app.userengage exploit and apple/itunes phish
Hi, this appears to be some phish using the app.userengage.com service that is still not detected by clam or any URIBL:

https://pastebin.com/raw/3gaVEJSK

It leads to some redirect that's marked as "deceptive" by chrome, but app.userengage.com is a legitimate site, so not sure what's going on with this abuse of their service.
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On Fri, 13 Apr 2018, Sebastian Arcus wrote:

> On 13/04/18 11:36, Giovanni Bechis wrote:
>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:
>>>
>>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;
>>>
>>> On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:
>>>
>>> #score URI_TRY_3LD 2.000 # limit
>>>
>>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?
>>
>> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.
>
> Is that a location on the SA server - or am I supposed to have those dirs locally here? I can't seem to find them anywhere locally.

That's in SVN (the SA source code).

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Individual liberties are always "loopholes" to absolute authority.
---
Today: Thomas Jefferson's 275th Birthday
Re: Please add these blocks
On 4/13/2018 8:40 AM, David Jones wrote:

> P.S. I would love to help with any RBL/URIBLs with honeypot/spamtrap accounts if anyone would like to contact me off list.

I have a few domains that I will _never_ receive email on ... I would like to contribute too.

david

-- 
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding 615 miles (Yes, you read that right) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax deductible donation to my ride by visiting https://gmane.diabetessucks.net. You can see where my donations come from by visiting my interactive donation map ... https://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On 13/04/18 16:39, John Hardin wrote:

> On Fri, 13 Apr 2018, John Hardin wrote:
>> On Fri, 13 Apr 2018, John Hardin wrote:
>>> On Fri, 13 Apr 2018, Giovanni Bechis wrote:
>>>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>>>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?
>>
>> The score in the current update is 0.001 across the board. Are you up-to-date and are you *sure* you don't have any overrides anywhere?
>
> 72_scores.cf:score URI_TRY_3LD 0.001 0.001 0.001 0.001

OK - after more digging it surfaced that the original report with 2.0 score is from a different server than the one I am testing on. That server has 2.0 scores in 4.00/updates_spamassassin_org/72_active.cf

When trying to run sa-update on that server, I am getting errors, so it must be that SA stopped updating a while ago there. I will dig in and find out why.

Thank you for flagging the fact that the default score on the current configs is not supposed to be 2.0!
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On 13/04/18 11:36, Giovanni Bechis wrote:

> On 04/13/18 09:06, Sebastian Arcus wrote:
>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:
>>
>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;
>>
>> On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:
>>
>> #score URI_TRY_3LD 2.000 # limit
>>
>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?
>
> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.

Is that a location on the SA server - or am I supposed to have those dirs locally here? I can't seem to find them anywhere locally.
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On 13 Apr 2018, at 6:36 (-0400), Giovanni Bechis wrote:

> On 04/13/18 09:06, Sebastian Arcus wrote:
>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:
>>
>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;
>>
>> On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:
>>
>> #score URI_TRY_3LD 2.000 # limit
>>
>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else).

That's exceedingly unusual and difficult to explain...

>> Is this a special form of SA syntax?

No, it is an artifact of how sandbox rules are included in the published rules.

> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.
>
> Giovanni

Yes, but it is published in 72_scores.cf with a trivial score:

score URI_TRY_3LD 0.001 0.001 0.001 0.001

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On Fri, 13 Apr 2018, John Hardin wrote:

> On Fri, 13 Apr 2018, John Hardin wrote:
>> On Fri, 13 Apr 2018, Giovanni Bechis wrote:
>>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?
>
> The score in the current update is 0.001 across the board. Are you up-to-date and are you *sure* you don't have any overrides anywhere?

72_scores.cf:score URI_TRY_3LD 0.001 0.001 0.001 0.001

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
How do you argue with people to whom math is an opinion? -- Unknown
---
Today: Thomas Jefferson's 275th Birthday
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On Fri, 13 Apr 2018, John Hardin wrote:

> On Fri, 13 Apr 2018, Giovanni Bechis wrote:
>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:
>>>
>>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;
>>>
>>> On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:
>>>
>>> #score URI_TRY_3LD 2.000 # limit
>>>
>>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?
>>
>> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.
>>
>> Giovanni
>
> When a "score" line is present in a sandbox, that means the masscheck score assignment process will limit the score it calculates to that. If it's commented out or not present, then the masscheck process can assign however high a score it likes based on the rule's performance against the masscheck corpora.
>
> I'll take a look at that rule, I don't remember offhand what I intended it for.

It's fairly broad, intended to hit things like "tryviagra.mumble.com". It's hitting on the "my" prefix on the hostname. I'll add an exclusion.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
How do you argue with people to whom math is an opinion? -- Unknown
---
Today: Thomas Jefferson's 275th Birthday
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On Fri, 13 Apr 2018, Giovanni Bechis wrote:

> On 04/13/18 09:06, Sebastian Arcus wrote:
>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:
>>
>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;
>>
>> On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:
>>
>> #score URI_TRY_3LD 2.000 # limit
>>
>> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?
>
> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.
>
> Giovanni

When a "score" line is present in a sandbox, that means the masscheck score assignment process will limit the score it calculates to that. If it's commented out or not present, then the masscheck process can assign however high a score it likes based on the rule's performance against the masscheck corpora.

I'll take a look at that rule, I don't remember offhand what I intended it for.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
How do you argue with people to whom math is an opinion? -- Unknown
---
Today: Thomas Jefferson's 275th Birthday
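The two mechanisms explained in the thread (a commented-out `#score ... # limit` line being a masscheck cap rather than a live score, and the published score coming from a later `72_scores.cf` line that overrides it) can be checked with a small score-line parser. This is an added example, not SpamAssassin's own code; the cf snippets are constructed from the lines quoted above, and the scoreset numbering (0 = no net tests/no Bayes, 1 = net, 2 = Bayes, 3 = both) is standard SpamAssassin behaviour.

```python
import re

# A live (uncommented) SpamAssassin score line: "score RULE v [v v v] [# comment]".
SCORE_RE = re.compile(r'^\s*score\s+(\S+)\s+([^#]+?)\s*(?:#.*)?$')

def parse_scores(cf_text):
    """Return {rule: [s0, s1, s2, s3]} from the live 'score' lines in cf_text.
    One value applies to all four scoresets; four values map to scoresets 0..3.
    '#score ... # limit' is a comment and sets nothing; a later line wins."""
    scores = {}
    for line in cf_text.splitlines():
        m = SCORE_RE.match(line)
        if not m:  # comments, blank lines, other directives
            continue
        rule, vals = m.group(1), [float(v) for v in m.group(2).split()]
        if len(vals) == 1:
            vals = vals * 4
        elif len(vals) != 4:
            raise ValueError(f"malformed score line: {line!r}")
        scores[rule] = vals
    return scores

def resolve(files):
    """Apply (name, text) cf files in load order; the last definition wins."""
    scores = {}
    for _name, text in files:
        scores.update(parse_scores(text))
    return scores

def effective_score(scores, rule, net=True, bayes=True):
    """Scoreset 0: no net, no Bayes; 1: net; 2: Bayes; 3: both. No line at all: 1.0."""
    return scores.get(rule, [1.0] * 4)[(1 if net else 0) + (2 if bayes else 0)]

def masscheck_cap(sandbox_text, rule):
    """A live score line in a sandbox file caps what masscheck may assign;
    a commented-out one leaves masscheck free to pick any score."""
    return parse_scores(sandbox_text).get(rule)

def assign_score(measured, cap):
    """Clamp a masscheck-derived score set to the sandbox cap, if any."""
    return measured if cap is None else [min(m, c) for m, c in zip(measured, cap)]

# Constructed snippets in load order, modelled on the files named in the thread.
CURRENT_UPDATE = [("72_active.cf", "#score URI_TRY_3LD 2.000 # limit\n"),
                  ("72_scores.cf", "score URI_TRY_3LD 0.001 0.001 0.001 0.001\n")]
STALE_UPDATE = [("72_active.cf", "score URI_TRY_3LD 2.000\n")]  # old rule set, never refreshed
if __name__ == "__main__":
    print(effective_score(resolve(CURRENT_UPDATE), "URI_TRY_3LD"))  # 0.001
    print(effective_score(resolve(STALE_UPDATE), "URI_TRY_3LD"))    # 2.0
```

Running the same resolver over a server's real rule directory in load order is a quick way to confirm which file is supplying a surprising score before assuming a local override.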
Re: Please add these blocks
Done for PCCC's wild list.

-- 
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Fri, Apr 13, 2018 at 9:40 AM, David Jones wrote:

> Calling all RBL/URIBL operators on this list, please block these:
>
> https://pastebin.com/gGkK2gMq
>
> https://pastebin.com/L7gygRn7
>
> https://pastebin.com/ukaQ1pps
>
> https://pastebin.com/DBiUT6k3
>
> https://pastebin.com/Hcm6mLzx
>
> I receive a ton of these daily and they aren't listed on anyone's RBL/URIBL.
>
> P.S. I would love to help with any RBL/URIBLs with honeypot/spamtrap accounts if anyone would like to contact me off list.
>
> --
> David Jones
Please add these blocks
Calling all RBL/URIBL operators on this list, please block these:

https://pastebin.com/gGkK2gMq
https://pastebin.com/L7gygRn7
https://pastebin.com/ukaQ1pps
https://pastebin.com/DBiUT6k3
https://pastebin.com/Hcm6mLzx

I receive a ton of these daily and they aren't listed on anyone's RBL/URIBL.

P.S. I would love to help with any RBL/URIBLs with honeypot/spamtrap accounts if anyone would like to contact me off list.

-- 
David Jones
Re: URI_TRY_3LD fp's with QuickBooks Intuit emails
On 04/13/18 09:06, Sebastian Arcus wrote:

> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:
>
> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;
>
> On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:
>
> #score URI_TRY_3LD 2.000 # limit
>
> But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?

the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.

Giovanni
URI_TRY_3LD fp's with QuickBooks Intuit emails
Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule:

Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://myturbotax.intuit.com;

On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:

#score URI_TRY_3LD 2.000 # limit

But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?

Thank you for any answers