Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-15 Thread Ian Zimmerman
On 2017-09-15 13:32, RW wrote:

> The default is 500kB for spamc, 256kB is a default for sa-learn.  

I have asked this before:

Does this mean 500 * 1000 bytes or 512 * 1024 bytes, or something else
still?

(this is relevant when configuring other stuff which only understands
straight byte counts with no suffixes)

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-15 Thread RW
On Fri, 15 Sep 2017 00:39:35 +0100
Sebastian Arcus wrote:


> I had to add on my systems a while ago an 
> /etc/mail/spamassassin/spamc.conf containing:
> 
> -s 200
> 
> to increase the maximum size of emails passed to SA. It seems some 
> spammers have cottoned onto the fact that 256KB is still hardwired 
> somewhere in SA, and started sending spam just above that threshold
> to bypass the filter.

The default is 500kB for spamc, 256kB is a default for sa-learn.  


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Sebastian Arcus


On 14/09/17 19:59, Loren Wilton wrote:

>> Should be easy to block.  Just block the cron-job.org domain.
>
> As someone else mentioned that address is an obvious joe-job. And
> scoring it high doesn't help that much. It worked for the first few
> weeks, then they went to contact@ to presumably get
> around that. I was surprised to see in the last few that they had gone
> back to the cron-job.org domain for the fake sender.
>
> For some reason these are bypassing SA on my system, I suspect due to
> the size.

I had to add on my systems a while ago an
/etc/mail/spamassassin/spamc.conf containing:

-s 200

to increase the maximum size of emails passed to SA. It seems some
spammers have cottoned onto the fact that 256KB is still hardwired
somewhere in SA, and started sending spam just above that threshold to
bypass the filter.


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread jdow
Hm, meant this to go to the list, too. The misdirection is part of why I am so 
quiet on the list, which is why I forget the misbehavior, which reinforces the 
problem when I reenter the list for a discussion. I gotta mess with my 
.procmailrc file to rewrite the headers for SA list emails, I guess. Then I can 
pester people better. {O,o} (Been using SA since the dark ages - before 2.20 if 
I recall correctly.)


The fragment of email probably would not base64 decode. It was a fragment from
near one of the crossovers in its decorative layout design. This has been going
on for a long time now. I catch the spams via other tricks. The "from" headings
seem to be less imaginative than they could be.


Loren's actual problem of them leaking through goes back in history to the 
really old days on a really slow old machine. (Hey - it made over 400 days 
without a reboot during which it was relocated by about 70 miles to a new 
"home".) Back then processing more than 250k was too time consuming for that 
itty bitty machine. It has been replaced. But the .procmailrc recipe still 
included the 250k hard wired in. AND there was no --max-size=. So I 
corrected these, I thought. Alas I made it --max-size- thanks to a typo 
probably when blowing my nose thanks to the stuffiness hangover from a 
remarkably short head cold I had.


That is fixed now. But I'm mildly wondering if people are seeing that (real or 
pseudo) base64 junk, in two parts with the real payload, a URL, stuck between them.


{^_^}   Joanne

On 2017-09-14 15:35, Benny Pedersen wrote:

> jdow wrote on 2017-09-15 00:16:
>
>> On 2017-09-14 14:06, Benny Pedersen wrote:
>>
>>> Dianne Skoll wrote on 2017-09-14 20:38:
>>>
>>>> https://cron-job.org/en/spam-statement/
>>>> They are victims of a joe-job.
>>>
>>> yes, prove that it really is us
>>>
>>> if it goes, it goes
>>
>> Loren's canny enough to not blacklist an address based on the from
>> address. The common element in the messages he's been receiving is a
>> 325 kb payload and that "from" address. I'm sitting in the same room
>> as him on the same network and despite my incoming spam going up to
>> some 75 to 100/day (from 1/4 of that last year) I am not getting those
>> specific spams.
>
> spamassassin here scans up to 1024K, so this could be the first step for the
> recipient to make; at least I found that cron-job.org has a valid SPF record,
> to reject forged mails from cron-job at the MTA stage
>
> but if the envelope sender is random it is not possible to block it at the MTA
> stage; if that's the case it would make more sense to make a clamav signature
> for the content in these spams, to be rejected at the sendmail/milter stage
>
> I don't know the exact spam from them, or even seen ham as well
>
> I myself scan all mails in spampd so no exceptions here
>
>> I get varying lengths and widely varying subjects and from fields.
>> This is a small extract of the body with its odd visual formatting.
>> (It really shows up if you have line wrapping enabled in a plain text
>> MUA.)
>
> aha, encoding fails?
>
>> QYC9LYOXDU89JN94BBNNV5XED3HBHIJJWPNYTM38GKBBEF52G4T4BO6
>> reny9phehn9n65ibtzjmp8mssof5lq4qkqh5s59l4ezpztqmp1kb8r6c13p
>> SZFCF44OC5IWAUYLFBY8HZE6TCY71DPXYJQLZ2VSLRJLFVSWKP3ERPVK
>> 2o3l61lnch8kfyub9ecnj2uv5oeg1zb2qdmfieeo84hzenq7devn4liwhy
>> E66ALUU4CIGV29JRRU6WPWZC4EI1WCP5M55SOZE8PBM9OH5U7WLUEGW8W
>> 1tsq2nanaolmpm21q164t5o1ry2wc5gcq25q8d72eanj87ep7stgq58wa
>> VPNGHS4AET938S0OH263OGOBK1HKV5NDUMJPVDQALPP1XXM9YFGG7YH7ZR
>> cteeydhbt8ak7ycksvpvy8yeu3db3wf9iazx7n8jo21xdhd5vafc24l0
>> V8K7ENHU8RAWL9WPPHHAC0ZVTWXL8R98GAJX5CDH7EKWZC64TM4VHVPTA86
>> chy2kxu9196hwzvgedt7giw8iq22e89gfymg2sf4s2nebuorx7pqjtq
>> 3SO1H0IYX7COZLSMVCGAS4N94AAV7XIWK0FE7WVDPO2W68DJM0FVQE3F0MP1
>>
>> With a fixed width font it looks almost like overlapping bat wings or
>> saw-tooth waveforms when laid on its side.
>
> base64 fails? :=)
>
>> {^_^}
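As an added illustration (not code from anyone in this thread, and not a SpamAssassin rule), here is a small Python check over the eleven filler lines jdow quoted above. It records whether the run is even syntactically valid base64, and flags the feature that makes this filler visually distinctive: every line is entirely one letter case, and the case flips from line to line, which real base64 output practically never does. The comparison line, the `min_lines` threshold and the heuristic itself are my own assumptions.

```python
import base64
import binascii
import re

# The eleven filler lines jdow quoted in the thread above, used here as sample input.
FILLER_LINES = [
    "QYC9LYOXDU89JN94BBNNV5XED3HBHIJJWPNYTM38GKBBEF52G4T4BO6",
    "reny9phehn9n65ibtzjmp8mssof5lq4qkqh5s59l4ezpztqmp1kb8r6c13p",
    "SZFCF44OC5IWAUYLFBY8HZE6TCY71DPXYJQLZ2VSLRJLFVSWKP3ERPVK",
    "2o3l61lnch8kfyub9ecnj2uv5oeg1zb2qdmfieeo84hzenq7devn4liwhy",
    "E66ALUU4CIGV29JRRU6WPWZC4EI1WCP5M55SOZE8PBM9OH5U7WLUEGW8W",
    "1tsq2nanaolmpm21q164t5o1ry2wc5gcq25q8d72eanj87ep7stgq58wa",
    "VPNGHS4AET938S0OH263OGOBK1HKV5NDUMJPVDQALPP1XXM9YFGG7YH7ZR",
    "cteeydhbt8ak7ycksvpvy8yeu3db3wf9iazx7n8jo21xdhd5vafc24l0",
    "V8K7ENHU8RAWL9WPPHHAC0ZVTWXL8R98GAJX5CDH7EKWZC64TM4VHVPTA86",
    "chy2kxu9196hwzvgedt7giw8iq22e89gfymg2sf4s2nebuorx7pqjtq",
    "3SO1H0IYX7COZLSMVCGAS4N94AAV7XIWK0FE7WVDPO2W68DJM0FVQE3F0MP1",
]

# A constructed, genuine base64 line for comparison: "Hello, world!" encoded.
REAL_B64_LINE = "SGVsbG8sIHdvcmxkIQ=="

# Base64 alphabet per line, with optional trailing '=' padding.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def decodes_as_base64(text: str) -> bool:
    """True if text is syntactically valid base64 (alphabet, grouping and padding)."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def line_case(line: str) -> str:
    """Classify the letters in a line as 'upper', 'lower' or 'mixed'."""
    letters = [c for c in line if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        return "upper"
    if letters and all(c.islower() for c in letters):
        return "lower"
    return "mixed"


def filler_report(lines) -> dict:
    """Summarise a run of base64-looking lines taken from a message body."""
    lines = [l.strip() for l in lines if l.strip()]
    cases = [line_case(l) for l in lines]
    blob = "".join(lines)
    return {
        "lines": len(lines),
        "chars": len(blob),
        "alphabet_ok": all(B64_LINE.match(l) is not None for l in lines),
        "single_case_lines": sum(1 for c in cases if c != "mixed"),
        # Whole-line case flipping on every line is what the "bat wings" look like.
        "alternating_case": len(cases) > 1
        and all(cases[i] != cases[i + 1] for i in range(len(cases) - 1)),
        "decodes": decodes_as_base64(blob),
    }


def looks_like_fake_base64(lines, min_lines: int = 4) -> bool:
    """Heuristic (assumed, not an SA rule): base64 alphabet, every line single-case,
    and the case flips on every line; needs at least min_lines lines to fire."""
    r = filler_report(lines)
    return (
        r["lines"] >= min_lines
        and r["alphabet_ok"]
        and r["single_case_lines"] == r["lines"]
        and r["alternating_case"]
    )


if __name__ == "__main__":
    print(filler_report(FILLER_LINES))
    print("fake-looking filler:", looks_like_fake_base64(FILLER_LINES))
```

Genuine base64 of any non-trivial payload mixes upper- and lower-case letters within a line, so `looks_like_fake_base64` stays quiet on real attachments; the point is only to show that the bulk padding in these messages can be recognised by its shape, independently of the message size limit that was letting it through.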




Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Benny Pedersen

Dianne Skoll wrote on 2017-09-14 20:38:

> https://cron-job.org/en/spam-statement/
> They are victims of a joe-job.

yes, prove that it really is us

if it goes, it goes


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread David Jones

On 09/14/2017 01:37 PM, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700
> "Loren Wilton"  wrote:
>
>> Other than being obvious spam, they seem to be set up as though they
>> were legitimate commercial mailing list stuff, often containing
>> things like contact-id and the like in the links.
>
>> Is anyone else seeing these?
>
> A small number.  The cont...@cron-job.org address is only in the From:
> header; the envelope recipients look randomly-generated and sometimes
> from unrelated domains.
>
> Should be easy to block.  Just block the cron-job.org domain.

blacklist_from *@cron-job.org
whitelist_auth *@cron-job.org

This should allow messages passing SPF or DKIM and block all others,
correct?

> Regards,
>
> Dianne.

--
David Jones


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Loren Wilton

> Should be easy to block.  Just block the cron-job.org domain.


As someone else mentioned that address is an obvious joe-job. And scoring it 
high doesn't help that much. It worked for the first few weeks, then they 
went to contact@ to presumably get around that. I was 
surprised to see in the last few that they had gone back to the cron-job.org 
domain for the fake sender.


For some reason these are bypassing SA on my system, I suspect due to the 
size.


   Loren 



Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread David B Funk

On Thu, 14 Sep 2017, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700
> "Loren Wilton"  wrote:
>
>> Other than being obvious spam, they seem to be set up as though they
>> were legitimate commercial mailing list stuff, often containing
>> things like contact-id and the like in the links.
>
>> Is anyone else seeing these?
>
> A small number.  The cont...@cron-job.org address is only in the From:
> header; the envelope recipients look randomly-generated and sometimes
> from unrelated domains.
>
> Should be easy to block.  Just block the cron-job.org domain.

Not to mention that the target URL "proffbuilder DOT com" is listed in several
URIBLs.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Dianne Skoll
Hi, again,

Aha...

https://cron-job.org/en/spam-statement/

They are victims of a joe-job.

Regards,

Dianne.


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Dianne Skoll
On Thu, 14 Sep 2017 11:27:27 -0700
"Loren Wilton"  wrote:

> Other than being obvious spam, they seem to be set up as though they
> were legitimate commercial mailing list stuff, often containing
> things like contact-id and the like in the links.

> Is anyone else seeing these?

A small number.  The cont...@cron-job.org address is only in the From:
header; the envelope recipients look randomly-generated and sometimes
from unrelated domains.

Should be easy to block.  Just block the cron-job.org domain.

Regards,

Dianne.



In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Loren Wilton
For about a month now I've been getting about 30 spams a day that are all in
the range of 325KB in size. This is all in two bogus style tags. The message
itself is usually just a few links, very often to proffbuilder.com. The
from address is always a random name, but the email address is very often
cont...@cron-job.org.


Other than being obvious spam, they seem to be set up as though they were 
legitimate commercial mailing list stuff, often containing things like 
contact-id and the like in the links.


Is anyone else seeing these?

   Loren