Re: KAM pccc URIBL questions
On 10/7/2013 10:37 PM, Rob McEwen wrote:
> On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
>> This is harming more than it does good. But it's your list so your rules ;) I would not want to use it to filter my mails with it but hey
>
> Since this is in its early development, it is probably too early to judge it too much. But from what I've read in this discussion, it is light years away from the current major URI/domain blacklists out there (SURBL, URIBL, ivmURI, DBL)... BUT... Kevin is brilliant so who knows what it might eventually become?

Thanks. You're quite kind. I've helped with some of the other lists but what I'm trying to focus on is tools and methods to identify spam and spammers.

> ALSO... There is an argument that a more-aggressive-than-normal AND low-scoring URI list may be helpful? In that sense, URIBL.com has traditionally been considered slightly more aggressive than the other lists mentioned above... SLIGHTLY! Maybe something much MORE aggressive, intended for very low scoring... would be useful? (this would be situations where bayes or checksum content filters add points to the spam score combined with such an aggressive URI list putting the message over the top... but then skipping blocking a legit message with this URI because it didn't have the other content points added and thus didn't score high enough--at least that is the idea)

I think some aggression is needed because, as DFS and others put it, they need an impetus to change their methods. For example, we can't just allow companies carte blanche to spam and give commissions to spammers but then claim they aren't spammers by just saying it's our 3rd party partners. The good news is that cvent took notice of the blocking and contacted me offlist, so I've removed their domains from the RBL while I discuss things with them in good faith towards improving their anti-spam procedures.

Regards,
KAM
Re: KAM pccc URIBL questions
On 10/7/2013 7:53 PM, Martin Gregorie wrote:
> If, on inspection, there is any reliable way to distinguish spam from ham in the stream coming from cvent, you could drop the RBL score down a lot (0.01 ?) and write a meta that blocks just the spam.

Perhaps, but I do think there is some measure of a need for negative consequences for many firms to be reliable and conscientious netizens. I'm not out to get cvent but I do have some pretty hard evidence they have a spamming problem. I'm very interested in what they say about it and I'm giving them the opportunity to explain.

regards,
KAM
Re: KAM pccc URIBL questions
On 10/7/2013 7:38 PM, Alex wrote:
>> How would another RBL handle a company that I have personally received evidence of spamming even if it causes FPs?
>
> Apparently none of the other RBLs consider it spam.

Well then the RBL I'm envisioning might be different. But my goal is to get a framework done and a Proof of Concept and hand it over to the project so it could evolve.

> I've asked the list a few times before about similar companies, such as verticalresponse.com, which are also mass e-marketers, and I doubt very much whether all recipients have signed up for their newsletters or webinars. There wasn't really any consensus on the list for this sender either. I've left them off my blacklist for now, despite seeing messages pertaining to hair care and gutter cleaning from their customers. They're also not on any public blocklists.

I haven't seen any samples for them but I have some techniques I use with things like specific email addresses, etc. that make misuse very apparent. I often see spams that appear to be database compromises because of this. Just looking at a few days' sampling, I can spot:

eWeek
Seagate
MotleyFool
Joomla Shack
Dropbox
DynDNS
Online Sports
Red Envelope
WhitePaperWizard
SecurePayNet/Wild West Domains

That's a 5 minute list and there could be explanations beyond database compromises. But I'm sure people like DFS and those who use one-off/specific email addresses for vendors can tell you about when they see supposedly private information get out with no notification to those affected. And I'm not listing the companies that I've contacted who have appropriately gone "Oh Crap!" and handled it professionally. Some like SecurePayNet handled it very unprofessionally in my opinion, wasting the time of people like me just trying to help them realize they have a major security risk. Lead a horse to water...

> How many of those are now on the dbl or zen?

Spot checking URIBL_DBL shows some overlap but it's very minimal when the entries are added. As the days go by, the overlap appears higher. I only have __RCVD_IN_ZEN so I don't have logging of subtests, so I can't easily check overlap.

>> I agree it has collateral damage. You can explain to them that the emails can be found marked as spam because the company running the events are spammers, is my main response. And searching more about cvent.com just makes me question their practices, and others (such as http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed what I have seen, which is harvesting of Whois data and spamming it.
>
> Yeah, I saw that too. Their response to me would be to figure out a way to only let their legitimate stuff through. I could probably also make some noise to get a contact there through my customer, but it would probably only lead to lip service. I'd never be able to get them to switch providers, and as we've seen with verticalresponse, the alternatives have issues too.

I am a bit jaded as well but I have a nice email from someone at cvent to go deal with, so I'll keep my faith in humanity a bit longer.

> I just figured that since it's immediately being dropped, perhaps sending them a bounce would help to control the number you receive from them, if not just firewall their block outright.

Or just let them know what they have to scrap out of their lists to hide the problem... Yes, it's nice to stop spam but I'm reaching for a higher goal: to stop spammers.

> That's because you don't do business with them, so anything received is unsolicited. In my case, corporate communications are actually being blocked.

Conjecture that's untrue. I blocked them noting the collateral damage but again, on our system, we do not block mail; we receive it and it's tagged as spam, allowing a user to manually intervene and get the email. We encourage them to contact the company to complain and/or switch to more reputable vendors.

Regards,
KAM
Re: KAM pccc URIBL questions
On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
> Apparently other RBLs care more about collateral damage. I would not list this. You would not list microsoft.com either if you accidentally get a spam that you feel isn't appropriate. This is harming more than it does good. But it's your list so your rules ;) I would not want to use it to filter my mails with it but hey ;)

Hi Raymond,

I'm not telling people to use the list to block and I'm admitting I have high scores which some might want to seriously dial down. And I think I will have to consider the collateral damage and document it for those interested in the list.

But to answer the theoretical question, if I got multiple spams over a course of weeks from employees at Microsoft, I would consider blocking them because it can show a culture of spamminess. Would I block gmail or their outlook service for the same reason? No. But I continually have problems with Google Groups that are abused, especially in Arabic, and damned if I can get anyone at Google to give a damn. So if I thought blocking google groups might get some attention on the matter, I would consider it. This follows the same reasoning. The emails I have are not from 3rd parties or customers of a system but from people working at the system itself.

regards,
KAM
Re: KAM pccc URIBL questions
On Wed, 2013-10-09 at 13:18 -0400, Kevin A. McGrail wrote:
> On 10/7/2013 7:53 PM, Martin Gregorie wrote:
>> If, on inspection, there is any reliable way to distinguish spam from ham in the stream coming from cvent, you could drop the RBL score down a lot (0.01 ?) and write a meta that blocks just the spam.
>
> Perhaps but I do think there is some measure of a need for negative consequences for many firms to be reliable and conscientious netizens.

I'm not disagreeing with you: it would be nice if the likes of cvent would police their subscribers better, ideally by running subscriber output streams through SA. My suggestion was meant for the OP rather than generally, and was made on the assumption that cvent was not going to listen to any criticism or police its subscribers.

> I'm not out to get cvent but I do have some pretty hard evidence they have a spamming problem. I'm very interested in what they say about it and I'm giving them the opportunity to explain.

A low-cost solution would be for their outgoing MTA to add a header to tag outgoing messages with the identity of the subscriber. This is unforgeable since it would be added by the sending smarthost, and would make it easy to block spamming cvent subscribers with a meta-rule while leaving other mail sources alone. It would also leave the definition of a 'spammer' to the receiving MTA. This has benefits since some message content is not universally regarded as spam.

Cheers,
Martin
Re: KAM pccc URIBL questions
On Wed, 09 Oct 2013 19:31:41 +0100
Martin Gregorie mar...@gregorie.org wrote:

> My suggestion was meant for the OP rather than generally, and was made on the assumption that cvent was not going to listen to any criticism or police its subscribers.

Surely a mailing list provider that does not police its subscribers absolutely deserves to be blocked?

> A low-cost solution would be for their outgoing MTA to add a header to tag outgoing messages with the identity of the subscriber.

Mailing list providers have no incentive to do this unless/until they start getting blocked. It's simple economics.

Regards,
David.
KAM's email to Cvent Re: KAM pccc URIBL questions
Below is a copy of the email from Cvent and my response, with some minor redaction so as to keep who I'm in discussion with private unless they want to take the discussion public.

regards,
KAM

Sorry for the delay on this response but I wanted to give it some serious attention, especially as the chair of the SpamAssassin project. As part of that project, I have an onus to the foundation to maintain transparency and discuss this on the mailing list (see http://theapacheway.com/ for more about this). For now, I've cc'd the project management committee and will forward a copy of the email removing your name, but welcome this discussion to continue on the Users forum for SpamAssassin. I think if you can show you are working in good faith to fix the issues, you will see the anti-spam community rally behind you.

First off, I have removed your current RBL entry from the list in discussion based solely on the fact that you have reached out in good faith on a dialogue about the issue. Thank you for taking the time to do that. I look very much forward to your response and will keep an open mind.

Second, I will give you a portion of the evidence I have. However, to me, this is less about fixing specific issues of spam and instead fixing either the culture or architecture that is allowing this systemic abuse.

For example, I can see some abuse by one of your customers:

vette:Aug 21 10:51:40 2013 (15216) TheBoard post from webin...@crowdcompass.com held, message-id=0eb40c9d-3fbf-41e9-bba0-b6affc1a9af4-x...@cventinvite.com: Post by non-member to a members-only list
vette:Aug 28 10:53:36 2013 (15216) TheBoard post from webin...@crowdcompass.com held, message-id=4ca68d68-c5ad-4c87-a0a3-854f5afe38c8-x...@cventinvite.com: Post by non-member to a members-only list
vette:Sep 03 10:51:55 2013 (15216) TheBoard post from webin...@crowdcompass.com held, message-id=79c0efae-c209-492c-ac2d-48ada0b3bebd-x...@cventinvite.com: Post by non-member to a members-only list

This is something where sometimes your only recourse is canceling the customer's account or limiting their email abilities. However, I've also seen cases where companies have 'free trials' or poor credit card fraud procedures which lead to people signing up for accounts they plan to run the wheels off. In these cases, we need to see a systemic change in that procedure. In other cases, we've seen companies blame everything on partners who receive commissions and therefore say they aren't responsible for the activities of the partner. Well, from our perspective they are responsible.

We follow one definition of spam from Chris Santerre, which is "Spam is about Consent, not Content." If the consent is there, it's not spam. And I am a capitalist and believe things like someone purchasing from your firm is a de facto consent to send necessary documents (receipts, terms of service, follow-up pings, etc.) UNTIL that customer asks to be removed or you haven't contacted them in a protracted period of time.

Unfortunately, in the next two examples, I have received unsolicited emails from *Darrell Gehrt* purporting to be the Division Head, Web Surveys at your firm. Checking LinkedIn and your firm's blog concur. And I also have unsolicited emails from *Meg Stensrud* purporting to be a Regional Sales Manager at your firm. Again, LinkedIn appears to confirm this information, and the latter is the one that appears to have used scraped whois data tied to an address where they have incorrectly tied me to Springvalley Law Group.

Two example headers are available at http://pastebin.com/Q0knc6ei

Interestingly, http://washington.oneyellow.com/ID/1277768 shows Springvalley Law Group at 5335 Wisconsin Ave NW, # 400, Washington, DC 20015, Local Phone: (202)895-1648, Fax: (202)966-6455. That address USED to be Luse Lehman Gorman Pomerenk and Schick, which I have been associated with in whois records, but this shows scraping and cross-database use that points to a foundational issue and misuse of database mining in marketing campaigns at your firm. I should also mention that email address hasn't been used actively in over 10 years, which shows a very protracted length of time for legitimate business.

But perhaps you can defend this with some provenance on the email addresses. But I'm sure you won't be able to show anything with Springvalley Law Group. In the end, I won't be shocked at all if the best you can find out is you have some people in your marketing department doing some very shady marketing. The real question is what you can do to fix the issue.

If we continue to see unwanted email, we may list them again. We rely on your proactive monitoring of your customers (and employees/agents/contracts/etc.) to ensure that this won't happen; the onus should not be on us to report spam to you.

regards,
KAM

On 10/7/2013 2:45 PM, XXX wrote:
> Hello Kevin McGrail,
>
> Your posting today on the SpamAssassin users list was
Re: KAM pccc URIBL questions
On Mon, 7 Oct 2013 19:38:38 -0400
Alex mysqlstud...@gmail.com wrote:

> I've asked the list a few times before about similar companies, such as verticalresponse.com, which are also mass e-marketers, and I doubt very much whether all recipients have signed up for their newsletters or webinars.

My preference is to list quasi-legitimate spammers as spammers or at the very least as a mixed source. Companies like verticalresponse.com et al. have no economic incentive to curb spamming unless they are threatened with a bad reputation. I realize this may not go over well if you have customers who use the service or want to receive mail from it, so a light hand is required.

We maintain an (IP-based) RBL and most of these quasi-legit spammers end up on the mixed list, which is as the name implies: these IPs are shady but not bad enough to block outright, so we add a couple of points.

Regards,
David.
Re: KAM pccc URIBL questions
Hi,

>> I've asked the list a few times before about similar companies, such as verticalresponse.com, which are also mass e-marketers, and I doubt very much whether all recipients have signed up for their newsletters or webinars.
>
> My preference is to list quasi-legitimate spammers as spammers or at the very least as a mixed source. Companies like verticalresponse.com et al. have no economic incentive to curb spamming unless they are threatened with a bad reputation.

I've done that to some extent, and have been moderately successful. I found it competes with some of the whitelists, ironically. I'm assuming this is a service you offer, or would you be able to share your list?

Thanks everyone for your help.

Thanks,
Alex
Re: KAM pccc URIBL questions
On 10/6/2013 7:09 PM, Alex wrote:
> I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com URIBL. Why is it designed to be a poison pill? It caught cvent.com, causing a bunch of mail to FP. I'm just curious if this URIBL is indeed this trustworthy, if these KAM rules are still used, and how it is working for you?

I use those rules ;-)

And currently that RBL is in testing stages where I am personally vetting all the data. So I believe the trustability is quite high. Please email if you have questions and we do look at them.

cvent-munge.com was added on 9-24 and cventsurveys-munge.com added on 10-1. I personally received the spam from them from what appears to be scraped whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails. So if cvent is legit, they are being abused by people sending spam and I consider them candidates for the list, but I'm open to suggestions.

I then considered removing the entries but upon checking further, I found more spams from people who work at cvent. And it appears they have scraped my association with a law firm by address in whois (5335 wisconsin avenue) and tied me to Springvalley Law Group. Right address, wrong suite, wrong company, still never had permission to spam me.

They are spammers and should be blocked. If you are using them, consider taking your business elsewhere as they support spammers using their system AND they themselves send spam. I am also positive, but only from memory, that they spam an NPO I work with as well, all the time trying to get us to use their services.

I also might recommend you consider lowering the scores I am using. I often write poison pill rules that the project would never allow but they are based on careful analysis of my corpora. YMMV and I'm open to feedback as I mentioned. Just don't expect to always like my decisions.

Regards,
KAM
Re: KAM pccc URIBL questions
Hi Kevin,

>> I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com URIBL. Why is it designed to be a poison pill? It caught cvent.com, causing a bunch of mail to FP. I'm just curious if this URIBL is indeed this trustworthy, if these KAM rules are still used, and how it is working for you?
>
> I use those rules ;-)
>
> And currently that RBL is in testing stages where I am personally vetting all the data. So I believe the trustability is quite high. Please email if you have questions and we do look at them.
>
> cvent-munge.com was added on 9-24 and cventsurveys-munge.com added on 10-1.

How about just cvent.com? I've uploaded the headers from one FP here: http://pastebin.com/UDuDcp4F

> I personally received the spam from them from what appears to be scraped whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails. So if cvent is legit, they are being abused by people sending spam and I consider them candidates for the list but I'm open to suggestions.

They're a huge event planning company, but also apparently are email marketers.

Somehow I forgot this was your RBL. How many entries are on it? What's your procedure for adding them?

> I also might recommend you consider lowering the scores I am using. I often write poison pill rules that the project would never allow but they are based on careful analysis of my corpora. YMMV and I'm open to feedback as I mentioned. Just don't expect to always like my decisions.

We had one user complain, and after investigating, realized there are hundreds of messages in the quarantine from this sender. They mostly appear to be just e-marketing crap, but there are a few where people have actually planned events and missed their confirmation emails, etc., so I can't just block them.

With a poison pill attitude towards them, wouldn't it just be better to reject them outright?

Anyway, I'm hoping you could explain your RBL further, because I value your expertise, and would like to take advantage of this, but will probably have to adapt a bit for my environment.

Thanks buddy,
Alex
Re: KAM pccc URIBL questions
On 10/7/2013 6:18 PM, Alex wrote:
> How about just cvent.com? I've uploaded the headers from one FP here: http://pastebin.com/UDuDcp4F

How would another RBL handle a company that I have personally received evidence of spamming even if it causes FPs?

>> I personally received the spam from them from what appears to be scraped whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails. So if cvent is legit, they are being abused by people sending spam and I consider them candidates for the list but I'm open to suggestions.
>
> They're a huge event planning company, but also apparently are email marketers.

Agreed. I see the duality issue. I just don't know that I plan to give them any leniency.

> Somehow I forgot this was your RBL. How many entries are on it?

Approximately 1700 for the past 30 days.

> What's your procedure for adding them?

Right now, very manual. We are testing procedures that bring more automation to the research process.

>> I also might recommend you consider lowering the scores I am using. I often write poison pill rules that the project would never allow but they are based on careful analysis of my corpora. YMMV and I'm open to feedback as I mentioned. Just don't expect to always like my decisions.
>
> We had one user complain, and after investigating, realized there are hundreds of messages in the quarantine from this sender. They mostly appear to be just e-marketing crap, but there are a few where people have actually planned events and missed their confirmation emails, etc., so I can't just block them.

I agree it has collateral damage. You can explain to them that the emails can be found marked as spam because the company running the events are spammers, is my main response. And searching more about cvent.com just makes me question their practices, and others (such as http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed what I have seen, which is harvesting of Whois data and spamming it.

> With a poison pill attitude towards them, wouldn't it just be better to reject them outright?

I don't use any RBLs for rejection, only for scoring.

> Anyway, I'm hoping you could explain your RBL further, because I value your expertise, and would like to take advantage of this, but will probably have to adapt a bit for my environment.

Understood completely, and the scores are there for you to override. The RBL is built out of a manually-reviewed corpora of complaints that I cull together from users. The scores reflect that it's seen and approved as being consistent with a spammer. And cvent.com isn't a FP because I've personally reviewed the corpora entry and it's not only scraped, they also added technology to try and make the scraping appear more personal, but that technology introduced errors. Whether they are buying lists or doing this internally, the emails I sampled did not come from partners but from people inside the firm. As such I can only gather that they have a piss poor culture of spamming.

Regards,
KAM
Re: KAM pccc URIBL questions
Hi,

>> How about just cvent.com? I've uploaded the headers from one FP here: http://pastebin.com/UDuDcp4F
>
> How would another RBL handle a company that I have personally received evidence of spamming even if it causes FPs?

Apparently none of the other RBLs consider it spam.

I've asked the list a few times before about similar companies, such as verticalresponse.com, which are also mass e-marketers, and I doubt very much whether all recipients have signed up for their newsletters or webinars. There wasn't really any consensus on the list for this sender either. I've left them off my blacklist for now, despite seeing messages pertaining to hair care and gutter cleaning from their customers. They're also not on any public blocklists.

>> Somehow I forgot this was your RBL. How many entries are on it?
>
> Approximately 1700 for the past 30 days.

How many of those are now on the dbl or zen?

> I agree it has collateral damage. You can explain to them that the emails can be found marked as spam because the company running the events are spammers, is my main response. And searching more about cvent.com just makes me question their practices, and others (such as http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed what I have seen, which is harvesting of Whois data and spamming it.

Yeah, I saw that too. Their response to me would be to figure out a way to only let their legitimate stuff through. I could probably also make some noise to get a contact there through my customer, but it would probably only lead to lip service. I'd never be able to get them to switch providers, and as we've seen with verticalresponse, the alternatives have issues too.

>> With a poison pill attitude towards them, wouldn't it just be better to reject them outright?
>
> I don't use any RBLs for rejection, only for scoring.

I just figured that since it's immediately being dropped, perhaps sending them a bounce would help to control the number you receive from them, if not just firewall their block outright.

> The RBL is built out of a manually-reviewed corpora of complaints that I cull together from users. The scores reflect that it's seen and approved as being consistent with a spammer. And cvent.com isn't a FP because I've personally reviewed the corpora entry and it's not only scraped, they also

That's because you don't do business with them, so anything received is unsolicited. In my case, corporate communications are actually being blocked.

I'm going to keep a closer eye on them, and manually inspect more of their mail to figure out what to do next.

Thanks,
Alex
Re: KAM pccc URIBL questions
Hai!

>>> How about just cvent.com? I've uploaded the headers from one FP here: http://pastebin.com/UDuDcp4F
>>
>> How would another RBL handle a company that I have personally received evidence of spamming even if it causes FPs?
>
> Apparently none of the other RBLs consider it spam.

Apparently other RBLs care more about collateral damage. I would not list this. You would not list microsoft.com either if you accidentally get a spam that you feel isn't appropriate. This is harming more than it does good. But it's your list so your rules ;) I would not want to use it to filter my mails with it but hey ;)

> That's because you don't do business with them, so anything received is unsolicited. In my case, corporate communications are actually being blocked.
>
> I'm going to keep a closer eye on them, and manually inspect more of their mail to figure out what to do next.

That's telling it all ...

Bye,
Raymond.
Re: KAM pccc URIBL questions
On Mon, 2013-10-07 at 19:38 -0400, Alex wrote:
> There wasn't really any consensus on the list for this sender either. I've left them off my blacklist for now, despite seeing messages pertaining to hair care and gutter cleaning from their customers. They're also not on any public blocklists.

If, on inspection, there is any reliable way to distinguish spam from ham in the stream coming from cvent, you could drop the RBL score down a lot (0.01 ?) and write a meta that blocks just the spam.

Martin
Re: KAM pccc URIBL questions
On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
> This is harming more than it does good. But it's your list so your rules ;) I would not want to use it to filter my mails with it but hey

Since this is in its early development, it is probably too early to judge it too much. But from what I've read in this discussion, it is light years away from the current major URI/domain blacklists out there (SURBL, URIBL, ivmURI, DBL)... BUT... Kevin is brilliant so who knows what it might eventually become?

ALSO... There is an argument that a more-aggressive-than-normal AND low-scoring URI list may be helpful? In that sense, URIBL.com has traditionally been considered slightly more aggressive than the other lists mentioned above... SLIGHTLY! Maybe something much MORE aggressive, intended for very low scoring... would be useful? (this would be situations where bayes or checksum content filters add points to the spam score combined with such an aggressive URI list putting the message over the top... but then skipping blocking a legit message with this URI because it didn't have the other content points added and thus didn't score high enough--at least that is the idea)

But I can't help but think that SOME reading this thread haven't even tried/implemented even all the zero-cost options for the (already matured) lists I mentioned (where applicable)?

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Re: KAM pccc URIBL questions
Alex wrote on 2013-10-08 00:18:
> http://pastebin.com/UDuDcp4F

in local.cf:

def_whitelist_auth *@cvent.com

or in user-prefs:

whitelist_auth *@cvent.com

in case it's ham, just not both.

https://dmarcian.com/spf-survey/cvent.com
https://dmarcian.com/dmarc-inspector/cvent.com
KAM pccc URIBL questions
Hi guys,

I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com URIBL. Why is it designed to be a poison pill? It caught cvent.com, causing a bunch of mail to FP. I'm just curious if this URIBL is indeed this trustworthy, if these KAM rules are still used, and how it is working for you?

header KAM_FROM_URIBL_PCCC eval:check_rbl_from_host('pccc', 'multi.pccc.com.', '127.0.0.4')
describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL
tflags KAM_FROM_URIBL_PCCC net
score KAM_FROM_URIBL_PCCC 5.0
meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC + KAM_RCVD_URIBL_PCCC == 3)

Thanks,
Alex
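One way to apply Martin's low-score-plus-meta suggestion and Rob's aggressive-list-at-low-score idea to the rule Alex posted, as an added example that is not part of this thread or of KAM's rule set: the rule names KAM_FROM_URIBL_PCCC_LOW and KAM_PCCC_WITH_CONTENT are assumed names chosen here, while BAYES_95, BAYES_99, RAZOR2_CHECK, DCC_CHECK and PYZOR_CHECK are the stock SpamAssassin rule names.

```conf
# Added example, not KAM's rules. Same PCCC lookup as in Alex's post, but
# scored near zero so a listing on its own no longer pushes mail into the
# quarantine; the real points come from a meta that also needs content
# evidence (Bayes or a checksum filter), which is what Martin and Rob
# described in the thread.

# Same lookup as KAM_FROM_URIBL_PCCC, 0.01 instead of 5.0. A score of 0
# would disable the rule entirely; 0.01 keeps the rule name in
# X-Spam-Status, so the listing still shows up in the logs for checking
# overlap against URIBL_DBL or RCVD_IN_ZEN hits.
header   KAM_FROM_URIBL_PCCC_LOW  eval:check_rbl_from_host('pccc', 'multi.pccc.com.', '127.0.0.4')
describe KAM_FROM_URIBL_PCCC_LOW  From domain listed in PCCC URIBL (near-zero score, for logging and metas)
tflags   KAM_FROM_URIBL_PCCC_LOW  net
score    KAM_FROM_URIBL_PCCC_LOW  0.01

# Points are added only when the listing coincides with content evidence:
# Bayes at 95%+ or a hit from one of the checksum filters. Drop the
# checksum rules for plugins you do not run; an undefined dependency makes
# SpamAssassin warn at startup.
meta     KAM_PCCC_WITH_CONTENT    KAM_FROM_URIBL_PCCC_LOW && (BAYES_95 || BAYES_99 || RAZOR2_CHECK || DCC_CHECK || PYZOR_CHECK)
describe KAM_PCCC_WITH_CONTENT    PCCC-listed From domain plus Bayes or checksum evidence
tflags   KAM_PCCC_WITH_CONTENT    net
score    KAM_PCCC_WITH_CONTENT    4.0
```

A transactional confirmation from a listed domain that Bayes scores low and no checksum filter has seen then gets only the 0.01, while the bulk marketing that trained Bayes still goes over the top.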