Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On 2017-09-15 13:32, RW wrote:

> The default is 500kB for spamc, 256kB is a default for sa-learn.

I have asked this before: Does this mean 500 * 1000 bytes or 512 * 1024 bytes, or something else still? (this is relevant when configuring other stuff which only understands straight byte counts with no suffixes)

--
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On Fri, 15 Sep 2017 00:39:35 +0100 Sebastian Arcus wrote:

> I had to add on my systems a while ago an
> /etc/mail/spamassassin/spamc.conf containing:
>
> -s 200
>
> to increase the maximum size of emails passed to SA. It seems some
> spammers have cottoned onto the fact that 256KB is still hardwired
> somewhere in SA, and started sending spam just above that threshold
> to bypass the filter.

The default is 500kB for spamc, 256kB is a default for sa-learn.
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On 14/09/17 19:59, Loren Wilton wrote:

> > Should be easy to block. Just block the cron-job.org domain.
>
> As someone else mentioned that address is an obvious joe-job. And scoring it high doesn't help that much. It worked for the first few weeks, then they went to contact@ to presumably get around that. I was surprised to see in the last few that they had gone back to the cron-job.org domain for the fake sender.
>
> For some reason these are bypassing SA on my system, I suspect due to the size.

I had to add on my systems a while ago an /etc/mail/spamassassin/spamc.conf containing:

-s 200

to increase the maximum size of emails passed to SA. It seems some spammers have cottoned onto the fact that 256KB is still hardwired somewhere in SA, and started sending spam just above that threshold to bypass the filter.
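Added example, not part of any poster's message: a Python check a mail admin could run over delivered mail to confirm the failure mode discussed above, where messages larger than the scanner's size limit arrive with no SpamAssassin markup. The limit value, the sample messages and the function names are constructed for illustration; `X-Spam-Status` and `X-Spam-Checker-Version` are the headers SpamAssassin adds by default to mail it has processed.

```python
from email import message_from_bytes

# Headers SpamAssassin adds by default to mail it has actually processed.
SA_HEADERS = ("X-Spam-Checker-Version", "X-Spam-Status")


def classify(raw: bytes, max_bytes: int) -> str:
    """Label one raw message: scanned, unscanned-oversize or unscanned-other."""
    msg = message_from_bytes(raw)
    if any(msg.get(h) for h in SA_HEADERS):
        return "scanned"
    # No SA markup: was it simply larger than the configured scan limit?
    return "unscanned-oversize" if len(raw) > max_bytes else "unscanned-other"


def audit(mailbox: dict, max_bytes: int) -> dict:
    """Group (name, size) pairs by classification for a {name: raw_bytes} mailbox."""
    report = {"scanned": [], "unscanned-oversize": [], "unscanned-other": []}
    for name, raw in sorted(mailbox.items()):
        report[classify(raw, max_bytes)].append((name, len(raw)))
    return report


def make_message(subject: str, body_len: int, scanned: bool) -> bytes:
    """Build a constructed sample message with a body of body_len filler bytes."""
    headers = [b"From: sender@example.invalid", b"Subject: " + subject.encode()]
    if scanned:
        headers.append(b"X-Spam-Status: No, score=0.1 required=5.0")
    return b"\r\n".join(headers) + b"\r\n\r\n" + b"x" * body_len


# Assumption: the limit actually in effect, as a plain byte count.
# Replace with the value from your own spamc / procmail configuration.
LIMIT = 256 * 1024

# Constructed samples: one scanned message, one padded past the limit,
# and one small message that went unscanned for some other reason.
SAMPLES = {
    "small-ham": make_message("hello", 2_000, scanned=True),
    "padded-325k": make_message("offer", 325 * 1024, scanned=False),
    "small-unscanned": make_message("note", 2_000, scanned=False),
}

if __name__ == "__main__":
    for label, items in audit(SAMPLES, LIMIT).items():
        print(f"{label}: {items}")
```

Anything reported as `unscanned-other` points at a delivery path that skips the filter for a reason other than size, such as a procmail recipe with its own hard-wired size condition.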
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
Hm, meant this to go to the list, too. The misdirection is part of why I am so quiet on the list, which is why I forget the misbehavior, which reinforces the problem when I reenter the list for a discussion. I gotta mess with my .procmailrc file to rewrite the headers for SA list emails, I guess. Then I can pester people better.

{O,o} (Been using SA since the dark ages - before 2.20 if I recall correctly.)

The fragment of email probably would not base64 decode. It was a fragment from near one of the crossovers in its decorative layout design. This has been going on for a long time now. I catch the spams via other tricks. The "from" headings seem to be less imaginative than they could be.

Loren's actual problem of them leaking through goes back in history to the really old days on a really slow old machine. (Hey - it made over 400 days without a reboot during which it was relocated by about 70 miles to a new "home".) Back then processing more than 250k was too time consuming for that itty bitty machine. It has been replaced. But the .procmailrc recipe still included the 250k hard wired in. AND there was no --max-size=. So I corrected these, I thought. Alas I made it --max-size- thanks to a typo probably when blowing my nose thanks to the stuffiness hangover from a remarkably short head cold I had. That is fixed now.

But I'm mildly wondering if people are seeing that (real or pseudo) base64 junk, in two parts with the real payload, a URL, stuck between them.

{^_^} Joanne

On 2017-09-14 15:35, Benny Pedersen wrote:
jdow wrote on 2017-09-15 00:16:
On 2017-09-14 14:06, Benny Pedersen wrote:
Dianne Skoll wrote on 2017-09-14 20:38:

https://cron-job.org/en/spam-statement/ They are victims of a joe-job.

yes prove that is really is us if it goes, it goes

Loren's canny enough to not blacklist an address based on the from address. The common element in the messages he's been receiving is a 325 kb payload and that "from" address.
I'm sitting in the same room as him on the same network and despite my incoming spam going up to some 75 to 100/day (fron 1/4 of that last year) I am not getting those specific spams. spamassassin here scans up to 1024K, so this could be first step for recipient to make, atleast i found that cron-job.org have valid spf record to reject in mta stage if forged mails from cron-job but if envelope sender is random it not possible to block it in mta stage, if thats the case it would make more sense to make clamav signature for content in this spams to be rejected in sendmail/milter stage i dont know exact spam from them or even seen ham aswell i self scan all mails in spampd so no exections here I get varying lengths and widely varying subjects and from fields. This is a small extract of the body with it's odd visual formatting. (It really shows up if you have line wrapping enabled in a plain text MUA.) aha, encodeing fails ? With a fixed width font it looks almost like overlapping bat wings or saw-tooth waveforms when laid on its side. base64 fails ? :=) {^_^}
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
Dianne Skoll wrote on 2017-09-14 20:38:

> https://cron-job.org/en/spam-statement/
> They are victims of a joe-job.

yes prove that is really is us if it goes, it goes
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On 09/14/2017 01:37 PM, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700 "Loren Wilton" wrote:
>
> > Other than being obvious spam, they seem to be set up as though they were legitimate commercial mailing list stuff, often containing things like contact-id and the like in the links.
> > Is anyone else seeing these?
>
> A small number. The cont...@cron-job.org address is only in the From: header; the envelope recipients look randomly-generated and sometimes from unrelated domains.
>
> Should be easy to block. Just block the cron-job.org domain.

blacklist_from *@cron-job.org
whitelist_auth *@cron-job.org

This should allow messages passing SPF or DKIM and block all others, correct?

> Regards,
> Dianne.

--
David Jones
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
> Should be easy to block. Just block the cron-job.org domain.

As someone else mentioned that address is an obvious joe-job. And scoring it high doesn't help that much. It worked for the first few weeks, then they went to contact@ to presumably get around that. I was surprised to see in the last few that they had gone back to the cron-job.org domain for the fake sender.

For some reason these are bypassing SA on my system, I suspect due to the size.

Loren
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On Thu, 14 Sep 2017, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700 "Loren Wilton" wrote:
>
> > Other than being obvious spam, they seem to be set up as though they were legitimate commercial mailing list stuff, often containing things like contact-id and the like in the links.
> > Is anyone else seeing these?
>
> A small number. The cont...@cron-job.org address is only in the From: header; the envelope recipients look randomly-generated and sometimes from unrelated domains.
>
> Should be easy to block. Just block the cron-job.org domain.

Not to mention that the target URL "proffbuilder DOT com" is listed in several URIBLs.

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include Better is not better, 'standard' is better. B{
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
Hi, again, Aha... https://cron-job.org/en/spam-statement/ They are victims of a joe-job. Regards, Dianne.
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On Thu, 14 Sep 2017 11:27:27 -0700 "Loren Wilton" wrote:

> Other than being obvious spam, they seem to be set up as though they
> were legitimate commercial mailing list stuff, often containing
> things like contact-id and the like in the links.
> Is anyone else seeing these?

A small number. The cont...@cron-job.org address is only in the From: header; the envelope recipients look randomly-generated and sometimes from unrelated domains.

Should be easy to block. Just block the cron-job.org domain.

Regards,
Dianne.
In anyone else getting 325KB spams from cont...@cron-job.org?
For about a month now I've been getting about 30 spams a day that are all in the range of 325KB in size. This is all in two bogus style tags. The message itself is usually just a few links, very often to proffbuilder.com. The from address is always a random name, but the email address is very often cont...@cron-job.org.

Other than being obvious spam, they seem to be set up as though they were legitimate commercial mailing list stuff, often containing things like contact-id and the like in the links.

Is anyone else seeing these?

Loren