that takes into account:


- Common misspelled words/phrases
- Body lines must be < 5
- The common pattern in all the URLs. Take a close look at them, there 
IS a pattern, not writing it here for obvious reasons :)


If all these conditions are matched the email is flagged. So far (about 
6 months), no complaints. If you have only one address that receives 
these emails I'd add a test to see if the recipient is that specific one, 
for more precision.


Hope it helps
Daniele
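
Leandro's suggestion of scoring the IP the link host resolves to, and Daniele's meta rule above, combined in one added Python example (not code from either poster): the resolver table, misspelling list, URL pattern, recipient address and sample messages are all constructed stand-ins, since the real pattern was deliberately not posted.

```python
import ipaddress
import re
from email import message_from_string

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s<>\"]*)?")
# Constructed resolver table standing in for DNS: throwaway domains that all
# land on one shared web server range, as Leandro describes.
RESOLVE = {"first.invalid": "203.0.113.20", "second.invalid": "203.0.113.21",
           "shop.example.com": "198.51.100.7"}
BAD_WEB_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed stand-ins for what Daniele kept off-list: a misspelling list,
# a URL path pattern (hypothetical) and the one recipient being targeted.
MISSPELLINGS = {"recieve", "opportunty"}
URL_PATTERN = re.compile(r"/go\.php\?[a-z]=\w+$")
TARGET_RCPT = "target@example.org"

def url_parts(body: str) -> list:
    """(host, path) for every http(s) URL in the body."""
    return [(h.lower(), p or "/") for h, p in URL_RE.findall(body)]

def host_ip_score(hosts, points: float = 4.0) -> float:
    """Leandro's technique: score the IP a link host resolves to, so a fresh
    domain on an already-known web server range still scores."""
    for h in hosts:
        ip = RESOLVE.get(h)
        if ip and any(ipaddress.ip_address(ip) in n for n in BAD_WEB_RANGES):
            return points
    return 0.0

def meta_rule(msg) -> bool:
    """Daniele's meta: short body AND a misspelt word AND the URL pattern,
    plus his suggested recipient test."""
    body = msg.get_payload()
    lines = [l for l in body.splitlines() if l.strip()]
    words = set(re.findall(r"[a-z']+", body.lower()))
    return (len(lines) < 5 and bool(words & MISSPELLINGS)
            and any(URL_PATTERN.search(p) for _, p in url_parts(body))
            and msg.get("To", "").strip().lower() == TARGET_RCPT)

def score(raw: str, meta_points: float = 5.0) -> float:
    """Combined score for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hosts = [h for h, _ in url_parts(msg.get_payload())]
    return host_ip_score(hosts) + (meta_points if meta_rule(msg) else 0.0)

# Constructed sample messages (neutral wording, not real spam text).
SPAM = ("To: target@example.org\nSubject: hi\n\n"
        "Hello, you can recieve more, see\nhttp://first.invalid/go.php?x=abc12\n")
HAM = ("To: other@example.org\nSubject: order\n\nYour order shipped.\n"
       "Track it at https://shop.example.com/track/991\nThanks.\nRegards\nShop\n")
```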


Extremely persistent sex/make money spam with very little text in the body

2018-03-07 Thread Sebastian Arcus
I have this one email account receiving, for more than a year, a very 
specific type of spam which I find very difficult to block:


1. The messages are all kept very short, generally below 20 words - I 
assume so that Bayes is less efficient at classifying them?


2. Although they are all invitations to sex, or making money - they are 
phrased differently every time and use different words - so Bayes scores 
are consistently low.


3. They come from servers all around the world - possibly compromised, 
or maybe quickly set up and taken down - so they are usually not flagged 
by blacklists.


4. Pyzor tends to flag most of them up though.

5. In most cases, DKIM is correct, SPF is fine, and the headers are all 
correct - so they don't hit any other rules.


6. The links they include in the body of the email are almost never 
flagged up either by Clam or Spamassassin - and they point to a 
different domain in every single message.


The bizarre thing is that I only see them coming to this one particular 
email account, at a single domain of all the ones I administer. Based on 
the above whoever sends them really knows what they are doing, and must 
have significant resources at their disposal - but I still have no idea 
why they only hit this particular email address. I can only assume that 
greylisting wouldn't help much, as they seem to arrive from properly 
configured SMTP servers, which would retry like any other regular SMTP 
server and bypass greylisting. Has anybody else seen these, and is there 
anything else that I could try to block them?