Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
Here's mine, had it running as a regular cron job for a few days now.

On Wed, 26 Aug 2020 at 04:08, Rob McEwen wrote:
> On 8/25/2020 11:04 PM, John Hardin wrote:
> > I just wrote something similar to generate a rule, in case for some
> > reason you don't want to use a plugin. Let me know if there's any
> > interest in it.
>
> yes - please share!

Attachment: spbl.sh
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 8/25/2020 11:04 PM, John Hardin wrote:
> I just wrote something similar to generate a rule, in case for some
> reason you don't want to use a plugin. Let me know if there's any
> interest in it.

yes - please share!

-- 
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
Thanks, John Capo, for the suggestions!

Honestly, I'm at the end of my rope - completely burned out from creating this - desperately needing to catch up in other areas of my business so that I can pay my bills. And I have other ideas for how to make this data even better that I'm trying to get to asap. So help like this is very appreciated!

BTW - does Postfix "know" to refresh the data when the files are updated? Or is there some kind of command that needs to run to tell Postfix to reload the files? How does that work?

ALSO - would it help if I created a separate set of files for Postfix that are pre-formatted this way already?

Thanks!

Rob McEwen, invaluement.com

On 8/25/2020 2:26 PM, John Capo wrote:
> On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:
> > well, do we have anything available now to block at SMTP level?
> > - postfix policy server?
> > - milter?
> > so far I have noticed only SA plugins. Which is not bad, but that HUGE advantage is not usable now.
>
> Nothing elegant about this but it was easy to implement. You need to create the software specific to your MX servers to update the files below from Rob's web site. Adjust the paths below to your Postfix install.
>
> Add these entries to your main.cf:
>
>     smtpd_restriction_classes = sendgrid
>     # Limit senders that are matched with the regexes in sendgrid-ids
>     #
>     sendgrid = check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids
>     smtpd_recipient_restrictions = check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid
>
> Create a file like this from the senders in https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
>
>     sendgrid.net          sendgrid
>     appliedaicourse.com   sendgrid
>     bithumbcorp.email     sendgrid
>     bitline.life          sendgrid
>     bureausveritas.com    sendgrid
>     caractere.ro          sendgrid
>     craftsgenerals.com    sendgrid
>     dalvry.com            sendgrid
>     ...
>
> Name it from-sendgrid and place it in your Postfix directory
>
>     postmap from-sendgrid
>
> Create a file like this from the ids in https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>
>     /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     ...
>
> Name it sendgrid-ids and place it in your Postfix directory
>
>     postfix reload
>
> John Capo
> Tuffmail.com

-- 
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On Tue, 25 Aug 2020, John Capo wrote:
> Create a file like this from the ids in https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>
>     /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>     ...

I just wrote something similar to generate a rule, in case for some reason you don't want to use a plugin. Let me know if there's any interest in it.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Today: the 1941st anniversary of the destruction of Pompeii
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:
> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
> so far I have noticed only SA plugins. Which is not bad, but that HUGE advantage is not usable now.

Nothing elegant about this but it was easy to implement. You need to create the software specific to your MX servers to update the files below from Rob's web site. Adjust the paths below to your Postfix install.

Add these entries to your main.cf:

    smtpd_restriction_classes = sendgrid
    # Limit senders that are matched with the regexes in sendgrid-ids
    #
    sendgrid = check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids
    smtpd_recipient_restrictions = check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid

Create a file like this from the senders in https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt

    sendgrid.net          sendgrid
    appliedaicourse.com   sendgrid
    bithumbcorp.email     sendgrid
    bitline.life          sendgrid
    bureausveritas.com    sendgrid
    caractere.ro          sendgrid
    craftsgenerals.com    sendgrid
    dalvry.com            sendgrid
    ...

Name it from-sendgrid and place it in your Postfix directory

    postmap from-sendgrid

Create a file like this from the ids in https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt

    /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
    /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
    /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
    /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
    /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
    ...

Name it sendgrid-ids and place it in your Postfix directory

    postfix reload

John Capo
Tuffmail.com
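John Capo's message above (and Rob's reply quoting it) leaves one piece to the reader: the "software specific to your MX servers" that turns the two invaluement text files into the from-sendgrid hash map and the sendgrid-ids pcre map. The following is an added example of that conversion step, written for this thread; it is not code from invaluement, John Capo, or Postfix. It assumes the two lists have already been fetched to local files by your cron job, and that each file holds one entry per line (a domain, or a numeric SendGrid account id) with "#" starting a comment; that file format, the script name and the command-line arguments are assumptions. The map contents it produces are exactly the two formats shown in the message: "domain<TAB>sendgrid" for the hash map, whose value names the restriction class from main.cf, and one /^bounces\+ID-[0-9a-f]{4}-/ REJECT line per id for the pcre map.

```python
"""Build the two Postfix maps from John Capo's message out of the invaluement lists.

Added example for this thread; not code from invaluement, John Capo or Postfix.
Assumptions (not confirmed by the thread): each downloaded list holds one entry
per line (a domain, or a numeric SendGrid account id), "#" starts a comment,
and the files have already been fetched to disk by whatever your cron job uses.
"""
import os
import re
import sys
import tempfile

RESTRICTION_CLASS = "sendgrid"  # the class name used in main.cf in the thread
REJECT_TEXT = "REJECT Phish from compromised Sendgrid account"

# Strict shapes: a corrupted or truncated download must not turn into a
# malformed map line that makes postmap fail or, worse, matches everything.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ID_RE = re.compile(r"^[0-9]{1,20}$")


def parse_list(text):
    """Yield the non-empty, non-comment entries of a list file, whitespace stripped."""
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            yield entry


def build_maps(domain_text, id_text):
    r"""Return (hash_map, pcre_map, rejected).

    hash_map : from-sendgrid content, "domain<TAB>sendgrid" per line, so that
               check_sender_access hash:... hands the sender to the restriction class
    pcre_map : sendgrid-ids content, one /^bounces\+ID-[0-9a-f]{4}-/ REJECT line per id
    rejected : entries that failed validation and were left out
    """
    rejected, hash_lines, pcre_lines = [], [], []
    for dom in parse_list(domain_text):
        if DOMAIN_RE.match(dom):
            hash_lines.append(f"{dom.lower()}\t{RESTRICTION_CLASS}")
        else:
            rejected.append(dom)
    for acct in parse_list(id_text):
        if ID_RE.match(acct):
            pcre_lines.append(rf"/^bounces\+{acct}-[0-9a-f]{{4}}-/ {REJECT_TEXT}")
        else:
            rejected.append(acct)
    return ("".join(l + "\n" for l in hash_lines),
            "".join(l + "\n" for l in pcre_lines),
            rejected)


def write_atomic(path, content):
    """Write content beside path and rename over it, so Postfix never reads a half file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)


# Constructed sample input in the assumed format (not real list contents).
SAMPLE_DOMAINS = "# constructed\nsendgrid.net\nappliedaicourse.com\nBitline.life\nnot a domain\n"
SAMPLE_IDS = "2191708\n4227563\n\n# constructed\n13780591-x\n"


def main(argv):
    """usage: build_sendgrid_maps.py DOMAINS_FILE IDS_FILE POSTFIX_MAP_DIR

    Afterwards run "postmap from-sendgrid" and "postfix reload" as in the thread;
    the pcre map needs no postmap. POSTFIX_MAP_DIR is the thread's
    /usr/local/etc/postfix/maps or wherever your install keeps its maps.
    """
    if len(argv) != 4:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        domains = f.read()
    with open(argv[2]) as f:
        ids = f.read()
    hash_map, pcre_map, rejected = build_maps(domains, ids)
    if not hash_map or not pcre_map:
        print("refusing to install an empty map; keeping the previous files", file=sys.stderr)
        return 1
    write_atomic(os.path.join(argv[3], "from-sendgrid"), hash_map)
    write_atomic(os.path.join(argv[3], "sendgrid-ids"), pcre_map)
    for bad in rejected:
        print(f"skipped malformed entry: {bad!r}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The empty-map refusal matters for a cron job: if the download fails and yields an empty file, the previous maps stay in place instead of silently turning the check off, and the atomic rename means a Postfix smtpd opening the hash map mid-write still sees a complete file.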
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On Tue, Aug 25, 2020 at 08:29:55PM +0200, Benny Pedersen wrote:
> Rob McEwen wrote on 2020-08-25 19:20:
>
> > PRO TIP: Instead of complaining about this problem on this thread -
> > why not go to the discussion list or forum of your preferred MTA - and
> > ask them to implement it?
>
> maybe make clamav sigs?
>
> is mimedefang working still? special plugins needed? i just use
> fuglu

Mimedefang is still alive on a new home:
https://github.com/The-McGrail-Foundation/MIMEDefang

I think it should not be complicated to implement it.

Giovanni
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 8/25/2020 2:29 PM, Benny Pedersen wrote:
> maybe make clamav sigs?

Benny,

Thanks for your other suggestions - those are worth exploring.

Also - the ClamAV sigs are not a bad idea - but even besides the fact that (like SA rules), ClamAV is content filtering and not at the SMTP-Envelope level - ClamAV doesn't tend to have nearly AS fast of a turnaround time as do DNSBLs. In a previous message, someone was disappointed that we missed one, and it turns out our 24-second turnaround time on that message (from the start of the SMTP connection - to being fully deployed in the data) was a contributing factor. We now have a plan to shorten that 24 seconds to about 4 seconds AND (for invaluement subscribers) - we have a "push" technology that is available now where those invaluement subscribers who opt for this feature (no extra charge!) - can get a split-second notification to run their RSYNC just 1 second after the file updates - and we do that already for our direct query servers. So there is an option (once implemented!) to potentially get these FULLY DISTRIBUTED within about 8 seconds from the start of the SMTP connection of the first such spam received - to being FULLY deployed on DNS servers (both our own direct query servers - and our RSYNC subscribers' internal rbldnsd servers) - that will be AMAZING. I expect to be there within a week from now. Something like ClamAV just can't even begin to compete with that fast of a turnaround. But ClamAV rules may still be a good way to get this implemented for many.

Someone else mentioned one that was completely off of our radar - but we're about to double the coverage of these in terms of mailboxes and traps used for this purpose - so that will help further minimize our "blind spots".

-- 
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
Rob McEwen wrote on 2020-08-25 19:20:
> PRO TIP: Instead of complaining about this problem on this thread - why not go to the discussion list or forum of your preferred MTA - and ask them to implement it?

maybe make clamav sigs?

is mimedefang working still? special plugins needed? i just use fuglu
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
Matus UHLAR - fantomas wrote on 2020-08-25 17:42:
> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
> so far I have noticed only SA plugins. Which is not bad, but that HUGE advantage is not usable now.

With fuglu I reject high-score spams; just set up fuglu pre-queue with postfix.
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 8/25/2020 1:20 PM, Rob McEwen wrote:
> but I can do everything, at least not all at once

*can't do

-- 
Rob McEwen
https://www.invaluement.com
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 8/25/2020 11:42 AM, Matus UHLAR - fantomas wrote:
> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
> so far I have noticed only SA plugins. Which is not bad, but that HUGE advantage is not usable now.

And likewise - 48 hours ago - a SpamAssassin plugin didn't exist either! These things take at least a little bit of time. We're only at the 3rd business day that this tech has been in existence. But I think you and I would both be surprised at how many systems are likely already (quietly) using this at the SMTP-connection level, for certain more custom-programmed systems. I believe adaptation in other public MTAs is inevitable. For example, I have some good contacts at Exim and it's on my "to do" list to ask them about this, but I can do everything, at least not all at once. And those MTAs that don't enable usage of this will be left behind.

PRO TIP: Instead of complaining about this problem on this thread - why not go to the discussion list or forum of your preferred MTA - and ask them to implement it?

-- 
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 22.08.20 17:23, Rob McEwen wrote:
> On 8/22/2020 3:35 PM, Kenneth Porter wrote:
> > --On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd wrote:
> > > Like most ISPs, they have a feedback loop to remove malicious users. I assume it is too slow, so a SendGrid account ID RBL would provide meaningful value.
> >
> > Would not Pyzor accomplish the same thing? Submit the SendGrid spam to Pyzor to quickly get it blacklisted.
>
> sendgrid list can do the filtering at the SMTP-envelope level - BEFORE the message is even downloaded - for some systems with millions of users - that is a HUGE advantage. (2) being filterable at the SMTP-Envelope level opens up possibilities for things like MTA plugins or feature additions - that enable this filtering at the MTA level - for MTAs that do NOT try to do any content filtering of the message. That creates more options for deployment where many will hopefully be able to make use of this, who don't have Pyzor (for whatever reasons)

well, do we have anything available now to block at SMTP level?
- postfix policy server?
- milter?

so far I have noticed only SA plugins. Which is not bad, but that HUGE advantage is not usable now.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
Hi Rob

This works like a charm, blocking a lot of: bounces+8465718 atm.

Thank you for your excellent plugin!

Kind regards
-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
Re: Amazon, dhl, fedex, etc. phishing
On Mon, 24 Aug 2020 19:22:27 -0700 (PDT)
John Hardin wrote:

> That could be captured by the above whitelist_auth, plus a "from
> name" rule:
>
>   header FM_NAME_AMAZON From:name =~ /^amazon(?:\.com\b|$)/i
>   score  FM_NAME_AMAZON 10
>
> That's a poison pill by itself, but the whitelist_auth entry would
> override it for genuine Amazon emails.

I do it something like this:

  meta WHITELIST_SPOOFED __SHOULD_BE_WHITELISTED && !ANY_WHITELIST

This allowed the default whitelists to cancel the rule without giving them a huge negative score.
Re: A new high score!
This sounds like a really fun game! SpamAssassin's Creed!

On Tue, Aug 25, 2020 at 8:32 AM Philipp Ewald wrote:
> We have our own rule that marks special mails with spam score 1000,
> but with default values the record is around 22.
>
> On 24.08.20 at 23:27, micah anderson wrote:
> >
> > What is the highest score you've seen a spam get? I think I just broke
> > my own high score, with a spam that managed to pile up 64 points.
> >
> > I'm sure you all have seen much higher!
> >
>
> --
> Philipp Ewald
> Administrator
>
> DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
> Phone: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail:
> philipp.ew...@digionline.de
>
> Cologne District Court HRB 27711, Tax no. 5215 5811 0640
> Managing Director: Werner Grafenhain
>
> Data protection information: www.digionline.de/ds
Re: A new high score!
We have our own rule that marks special mails with spam score 1000, but with default values the record is around 22.

On 24.08.20 at 23:27, micah anderson wrote:
> What is the highest score you've seen a spam get? I think I just broke my own high score, with a spam that managed to pile up 64 points.
>
> I'm sure you all have seen much higher!

-- 
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Phone: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de

Cologne District Court HRB 27711, Tax no. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
Re: A new high score!
Axb wrote on 2020-08-25 09:50:
> On 8/24/20 11:27 PM, micah anderson wrote:
> > I'm sure you all have seen much higher!
>
> the score can depend on how creative you are.
>
> score USER_IN_BLACKLIST 666.0

blacklist_from *@*
whitelist_auth *@*

something to John :=)
Re: A new high score!
On 8/24/20 11:27 PM, micah anderson wrote:
> What is the highest score you've seen a spam get? I think I just broke my own high score, with a spam that managed to pile up 64 points.
>
> I'm sure you all have seen much higher!

the score can depend on how creative you are.

score USER_IN_BLACKLIST 666.0
Re: Amazon, dhl, fedex, etc. phishing
> We are regularly getting phishes from dhl, fedex, usps, amazon, netflix,
> spotify that fakes the from (eg. amazon wants
> to send me a amadon-legit.pdf). Usually these are previously unknown to
> pyzor, dcc, rbls, and domain reputation doesn't really exist[0].
>
> I'm wondering if anyone has made a rule that looks to see if the From
> contains amazon, but it is not amazon.com/.ca/.jp (all their TLDs), then
> score them up, if it wants to also drop a psd, or a tar.xz, or a png, or
> a pdf or whatever, then light them on fire.

I have rules similar to that to catch other things. I just made one for you to catch a spam that claims to be from USPS but is not. Simple modifications will catch other putative senders.

  #---
  # 08/24/2020
  # Someone on the SA mailing list is upset about spams that claim to be from some
  # reputable company, usually a package transfer company, but actually aren't.
  # I have an example in today's spam, though it is caught by lots of other rules:
  #
  # From: USPS
  #
  # The negative lookahead is placed right after the "@": a greedy [\w\-.]* in
  # front of it would otherwise swallow a genuine "usps.com" and make the rule
  # fire on real USPS mail as well.
  header   NOT_FROM_USPS  From =~ /\bUSPS\b[^<]*<[\w\-.]+\@(?![\w\-.]*\busps\.com\s{0,3}>)[\w\-.]+\s{0,3}>/
  score    NOT_FROM_USPS  1
  describe NOT_FROM_USPS  Claims to be from USPS, but isn't

I'm also including two general rules that catch this sort of stuff most of the time.

  #---
  # 01/21/08
  # Return-Path:
  # Message-Id: <20080121072522.16582.qmail@comp2>
  # From:
  #
  # The from and the return-path should match
  # The from host and the message-id host should match
  # ('m' added so that the "$" alternative also matches a bare "From: address"
  # when From: is not the last header in ALL)
  header   __FROM_SENDER   ALL =~ m'Return-Path:\s+<([^\n>]+)>.*\nFrom:(?:[^<\n]+<\1>|\s+\1$)'sim
  header   __NULL_SENDER   Return-Path =~ /<>/
  meta     NOT_FROM_SENDER !__FROM_SENDER && !__NULL_SENDER
  score    NOT_FROM_SENDER 1
  describe NOT_FROM_SENDER Not from putative sender

  # Return-Path:
  # Message-ID: <7a9a01c85ca2$0fcbc910$c0a80102@Ricky>
  header   __SENDER_MSGID   ALL =~ m'Return-Path:[^\@\n]+\@([^>.]+).*\nMessage-Id:[^\@\n]+\@[\w.]{0,30}\1'si
  meta     NOT_SENDER_MSGID !__SENDER_MSGID && !__NULL_SENDER
  score    NOT_SENDER_MSGID 0.5
  describe NOT_SENDER_MSGID Sender host doesn't match message-id host
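To see what the three rules above actually do, here is an added example (mine, not part of the poster's rules or of SpamAssassin) that ports their regexes to Python's re module and runs them over four constructed header blocks: a spoofed USPS message, a genuine one, a look-alike domain with usps.com as a leading label, and a null-sender bounce. The sample headers are made up for this example; Perl's s/i/m modifiers become re.S, re.I and re.M, the ALL pseudo-header is emulated by the raw headers joined with newlines, and the scores are the ones the rules assign.

```python
"""Port of the three SpamAssassin rules in the post above, run over constructed headers.

Added example for this thread; the rules are the poster's, the Python port and the
sample messages are mine. Perl's s/i/m modifiers become re.S / re.I / re.M, and the
"ALL" pseudo-header is emulated by joining the raw headers with newlines.
"""
import re

# Constructed sample header blocks (not real mail), in the order SpamAssassin
# would see them in ALL. No folded headers, to keep the emulation simple.
SPOOFED_USPS = (
    "Return-Path: <bounces@bulk-sender.example.net>\n"
    "Message-Id: <20200824072522.16582.qmail@host.example.org>\n"
    "From: USPS <tracking@usps-parcel.example.com>\n"
    "Subject: Your parcel could not be delivered\n"
)
GENUINE_USPS = (
    "Return-Path: <noreply@usps.com>\n"
    "Message-Id: <20200824072522.123@mailer.usps.com>\n"
    "From: USPS <noreply@usps.com>\n"
    "Subject: Tracking update\n"
)
LOOKALIKE_USPS = (  # usps.com used as a label inside an unrelated domain
    "Return-Path: <bounces@usps.com.example.net>\n"
    "Message-Id: <1@usps.com.example.net>\n"
    "From: USPS <bounces@usps.com.example.net>\n"
)
NULL_SENDER_BOUNCE = (
    "Return-Path: <>\n"
    "Message-Id: <abc@mta.example.org>\n"
    "From: Mail Delivery System <mailer-daemon@mta.example.org>\n"
)

# The rules' regexes. The lookahead in NOT_FROM_USPS sits right after "@", so a
# real usps.com address is excluded however the greedy [\w\-.] run matches.
NOT_FROM_USPS = re.compile(
    r"\bUSPS\b[^<]*<[\w\-.]+\@(?![\w\-.]*\busps\.com\s{0,3}>)[\w\-.]+\s{0,3}>")
FROM_SENDER = re.compile(
    r"Return-Path:\s+<([^\n>]+)>.*\nFrom:(?:[^<\n]+<\1>|\s+\1$)", re.S | re.I | re.M)
NULL_SENDER = re.compile(r"<>")
SENDER_MSGID = re.compile(
    r"Return-Path:[^\@\n]+\@([^>.]+).*\nMessage-Id:[^\@\n]+\@[\w.]{0,30}\1", re.S | re.I)

SCORES = {"NOT_FROM_USPS": 1.0, "NOT_FROM_SENDER": 1.0, "NOT_SENDER_MSGID": 0.5}


def header_value(all_headers, name):
    """Value of the first header called name, or "" (what a header rule tests)."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.*)$", all_headers, re.M | re.I)
    return m.group(1) if m else ""


def evaluate(all_headers):
    """Return (names of rules that hit, total score) for one header block."""
    hits = []
    if NOT_FROM_USPS.search(header_value(all_headers, "From")):
        hits.append("NOT_FROM_USPS")
    null_sender = bool(NULL_SENDER.search(header_value(all_headers, "Return-Path")))
    # meta NOT_FROM_SENDER  !__FROM_SENDER && !__NULL_SENDER
    if not FROM_SENDER.search(all_headers) and not null_sender:
        hits.append("NOT_FROM_SENDER")
    # meta NOT_SENDER_MSGID !__SENDER_MSGID && !__NULL_SENDER
    if not SENDER_MSGID.search(all_headers) and not null_sender:
        hits.append("NOT_SENDER_MSGID")
    return hits, sum(SCORES[h] for h in hits)


if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_USPS), ("genuine", GENUINE_USPS),
                          ("look-alike", LOOKALIKE_USPS), ("bounce", NULL_SENDER_BOUNCE)]:
        hits, score = evaluate(sample)
        print(f"{label:10s} score={score:<4} {' '.join(hits) or '-'}")
```

The look-alike case is the one worth noticing: its Return-Path, From and Message-Id all agree with each other, so only NOT_FROM_USPS fires, which is exactly the display-name-versus-domain mismatch the original poster asked for; the two general rules add their points only when the envelope and header sender disagree.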