app.userengage exploit and apple/itunes phish

2018-04-13 Thread Alex
Hi, this appears to be some phish using the app.userengage.com service
that is still not detected by clam or any URIBL

https://pastebin.com/raw/3gaVEJSK

It leads to some redirect that's marked as "deceptive" by chrome, but
app.userengage.com is a legitimate site, so not sure what's going on
with this abuse of their service.


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, Sebastian Arcus wrote:

> On 13/04/18 11:36, Giovanni Bechis wrote:
>
>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>
>>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit
>>> with the above rule:
>>>
>>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==>
>>> got hit: "https://myturbotax.intuit.com"
>>>
>>> On a slightly different note, and mainly for my curiosity to understand SA
>>> rules syntax, in 72_active.cf, the score seems to be commented out:
>>>
>>> #score   URI_TRY_3LD   2.000   # limit
>>>
>>> But when it hits, it still adds 2.0 to the score (and I haven't customized
>>> the score anywhere else). Is this a special form of SA syntax?
>>
>> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with
>> tflags publish.
>
> Is that a location on the SA server - or am I supposed to have those dirs
> locally here? I can't seem to find them anywhere locally.

That's in SVN (the SA source code).


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Individual liberties are always "loopholes" to absolute authority.
---
 Today: Thomas Jefferson's 275th Birthday

Re: Please add these blocks

2018-04-13 Thread David Gibbs

On 4/13/2018 8:40 AM, David Jones wrote:

> P.S.  I would love to help with any RBL/URIBLs with honeypot/spamtrap
> accounts if anyone would like to contact me off list.

I have a few domains that I will _never_ receive email on ... I would like to
contribute too.

david
 



--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding 615 miles (Yes, you read that right) in the American Diabetes 
Association's Tour de Cure to raise money for diabetes research, education, 
advocacy, and awareness.  You can make a tax deductible donation to my ride by 
visiting https://gmane.diabetessucks.net.

You can see where my donations come from by visiting my interactive donation 
map ... https://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!



Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Sebastian Arcus


On 13/04/18 16:39, John Hardin wrote:

> On Fri, 13 Apr 2018, John Hardin wrote:
>
>> On Fri, 13 Apr 2018, John Hardin wrote:
>>
>>> On Fri, 13 Apr 2018, Giovanni Bechis wrote:
>>>
>>>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>>>
>>>>> But when it hits, it still adds 2.0 to the score (and I haven't
>>>>> customized the score anywhere else). Is this a special form of SA
>>>>> syntax?
>
> The score in the current update is 0.001 across the board. Are you
> up-to-date and are you *sure* you don't have any overrides anywhere?
>
>    72_scores.cf:score URI_TRY_3LD    0.001 0.001 0.001 0.001

OK - after more digging it surfaced that the original report with 2.0
score is from a different server than the one I am testing on. That
server has 2.0 scores in 4.00/updates_spamassassin_org/72_active.cf

When trying to run sa-update on that server, I am getting errors, so it
must be that SA stopped updating a while ago there. I will dig in and
find out why. Thank you for flagging the fact that the default score on
the current configs is not supposed to be 2.0!


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Sebastian Arcus


On 13/04/18 11:36, Giovanni Bechis wrote:

> On 04/13/18 09:06, Sebastian Arcus wrote:
>
>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the
>> above rule:
>>
>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit:
>> "https://myturbotax.intuit.com"
>>
>> On a slightly different note, and mainly for my curiosity to understand SA
>> rules syntax, in 72_active.cf, the score seems to be commented out:
>>
>> #score   URI_TRY_3LD   2.000   # limit
>>
>> But when it hits, it still adds 2.0 to the score (and I haven't customized the
>> score anywhere else). Is this a special form of SA syntax?
>
> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags
> publish.

Is that a location on the SA server - or am I supposed to have those dirs
locally here? I can't seem to find them anywhere locally.


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Bill Cole

On 13 Apr 2018, at 6:36 (-0400), Giovanni Bechis wrote:

> On 04/13/18 09:06, Sebastian Arcus wrote:
>
>> Hello all. I am getting some fp's with emails from QuickBooks /
>> Intuit with the above rule:
>>
>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD
>> ==> got hit: "https://myturbotax.intuit.com"
>>
>> On a slightly different note, and mainly for my curiosity to
>> understand SA rules syntax, in 72_active.cf, the score seems to be
>> commented out:
>>
>> #score   URI_TRY_3LD   2.000   # limit
>>
>> But when it hits, it still adds 2.0 to the score (and I haven't
>> customized the score anywhere else).

That's exceedingly unusual and difficult to explain...

>> Is this a special form of SA syntax?

No, it is an artifact of how sandbox rules are included in the published
rules.

> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf
> with tflags publish.
>
>  Giovanni

Yes, but it is published in 72_scores.cf with a trivial score:

score URI_TRY_3LD   0.001 0.001 0.001 0.001



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
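Added example, not code from the thread: a small resolver that models how SpamAssassin arrives at a rule's effective score from several .cf files. It shows why the commented-out `#score ... # limit` line in 72_active.cf sets nothing, why the four-value line in 72_scores.cf wins, and which file set the value when you are chasing an unexpected score. The config contents are constructed stand-ins for the files named in the thread; the single-directory "sorted filename, last definition wins" model is an assumption that ignores the separate site-rules directory read afterwards.

```python
import re

# Constructed stand-ins for the two files discussed in the thread; the real
# rule files are not reproduced here.
CONFIG_FILES = {
    "72_active.cf": "#score   URI_TRY_3LD   2.000   # limit\n",
    "72_scores.cf": "score URI_TRY_3LD   0.001 0.001 0.001 0.001\n",
}

# A live "score" line: rule name, 1 or 4 numeric values, optional trailing comment.
# A line starting with '#' never matches, whatever it says after the '#'.
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+([-\d.\s]+?)\s*(?:#.*)?$")


def parse_scores(text, filename):
    """Yield (rule, [s0, s1, s2, s3], filename) for each live score line.

    One value applies to all four score sets; four values set them in turn
    (0: no Bayes and no net tests, 1: net only, 2: Bayes only, 3: both).
    """
    for line in text.splitlines():
        m = SCORE_LINE.match(line)
        if not m:
            continue
        rule, values = m.group(1), [float(v) for v in m.group(2).split()]
        if len(values) == 1:
            values = values * 4
        if len(values) != 4:
            raise ValueError(f"{filename}: malformed score line: {line!r}")
        yield rule, values, filename


def effective_score(files, rule, score_set=3):
    """Return (score, file_that_set_it) for one rule and score set.

    Assumed model: files in one directory are read in sorted filename order and
    a later definition overrides an earlier one; a rule with no score line at
    all defaults to 1.0 (source None).
    """
    score, source = 1.0, None
    for filename in sorted(files):
        for name, values, fn in parse_scores(files[filename], filename):
            if name == rule:
                score, source = values[score_set], fn
    return score, source
```

Run `effective_score(CONFIG_FILES, "URI_TRY_3LD")` to get `(0.001, "72_scores.cf")`; a stale tree whose 72_active.cf still carries an uncommented `score URI_TRY_3LD 2.000` resolves to 2.0 from that file instead.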


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, John Hardin wrote:

> On Fri, 13 Apr 2018, John Hardin wrote:
>
>> On Fri, 13 Apr 2018, Giovanni Bechis wrote:
>>
>>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>>
>>>> But when it hits, it still adds 2.0 to the score (and I haven't
>>>> customized the score anywhere else). Is this a special form of SA syntax?

The score in the current update is 0.001 across the board. Are you
up-to-date and are you *sure* you don't have any overrides anywhere?

  72_scores.cf:score URI_TRY_3LD    0.001 0.001 0.001 0.001

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 Today: Thomas Jefferson's 275th Birthday


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, John Hardin wrote:

> On Fri, 13 Apr 2018, Giovanni Bechis wrote:
>
>> On 04/13/18 09:06, Sebastian Arcus wrote:
>>
>>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit
>>> with the above rule:
>>>
>>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==>
>>> got hit: "https://myturbotax.intuit.com"
>>>
>>> On a slightly different note, and mainly for my curiosity to understand SA
>>> rules syntax, in 72_active.cf, the score seems to be commented out:
>>>
>>> #score   URI_TRY_3LD   2.000   # limit
>>>
>>> But when it hits, it still adds 2.0 to the score (and I haven't customized
>>> the score anywhere else). Is this a special form of SA syntax?
>>
>> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with
>> tflags publish.
>>
>> Giovanni
>
> When a "score" line is present in a sandbox, that means the masscheck score
> assignment process will limit the score it calculates to that.
>
> If it's commented out or not present, then the masscheck process can assign
> however high a score it likes based on the rule's performance against the
> masscheck corpora.
>
> I'll take a look at that rule, I don't remember offhand what I intended it
> for.

It's fairly broad, intended to hit things like "tryviagra.mumble.com".
It's hitting on the "my" prefix on the hostname. I'll add an exclusion.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 Today: Thomas Jefferson's 275th Birthday
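Added example, not the project's rule and not from the thread: a hypothetical stand-in for a broad "prefix on the third-level label" URI rule, the exclusion pattern that carves out the bare "my" prefix (the SpamAssassin equivalent is a `meta` of the form `BROAD && !EXCLUSION`), and a check over a constructed ham/spam URI corpus showing the false positive on myturbotax.intuit.com before the exclusion and its absence after. Both regexes and the corpus are assumptions built from the thread's description, not the real URI_TRY_3LD.

```python
import re

# Assumed broad rule: a marketing-style prefix (try/buy/get/my) starting the
# third-level label of a hostname. Modelled on "tryviagra.mumble.com"; the real
# URI_TRY_3LD regex is not on the page.
PREFIX_3LD = re.compile(
    r"^https?://(?:try|buy|get|my)[a-z0-9-]+\.[a-z0-9-]+\.[a-z]{2,}(?:[/:?]|$)",
    re.IGNORECASE,
)

# Assumed exclusion: legitimate vendor portals routinely use a bare "my" prefix
# (myturbotax.intuit.com), so a "my..." label alone should not score.
MY_PREFIX = re.compile(r"^https?://my[a-z0-9-]+\.", re.IGNORECASE)


def rule_hits(uri, exclude_my=True):
    """Evaluate the broad rule, optionally AND-ed with the negated exclusion."""
    if not PREFIX_3LD.search(uri):
        return False
    if exclude_my and MY_PREFIX.search(uri):
        return False
    return True


# Constructed corpus of (uri, is_spam); not real traffic.
CORPUS = [
    ("https://myturbotax.intuit.com/", False),
    ("https://www.example.org/", False),
    ("http://tryviagra.mumble.com/x", True),
    ("https://buycheapmeds.example.net/", True),
]


def evaluate(corpus, exclude_my):
    """Return (true_positives, false_positives) for the rule over the corpus."""
    tp = fp = 0
    for uri, is_spam in corpus:
        if rule_hits(uri, exclude_my):
            if is_spam:
                tp += 1
            else:
                fp += 1
    return tp, fp
```

`evaluate(CORPUS, exclude_my=False)` returns `(2, 1)`, the one false positive being the Intuit portal; with the exclusion it returns `(2, 0)` without losing either spam hit.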

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, Giovanni Bechis wrote:

> On 04/13/18 09:06, Sebastian Arcus wrote:
>
>> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the
>> above rule:
>>
>> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit:
>> "https://myturbotax.intuit.com"
>>
>> On a slightly different note, and mainly for my curiosity to understand SA
>> rules syntax, in 72_active.cf, the score seems to be commented out:
>>
>> #score   URI_TRY_3LD   2.000   # limit
>>
>> But when it hits, it still adds 2.0 to the score (and I haven't customized the
>> score anywhere else). Is this a special form of SA syntax?
>
> the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags
> publish.
> Giovanni

When a "score" line is present in a sandbox, that means the masscheck
score assignment process will limit the score it calculates to that.

If it's commented out or not present, then the masscheck process can
assign however high a score it likes based on the rule's performance
against the masscheck corpora.

I'll take a look at that rule, I don't remember offhand what I intended it
for.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 Today: Thomas Jefferson's 275th Birthday

Re: Please add these blocks

2018-04-13 Thread Kevin A. McGrail
Done for PCCC's wild list.

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Fri, Apr 13, 2018 at 9:40 AM, David Jones  wrote:

> Calling all RBL/URIBL operators on this list, please block these:
>
> https://pastebin.com/gGkK2gMq
>
> https://pastebin.com/L7gygRn7
>
> https://pastebin.com/ukaQ1pps
>
> https://pastebin.com/DBiUT6k3
>
> https://pastebin.com/Hcm6mLzx
>
> I receive a ton of these daily and they aren't listed on anyone's
> RBL/URIBL.
>
> P.S.  I would love to help with any RBL/URIBLs with honeypot/spamtrap
> accounts if anyone would like to contact me off list.
>
> --
> David Jones
>


Please add these blocks

2018-04-13 Thread David Jones

Calling all RBL/URIBL operators on this list, please block these:

https://pastebin.com/gGkK2gMq

https://pastebin.com/L7gygRn7

https://pastebin.com/ukaQ1pps

https://pastebin.com/DBiUT6k3

https://pastebin.com/Hcm6mLzx

I receive a ton of these daily and they aren't listed on anyone's RBL/URIBL.

P.S.  I would love to help with any RBL/URIBLs with honeypot/spamtrap 
accounts if anyone would like to contact me off list.


--
David Jones


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Giovanni Bechis
On 04/13/18 09:06, Sebastian Arcus wrote:
> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with 
> the above rule:
> 
> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got 
> hit: "https://myturbotax.intuit.com"
> 
> On a slightly different note, and mainly for my curiosity to understand SA 
> rules syntax, in 72_active.cf, the score seems to be commented out:
> 
> #score   URI_TRY_3LD   2.000   # limit
> 
> But when it hits, it still adds 2.0 to the score (and I haven't customized 
> the score anywhere else). Is this a special form of SA syntax?
> 
the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags 
publish.
 Giovanni



URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Sebastian Arcus
Hello all. I am getting some fp's with emails from QuickBooks / Intuit 
with the above rule:


Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "https://myturbotax.intuit.com"


On a slightly different note, and mainly for my curiosity to understand 
SA rules syntax, in 72_active.cf, the score seems to be commented out:


#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't 
customized the score anywhere else). Is this a special form of SA syntax?


Thank you for any answers