Re: what is ncv.microsoft.com for?

2023-06-02 Thread Anders Gustafsson
See: 
https://www.darkreading.com/cloud/unusual-microsoft-365-phishing-efax-compromised-dynamic-voice-account

-- 
Best regards

Anders Gustafsson, engineer
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direct +358 9 315 45 121  |  Mobile +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B, AX-22100 MARIEHAMN, ÅLAND, FINLAND



>>> "Pedro David Marco via users"  2023-06-02 14:07 >>>
Hi all,
We are receiving tons of phishing pointing to ncv.microsoft.com/
I have found no MS documentation about what "ncv" is used for. Does anyone
know it, please? What is it?

Pete.





Re: LANSET, do they create anything but SPAM?

2021-04-13 Thread Anders Gustafsson
Examples: https://pastebin.com/pF6Nmquc




>>> Matus UHLAR - fantomas  2021-04-12 12:13 >>>
On 12.04.21 11:41, Anders Gustafsson wrote:
>A LOT of the SPAM that is not blocked directly by RBLs seems to originate from
>LANSET Corporation. Are they a
>known spam source?

do you have examples?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]


Re: LANSET, do they create anything but SPAM?

2021-04-12 Thread Anders Gustafsson
I tried to send you examples earlier, but your spam filter blocked my email.




>>> Matus UHLAR - fantomas  12.04.2021 12:13 >>>
On 12.04.21 11:41, Anders Gustafsson wrote:
>A LOT of the SPAM that is not blocked directly by RBLs seems to originate from
>LANSET Corporation. Are they a
>known spam source?

do you have examples?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]


LANSET, do they create anything but SPAM?

2021-04-12 Thread Anders Gustafsson
A LOT of the SPAM that is not blocked directly by RBLs seems to originate from
LANSET Corporation. Are they a known spam source?





Re: Legitimate message being flagged as spam

2020-11-30 Thread Anders Gustafsson
True. Thanks for pointing that out.




>>> Benny Pedersen  2020-11-30 16:17 >>>
spamassassin -t test-mail.eml | less always works no matter how
spamassassin is integrated


Re: Legitimate message being flagged as spam

2020-11-30 Thread Anders Gustafsson
It depends on how you have it set up. With what email system are you using it?




>>> Daryl Rose  2020-11-30 15:27 >>>
How do I get the SA headers?

Thank you.

Daryl

On Sun, Nov 29, 2020 at 10:32 AM Martin Gregorie wrote:

> Showing us the SA headers and hits would be a good idea: without them we
> don't know why SA rejected the mail.
>
> I notice that the domain in the Message-ID is fictitious. That may not be
> significant, but I usually think this is suspicious.
>
> Martin
>
>
> On Sun, 2020-11-29 at 09:40 -0600, Daryl Rose wrote:
> > I get an email/receipt from a vendor on a payment made.  This message
> > continuously gets flagged as spam even though I've added it to the
> > whitelist_from.cf list.
> >
> > Received: (qmail 26946 invoked by uid 30297); 27 Nov 2020 20:52:17
> > -
> > > Received: from unknown (HELO p3plibsmtp02-
> > > 04.prod.phx3.secureserver.net)
> > >  ([68.178.213.4])
> > >   (envelope-sender
> > >  @sendgrid.net>)
> > >   by p3plsmtp23-04-26.prod.phx3.secureserver.net (qmail-
> > > 1.03) with
> > >  SMTP
> > >   for ; 27 Nov 2020 20:52:17 -
> > > Received: from o1.3nn.shared.sendgrid.net ([167.89.100.129])
> > > (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
> > > (Client did not present a certificate)
> > > by CMGW with ESMTP
> > > id ikj3kLwOeFeQXikj3kiQrL; Fri, 27 Nov 2020 13:52:17 -0700
> > > X-CMAE-Analysis: v=2.4 cv=SdYyytdu c=1 sm=1 tr=0 ts=5fc16701 b=1
> > > cx=a_idp_nop
> > >  a=d87GDerR7hnUjA61tTL9RQ==:117 a=d87GDerR7hnUjA61tTL9RQ==:17
> > >  a=kj9zAlcOel0A:10 a=zPYWiABU:8 a=5-f5ixlAKy49-4MjWEkA:9
> > >  a=O-7aY5Sf57aUu7p3:21 a=_W_S_7VecoQA:10 a=CjuIK1q_8ugA:10
> > > a=5LfDJFqq-uUA:10
> > >  a=AWL3az150N33eOPX4RKm:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22
> > > a=UDnyf2zBuKT2w-IlGP_r:22
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> > > d=sendgrid.net;
> > > h=from:subject:mime-version:to:content-type:content-transfer-
> > > encoding;
> > > s=smtpapi; bh=5/eVCwWUZDl73ybzUYFmyMNdYNgvUvrvS9S5NJHu8QU=;
> > > b=kDKnSU9Bb2Mi5khPiwjinzdlOorchkBuNfEWHSiqVeWqCaZPHmztDB3ZeQXPLVkVbL
> > > uH
> > > 6NgvFXajs2aidTnh9bSKSMn4RaTPC+nvQU4DxFoXj0dL9yy9rjBGsdmS0BBD6+qzBl6g
> > > Si
> > > i2UwAMxRGXKbODjK5T5Ll1us3XKXKt9cI=
> > > Received: by filterdrecv-p3iad2-5dc87598f5-8bxxp with SMTP id
> > >  filterdrecv-p3iad2-5dc87598f5-8bxxp-19-5FC16700-AD
> > > 2020-11-27 20:52:16.878084415 + UTC m=+951689.287978429
> > > Received: from spiderdoor.com (unknown)
> > > by ismtpd0118p1mdw1.sendgrid.net (SG) with ESMTP
> > > id ceyKf2F5QpyH7v63ZKS3nA
> > > Fri, 27 Nov 2020 20:52:16.783 + (UTC)
> > > Date: Fri, 27 Nov 2020 20:52:16 + (UTC)
> > > From: no-re...@spiderdoor.com 
> > > Message-ID: <5fc1670079f34_26fd3171828...@api1.mail>
> > > Subject: Payment Receipt for Unit G030 - paid from SpiderApp
> > > Mime-Version: 1.0
> > > X-SG-EID:
> > >
> > >  =?us-
> > > ascii?Q?nNFctdm0BWd6iTjLSzehWYRyQOg6=2FUycD+ddLrh9vGVcvZBTHPJYDTCViD
> > > qyYQ?=
> > >  =?us-ascii?Q?Li3bEIOOksE35=2FhSgezGSc37DN46Fkbxk1TO9E8?=
> > >  =?us-ascii?Q?MGQPgTWt6k58DhiRQTG0=2F+79xc=2FO7jtyaG0XkLO?=
> > >  =?us-ascii?Q?1DjUXyElg+pd9Ry=2Fm1Wy7CmJWR0I1zJgLk=2FUjTC?=
> > >  =?us-ascii?Q?=2F7EUOycJlpjn1eLS5JSN9MBpwsXNk7EKGYPvDxO?=
> > >  =?us-ascii?Q?duJHjPbILEuJJjx1g=3D?=
> > > To: i...@myspace.rent, 
> > > X-Entity-ID: eEuAPys4acQ9ere1FZlp6A==
> > > Content-Type: text/html; charset=us-ascii
> > > Content-Transfer-Encoding: 7bit
> > > X-CMAE-Envelope:
> > >
> > >  MS4xfLrAfEKlWNG6dcz1a05VWlMXnGyOE7soLGjybMz1QFzvpZ8a8cRDyTGNbMY9ezX
> > > 311xKb9zb5aWg3AtH7xkCUlT7kaAYASl+bOfJ3EEdSfKKIoPXjO+i
> > >
> > >  gjrerNiIxiRiWOcLF0BuxQKyIc/5BN0U4rxx20N0k1kPbaXyR06Ty99IgAWy9imxFxs
> > > ms0GP03MmGWur7XyGwMcP6r/JKJ3ntGwGN1Diolw7WC+ywjp9VBM5
> > >  X6m7dicNVVVO+LUx/qLWyQ==
> > > X-Nonspam: None
> > >
> > >
> > >
> > Any idea why it gets flagged and what rule I need to put in place to
> > prevent it from happening?
> >
> > Thank you.
> >
> > Daryl
>
>


Am I being paranoid? Postcard?

2020-11-10 Thread Anders Gustafsson
I know it is a bit off-topic, but has anyone seen something like this:

"Greetings,

My daughter collects printed postal cards from different countries. We are from 
Russia.
I hesitate to ask, but could you send a printed postcard from Finland?
I would like send you the postcard from our county if you like !
Await for your kind response.
In deepest sympathy,
Elena.
"

This could naturally be completely legit, but it was sent to the company info
address, which is not advertised anywhere. It is also a bit odd that it does not
mention where to send it. Had it been me, I would have written where to send
this postcard. Could it be some type of probe?





Spam from Turkey?

2020-08-30 Thread Anders Gustafsson
Hi!

Over the last months the really egregious spammers have all been from Turkish
ISPs. I had 15+ of them this morning from Meric Internet Teknolojileri A.S. Has
anyone seen this as well?





What am I doing wrong, as my whitelist does not seem to work?

2020-01-30 Thread Anders Gustafsson
Hi!

In /etc/mail/spamassassin/local.cf I have, among other things:

whitelist_from *.powersystemsdesign.com

Still mails from them are flagged as SPAM:

Content analysis details:   (5.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.]
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
 2.1 NORDNS_LOW_CONTRAST    No rDNS + hidden text

sender is: newslet...@powersystemsdesign.com 
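Two threads in this archive turn on reading a `spamassassin -t` report: Benny Pedersen's answer above (`spamassassin -t test-mail.eml | less`) and this whitelist_from question, where the posted report contains no USER_IN_WHITELIST hit at all. What follows is an added example, not code from either thread or from the SpamAssassin project. It parses the posted report and reproduces SpamAssassin's documented glob handling for `whitelist_from` (the documentation gives `*@isp.com` and `*.domain.net` as the accepted wildcard forms; the exact translation of `*` and `?` is modelled on Conf.pm's address-list code and is marked as an assumption in the comments). The sender's local part is elided in the post, so `someone@powersystemsdesign.com` stands in for it, and the report text is re-typed from the post with its columns restored.

```python
import re

# Constructed sample: the "Content analysis details" report from the post
# above, re-typed with aligned columns (the page's copy is extraction-damaged).
SA_REPORT = """\
Content analysis details:   (5.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
 2.1 NORDNS_LOW_CONTRAST    No rDNS + hidden text
"""

TOTAL_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_report(report):
    """Return (score, threshold, hits) from a `spamassassin -t` report.

    hits is a list of (rule_name, points, description); continuation lines
    of a wrapped description are ignored."""
    score = threshold = None
    hits = []
    for line in report.splitlines():
        t = TOTAL_RE.search(line)
        if t:
            score, threshold = float(t.group(1)), float(t.group(2))
            continue
        h = HIT_RE.match(line)
        if h:
            hits.append((h.group(2), float(h.group(1)), h.group(3).strip()))
    return score, threshold, hits


def whitelist_glob_to_regex(glob):
    """Translate a whitelist_from glob into an anchored regex.

    Assumption: mirrors SpamAssassin's add_to_addrlist: lower-case the entry,
    escape regex metacharacters, '?' -> '.', '*' -> '.*', anchor both ends."""
    pat = re.escape(glob.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + pat + "$")


def whitelist_matches(glob, address):
    return whitelist_glob_to_regex(glob).match(address.lower()) is not None


def diagnose(report, glob, sender):
    """Explain why a 'whitelisted' sender still scored as spam."""
    score, threshold, hits = parse_report(report)
    fired = {name for name, _, _ in hits}
    return {
        "score": score,
        "threshold": threshold,
        # USER_IN_WHITELIST (-100 in SA 3.x) is the only visible sign that
        # a whitelist_from entry actually matched the message.
        "whitelist_rule_fired": "USER_IN_WHITELIST" in fired,
        "glob_matches_sender": whitelist_matches(glob, sender),
        "top_hits": sorted(hits, key=lambda h: h[1], reverse=True)[:3],
    }


if __name__ == "__main__":
    # The sender's local part is elided in the post; placeholder used.
    sender = "someone@powersystemsdesign.com"
    print(diagnose(SA_REPORT, "*.powersystemsdesign.com", sender))
    print("with *@ form:", whitelist_matches("*@powersystemsdesign.com", sender))
```

The check shows the two things to look at before chasing the individual rule hits: no USER_IN_WHITELIST line in the report, and `*.powersystemsdesign.com` only matching addresses at a subdomain (the `*` has to be followed by a literal dot), whereas `*@powersystemsdesign.com` matches the bare domain. Two caveats for anyone copying this: `whitelist_from` trusts an unauthenticated From: header, so `whitelist_from_rcvd` or `whitelist_auth` (SPF/DKIM-backed) is the safer tool for a newsletter sender, and in SpamAssassin 4.0 the directive and rule are renamed `welcomelist_from` and USER_IN_WELCOMELIST.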









Rule to catch a certain email address?

2019-11-28 Thread Anders Gustafsson
Assume I want to give extra points to e-p...@pedago.fi. This is our
address as given on our website, so many spammers harvest it. I want to
bump it slightly, but have been unable to write a regexp that catches it.
Can anyone help?


>>> RW  2019-11-28 03:30 >>>
On Wed, 27 Nov 2019 12:59:47 +0100
Tobi  wrote:

> Hi,
> 
> is there any specific reason why the two tags mentioned in subject are
> not set in SA? It took me a while to find out why an askdns test was
> not running. The test relies on _LASTEXTERNALRDNS_ but after running
> with --debug I found that those tags are not set by SA.


What version are you running? I just tried adding _LASTEXTERNALRDNS_ in
a header on 3.4.2 and it worked.






Can someone explain how to read Bayes stats?

2019-11-27 Thread Anders Gustafsson
I.e.:


pamir:~ # sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       3184          0  non-token data: nspam
0.000          0      17298          0  non-token data: nham
0.000          0     164549          0  non-token data: ntokens
0.000          0 1553643652          0  non-token data: oldest atime
0.000          0 1574862537          0  non-token data: newest atime
0.000          0 1574856320          0  non-token data: last journal sync atime
0.000          0 1574848041          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

I had SA running before, but had to take a break because of upgrades. I have not
had the chance yet to collect over 200 SPAM/HAM messages for training.

-- 
Anders Gustafsson
Engineer, CNI, CNE6, ASE
Pedago, The Aaland Islands (N60 E20)
www.pedago.fi
phone +358 18 12060
mobile +358 40506 7099
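An added example, not from the post above and not part of sa-learn, that reads the `sa-learn --dump magic` output posted and turns the counters into the questions an operator actually has. The row layout is assumed from the posted output: probability, spam count, ham count, atime, then the label, with a non-token row's value in the third column; the atime fields are Unix epoch seconds, and the 200/200 thresholds are SpamAssassin's default `bayes_min_spam_num` / `bayes_min_ham_num`, below which the BAYES_* rules stay silent. On the posted numbers the database already holds 3184 spam and 17298 ham, well past those thresholds, with token access times running from late March to 27 November 2019.

```python
import re
from datetime import datetime, timezone

# Constructed from the `sa-learn --dump magic` output in the post above
# (column alignment restored; the values are the ones posted).
DUMP_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0       3184          0  non-token data: nspam
0.000          0      17298          0  non-token data: nham
0.000          0     164549          0  non-token data: ntokens
0.000          0 1553643652          0  non-token data: oldest atime
0.000          0 1574862537          0  non-token data: newest atime
0.000          0 1574856320          0  non-token data: last journal sync atime
0.000          0 1574848041          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count
"""

# SpamAssassin defaults for bayes_min_spam_num / bayes_min_ham_num: the
# classifier does not score anything until both counts are reached.
BAYES_MIN_SPAM_NUM = 200
BAYES_MIN_HAM_NUM = 200

# Assumed row layout: probability, spam count, ham count, atime, label.
# For "non-token data" rows the value of interest sits in the third column.
MAGIC_RE = re.compile(r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$")


def parse_dump_magic(text):
    """Map each non-token label to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def _utc(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def bayes_summary(stats):
    """Is Bayes active, how balanced is the corpus, and how old is it?"""
    nspam, nham = stats["nspam"], stats["nham"]
    return {
        "active": nspam >= BAYES_MIN_SPAM_NUM and nham >= BAYES_MIN_HAM_NUM,
        "nspam": nspam,
        "nham": nham,
        "ntokens": stats["ntokens"],
        "ham_to_spam_ratio": round(nham / nspam, 2) if nspam else None,
        # atimes are epoch seconds; oldest/newest bound the token access
        # times that the expiry pass (bayes_auto_expire) works on.
        "oldest_token_seen": _utc(stats["oldest atime"]),
        "newest_token_seen": _utc(stats["newest atime"]),
        "last_expiry": _utc(stats["last expiry atime"]),
        "last_journal_sync": _utc(stats["last journal sync atime"]),
        "db_age_days": (stats["newest atime"] - stats["oldest atime"]) // 86400,
    }


if __name__ == "__main__":
    for key, value in bayes_summary(parse_dump_magic(DUMP_MAGIC)).items():
        print(f"{key:20} {value}")
```

A ham:spam ratio of about 5:1 is not a problem in itself, but the two counts should keep growing together; if only spam is ever learned the BAYES_99 side dominates and false positives follow.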







Calling SA from a C program?

2019-11-22 Thread Anders Gustafsson
Excuse me if this is off-topic, but I want to call SA to process email
messages. I have written a C program that receives messages from our mail
system, which has the ability to put received emails in a "third-party" directory
for processing.

Right now I am calling SA by making a simple system() call, but I thought it
might be more efficient to run spamd and call it.

I have not been able to find any docs for this though?

Any ideas?

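SpamAssassin ships its own C client, spamc (built from libspamc.c in the source tree), and the wire protocol it speaks to spamd is documented in the spamd/PROTOCOL file in that tree, so a C program has two routes: exec spamc per message, or reimplement the framing and talk to spamd over a socket. The following is an added example of that framing, written in Python rather than C and not taken from the poster's program or from SpamAssassin: it builds a SYMBOLS request, reads the reply, and parses the `Spam:` header and the rule list. The host and port are spamd's documented defaults (127.0.0.1, TCP 783) and are assumptions about this installation; the sample reply is constructed, not captured. Only `check_with_spamd` needs a running daemon.

```python
import re
import socket

SPAMD_HOST = "127.0.0.1"  # spamd's default listen address (assumption for this site)
SPAMD_PORT = 783          # spamd's default TCP port

# Framing per the spamd PROTOCOL document: request line, headers, blank
# line, message; reply status line, headers, blank line, optional body.
STATUS_RE = re.compile(rb"^SPAMD/(\d+\.\d+) (\d+) (\S+)")
SPAM_RE = re.compile(
    rb"^Spam:\s*(True|False|Yes|No)\s*;\s*(-?\d+(?:\.\d+)?)\s*/\s*(-?\d+(?:\.\d+)?)",
    re.I)


def build_request(message, command="SYMBOLS", user=None):
    """Frame one raw RFC 5322 message (bytes) for spamd."""
    headers = [f"{command} SPAMC/1.5", f"Content-length: {len(message)}"]
    if user:  # lets spamd select that user's preferences and Bayes database
        headers.append(f"User: {user}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + message


def parse_response(raw):
    """Parse a CHECK/SYMBOLS reply into a dict; raises ValueError if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete spamd response: no header terminator")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("bad status line: %r" % lines[0])
    result = {"protocol": m.group(1).decode(), "code": int(m.group(2)),
              "status": m.group(3).decode(), "is_spam": None,
              "score": None, "threshold": None, "symbols": []}
    content_length = None
    for line in lines[1:]:
        s = SPAM_RE.match(line)
        if s:
            result["is_spam"] = s.group(1).lower() in (b"true", b"yes")
            result["score"] = float(s.group(2))
            result["threshold"] = float(s.group(3))
        elif line.lower().startswith(b"content-length:"):
            content_length = int(line.split(b":", 1)[1].strip())
    if content_length is not None:
        if len(body) < content_length:
            raise ValueError("truncated body: expected %d bytes, got %d"
                             % (content_length, len(body)))
        body = body[:content_length]
    if body.strip():
        # SYMBOLS returns the names of the rules that hit, comma-separated
        result["symbols"] = body.decode("ascii", "replace").strip().split(",")
    return result


def check_with_spamd(message, host=SPAMD_HOST, port=SPAMD_PORT, timeout=30.0):
    """Send one message to spamd and return the parsed verdict (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(message))
        sock.shutdown(socket.SHUT_WR)  # done sending; read until spamd closes
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample of a SYMBOLS reply (not captured from a real spamd).
SAMPLE_RESPONSE = (b"SPAMD/1.1 0 EX_OK\r\n"
                   b"Content-length: 39\r\n"
                   b"Spam: True ; 7.4 / 5.0\r\n"
                   b"\r\n"
                   b"RDNS_NONE,HTML_MESSAGE,MIME_HTML_ONLY\r\n")

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

spamd does not authenticate its clients; keep it on loopback or a Unix socket (`--socketpath`) and restrict it with `--allowed-ips`. For the directory-pickup design described above, the PROCESS command returns the full message with the X-Spam-* headers added, which is what the `system()` call currently produces.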







Re: Rule for a link with a numeric IP in body?

2018-10-29 Thread Anders Gustafsson
Thanks. I had some issues installing 3.4, a libc conflict IIRC, so I installed 3.3,
but I have been planning to upgrade. I guess I will just download the source
tarball and build it on the system.


FWIW this system is not facing the internet. The MTA deposits incoming mail
into a folder where SA picks it up, processes it and dumps it into another, where the
MTA picks it up.

Thanks for the pointers. I will have a peek.


>>> "Bill Cole"  2018-10-29 19:08 >>>
Do not run SpamAssassin 3.3.x. It is not safe. There have been multiple 
serious security bugs fixed in the 3.4.x series.



Rule for a link with a numeric IP in body?

2018-10-29 Thread Anders Gustafsson
Is there such a rule already in 3.3.x? I would ideally want a version of that 
that adds to the spam score if it sees a x.x.x.x/unsubscribe link, possibly 
translated.

Asking here as regexps are not really my strong side.

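Both custom-rule questions in this archive, the 2019 one about scoring mail sent to the harvested website address and this 2018 one about links of the form x.x.x.x/unsubscribe, are answered by a `header` rule and a `uri` rule in local.cf. Below is an added example, not from any list post and not SpamAssassin code: a local.cf fragment plus a small Python checker that pulls the Perl regexes out of those rule lines and runs them over a constructed message, so a rule can be sanity-checked offline before the restart (`spamassassin --lint` still has to pass for syntax). The harvested address is elided in the post, so `harvested@example.com` is a placeholder; the rule names, scores and sample message are mine; and the evaluator is a toy, since SpamAssassin's own URI extraction also walks HTML anchors and decodes obfuscated hosts. For the bare-IP case the stock rule NORMAL_HTTP_TO_IP already scores any dotted-decimal URL, so the custom rule only adds weight when the path is an unsubscribe link.

```python
import re

# Hypothetical local.cf fragment (added example; not from any list post).
# The harvested address from the 2019 post is elided on the page, so
# harvested@example.com stands in for it. ToCc is SpamAssassin's pseudo-header
# covering both To: and Cc:.
LOCAL_CF = r"""
header   PEDAGO_HARVESTED_TO   ToCc =~ /\bharvested@example\.com\b/i
describe PEDAGO_HARVESTED_TO   Sent to the address harvested from our website
score    PEDAGO_HARVESTED_TO   1.0

uri      URI_IP_UNSUBSCRIBE    m{^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/unsub}i
describe URI_IP_UNSUBSCRIBE    Unsubscribe link served from a bare IP address
score    URI_IP_UNSUBSCRIBE    2.0
"""

RULE_RE = re.compile(r"^(header|uri|body|rawbody)\s+(\S+)\s+(?:(\S+)\s+=~\s+)?(.+?)\s*$")


def perl_regex_to_python(literal):
    """Accept /.../flags and m{...}flags. These rules only use syntax the two
    engines share (word boundaries, digit classes, counted repeats,
    non-capturing groups, anchors), so a straight re.compile is safe."""
    if literal.startswith("m{"):
        end = literal.rindex("}")
        body, flags = literal[2:end], literal[end + 1:]
    elif literal.startswith("/"):
        end = literal.rindex("/")
        body, flags = literal[1:end], literal[end + 1:]
    else:
        raise ValueError("unsupported regex literal: " + literal)
    py_flags = 0
    for ch, flag in (("i", re.I), ("s", re.S), ("m", re.M), ("x", re.X)):
        if ch in flags:
            py_flags |= flag
    return re.compile(body, py_flags)


def load_rules(cf_text):
    """Collect header/uri/body rules and their scores from a local.cf fragment."""
    rules = {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            kind, name, header, literal = m.groups()
            rules[name] = {"kind": kind, "header": header,
                           "re": perl_regex_to_python(literal), "score": 1.0}
            continue
        parts = line.split(None, 2)
        if parts[0] == "score" and len(parts) == 3 and parts[1] in rules:
            rules[parts[1]]["score"] = float(parts[2])
    return rules


def uris_in(body):
    # Toy extractor: plain http(s) URLs only (SA also finds HTML anchors and
    # canonicalises obfuscated hosts before uri rules run).
    return re.findall(r"https?://[^\s<>\"']+", body, re.I)


def evaluate(rules, headers, body):
    """Return {rule_name: score} for the rules that hit a message."""
    fired = {}
    for name, rule in rules.items():
        if rule["kind"] == "header":
            names = ("To", "Cc") if rule["header"] == "ToCc" else (rule["header"],)
            target = " ".join(headers.get(h, "") for h in names)
            hit = rule["re"].search(target) is not None
        elif rule["kind"] == "uri":
            hit = any(rule["re"].search(u) for u in uris_in(body))
        else:  # body / rawbody
            hit = rule["re"].search(body) is not None
        if hit:
            fired[name] = rule["score"]
    return fired


# Constructed sample message (TEST-NET-3 address, documentation domains).
SAMPLE_HEADERS = {"From": "Promo <promo@example.net>", "To": "harvested@example.com"}
SAMPLE_BODY = ("Great offer inside!\n"
               "To stop these mails: http://203.0.113.7/unsubscribe?id=42\n"
               "Or read more at https://www.example.net/news\n")

if __name__ == "__main__":
    hits = evaluate(load_rules(LOCAL_CF), SAMPLE_HEADERS, SAMPLE_BODY)
    print(hits, "total", sum(hits.values()))
```

The header rule deliberately scores low: legitimate mail to the published address hits it too, so it should only tip messages that are already borderline, which is what the 2019 post asked for.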