Re: Blacklist for reply-to?

2018-02-21 Thread @lbutlr
On 2018-02-21 (00:20 MST), Rupert Gallagher  wrote:
> 
> Beware that companies use a legal note in their signature as advised by their 
> lawyers, and many individuals do the same, to inform the reader about laws 
> that apply regardless of where or when you are reading their note.

Mostly they lie about what their claimed rights are.

> A mail from Europe is subject to data protection. It does not matter if you 
> disagree.

It does. I am not subject to European laws on data protection.

-- 
"There's sex and death and human grime in monochrome for one thin dime
and at least the trains all run on time but they don't go anywhere."



Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
You are wrong.

Sent from ProtonMail Mobile

On Wed, Feb 21, 2018 at 00:07, @lbutlr  wrote:

> On 2018-02-20 (06:02 MST), Rupert Gallagher wrote:
> > Do you have the legal right to do so?
>
> Absolutely.
>
> No one gets to inflict a contract on me. Especially not an entirely stupid
> nonsense thing that like that piece of crap that has no legal weight whatsoever.
>
> --
> We are born naked, wet and hungry; then it's all downhill.

Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
Beware that companies use a legal note in their signature as advised by their 
lawyers, and many individuals do the same, to inform the reader about laws that 
apply regardless of where or when you are reading their note.

A mail from Europe is subject to data protection. It does not matter if you 
disagree.

R

On Wed, Feb 21, 2018 at 00:01, Reindl Harald  wrote:

> bullshit any disclaimer at the end of the message you already read is useless
> to start with - and send a message to the public with a disclaimer you can
> only read after the other content you already have read is nothing but
> idiotic as well as using accounts which add such disclaimers for mailing
> lists period
>
> On 20.02.2018 at 22:37, Rupert Gallagher wrote:
> > The matter is controversial. Lists have own defaults, who often abuse their
> > original aim of mere forwarding, especially when they redistribute from a
> > long-term archive.  On the other hand, people have own default banners for
> > all outgoing correspondence, some with explicit reference to the applicable
> > law and company policy. Sparks happen when they meet. A list's standpoint
> > may be: if you do not want to be archived, then do not post. A person's
> > standpoint may be that a mailing list standing as official publication is
> > ludicrous, while individuals have a well established human right to freedom
> > of speech. There are so many twists here that only a seasoned lawyer may
> > have tell right from wrong.
> >
> > On Tue, Feb 20, 2018 at 14:55, Reindl Harald wrote:
> >> On 20.02.2018 at 14:02, Rupert Gallagher wrote:
> >>> Do you have the legal right to do so?
> >>
> >> does the fool with the disclaimer have any legal right to define whatever
> >> terms when sending to a public mailing-list?
> >>
> >>> On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
> >>>> On 2018-02-19 (09:57 MST), Paul Stead wrote:
> >>>>> ...
> >>>>
> >>>> I reject your terms

Re: Blacklist for reply-to?

2018-02-20 Thread @lbutlr
On 2018-02-20 (06:02 MST), Rupert Gallagher  wrote:
> 
> Do you have the legal right to do so?

Absolutely.

No one gets to inflict a contract on me. Especially not an entirely stupid 
nonsense thing that like that piece of crap that has no legal weight whatsoever.

-- 
We are born naked, wet and hungry; then it's all downhill.



Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
The matter is controversial. Lists have own defaults, who often abuse their 
original aim of mere forwarding, especially when they redistribute from a 
long-term archive.  On the other hand, people have own default banners for all 
outgoing correspondence, some with explicit reference to the applicable law and 
company policy. Sparks happen when they meet. A list's standpoint may be: if 
you do not want to be archived, then do not post. A person's standpoint may be 
that a mailing list standing as official publication is ludicrous, while 
individuals have a well established human right to freedom of speech. There are 
so many twists here that only a seasoned lawyer may have tell right from wrong.

Sent from ProtonMail Mobile

On Tue, Feb 20, 2018 at 14:55, Reindl Harald  wrote:

> On 20.02.2018 at 14:02, Rupert Gallagher wrote:
> > Do you have the legal right to do so?
>
> does the fool with the disclaimer have any legal right to define whatever
> terms when sending to a public mailing-list?
>
> > On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
> >> On 2018-02-19 (09:57 MST), Paul Stead wrote:
> >>> ...
> >>
> >> I reject your terms

Re: Blacklist for reply-to?

2018-02-20 Thread Kevin A. McGrail

On 2/19/2018 7:15 PM, John Hardin wrote:
> Kevin, can that be set to advisory rather than completely killed?

Agreed.  I'll comment out the setting of the score to zero in 
nonKAMrules.cf.




Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
Do you have the legal right to do so?

On Tue, Feb 20, 2018 at 00:23, @lbutlr  wrote:

> On 2018-02-19 (09:57 MST), Paul Stead wrote:
> > ...
>
> I reject your terms.

Re: Blacklist for reply-to?

2018-02-20 Thread Daniele Duca

On 18/02/2018 21:06, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the 
> reply-to domain is always aliyun dot com. I want to add a site-wide 
> blacklist for that.

If you are willing to write a little SA plugin and possibly maintain your 
own dnsbl you can use something like this:


use Email::Address;
use Domain::PublicSuffix;
use Data::Validate::Domain qw(is_domain);  # assumed source of is_domain()

sub check_email_headers {
  my ($self, $msg) = @_;
  my %headers;
  # Collect the headers to inspect; only Reply-To here
  my $reply_to = $msg->get('Reply-To:addr');
  if (defined $reply_to) {
    $headers{"Reply-To"} = $reply_to;
  }
  my $parser = Domain::PublicSuffix->new();
  foreach my $header (keys %headers) {
    my @addresses = Email::Address->parse($headers{$header});
    for my $address (@addresses) {
      if (is_domain($address->host)) {
        # domain is in $parser->get_root_domain($address->host), you can
        # now look it up on your own dnsbl, Spamhaus DBL etc..
      }
    }
  }
  return 0;
}

I personally also check the domain in the body From, useful for example 
to catch legit abused accounts that have the return-path set as the 
abused account but the body From set differently.


Also, the "image editing" spam is almost all caught by the MSBL 
(https://msbl.org/) , take a look at that bl and their plugin for more 
inspiration


Daniele Duca
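
The plugin idea sketched above, carried through to the DNSBL lookup, as an added example (not Daniele Duca's code and not part of SpamAssassin). The package name ReplyToDBL, the eval name check_replyto_dbl, the rule name LOCAL_REPLYTO_DBL, the file path and the zone dbl.example.org are hypothetical, and the blocking Net::DNS query is a simplification for brevity.

```perl
package ReplyToDBL;   # hypothetical plugin name, not an existing SpamAssassin module
use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Domain::PublicSuffix;
use Data::Validate::Domain qw(is_domain);
use Net::DNS;
our @ISA = qw(Mail::SpamAssassin::Plugin);

# Assumed local configuration (all names and the zone are placeholders):
#   loadplugin ReplyToDBL /etc/mail/spamassassin/ReplyToDBL.pm
#   header   LOCAL_REPLYTO_DBL eval:check_replyto_dbl('dbl.example.org')
#   describe LOCAL_REPLYTO_DBL Reply-To domain is listed in a domain blocklist
#   score    LOCAL_REPLYTO_DBL 3.0

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  $self->register_eval_rule('check_replyto_dbl');
  $self->{suffix}   = Domain::PublicSuffix->new();
  $self->{resolver} = Net::DNS::Resolver->new(udp_timeout => 3, retry => 1);
  return $self;
}

# Eval rule: true when the registrable domain of Reply-To is listed in $zone.
sub check_replyto_dbl {
  my ($self, $pms, $zone) = @_;
  return 0 unless defined $zone && length $zone;

  # ':addr' already yields a bare address, so no address parser is needed
  my $addr = $pms->get('Reply-To:addr');
  return 0 unless defined $addr && length $addr;

  my ($host) = lc($addr) =~ /\@([^\@\s]+?)\.?$/;
  return 0 unless defined $host && is_domain($host);

  # Reduce mail.sub.example.co.uk to example.co.uk before querying
  my $root = $self->{suffix}->get_root_domain($host);
  return 0 unless defined $root;

  return $self->_listed("$root.$zone");
}

sub _listed {
  my ($self, $qname) = @_;
  # undef covers NXDOMAIN (not listed) as well as timeouts: fail open
  my $reply = $self->{resolver}->query($qname, 'A') or return 0;
  for my $rr ($reply->answer) {
    next unless $rr->type eq 'A';
    my $ip = $rr->address;
    # Listings answer inside 127.0.0.0/8; 127.255.255.x is how Spamhaus
    # signals a query error (blocked resolver, over quota), not a listing.
    return 1 if $ip =~ /^127\./ && $ip !~ /^127\.255\.255\./;
  }
  return 0;
}

1;
```

Treating any A record as a hit is the usual mistake with domain blocklists: an error answer would then mark every Reply-To domain as listed.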


Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Alex wrote:

> Hi,
>
> On Mon, Feb 19, 2018 at 3:20 PM, John Hardin wrote:
>> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>>
>>> Whatever you do, just do not ask others to blacklist Alibaba
>>
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> Perhaps just bump the score for that locally?
>
> KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
> that rule for me. Perhaps he doesn't know the rule was removed or
> otherwise handled?
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561
>
> Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
> SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
> score
>
> Is there anything further that needs to be done wrt this rule, or does
> it now just work as expected?
>
> He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
> affecting by FORGED_YAHOO_RCVD.

Kevin, can that be set to advisory rather than completely killed?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 63 more days working to pay your (average) annual US tax bill
 before you're finally working for yourself.


Re: Blacklist for reply-to?

2018-02-19 Thread Alex
Hi,

On Mon, Feb 19, 2018 at 3:20 PM, John Hardin  wrote:
> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>
>> Whatever you do, just do not ask others to blacklist Alibaba
>
>
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> Perhaps just bump the score for that locally?

KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
that rule for me. Perhaps he doesn't know the rule was removed or
otherwise handled?
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561

Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
score

Is there anything further that needs to be done wrt this rule, or does
it now just work as expected?

He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
affecting by FORGED_YAHOO_RCVD.


Re: Blacklist for reply-to?

2018-02-19 Thread @lbutlr
On 2018-02-19 (09:57 MST), Paul Stead  wrote:
> 
> This message is private and confidential. If you have received this message 
> in error, please notify us and remove it from your system.
> 
> Zen Internet Limited may monitor email traffic data to manage billing, to 
> handle customer enquiries and for the prevention and detection of fraud. We 
> may also monitor the content of emails sent to and/or from Zen Internet 
> Limited for the purposes of security, staff training and to monitor quality 
> of service.

I reject your terms.

-- 
Rid yourself of doubt -- or should you? -George Carlin



Re: Blacklist for reply-to?

2018-02-19 Thread Benny Pedersen

David Jones wrote on 2018-02-19 22:35:

> https://bz.apache.org/SpamAssassin
>
> I have added a few domains over the past few months but my mail flow
> isn't going to see many of the problem domains outside of the US like
> those listed above.


https://www.google.dk/search?q=github+freemail

seems all is freemail ?

would adding more freemail domains give a better detection of spam ?


Re: Blacklist for reply-to?

2018-02-19 Thread David Jones

On 02/19/2018 03:19 PM, John Hardin wrote:
> On Mon, 19 Feb 2018, Kenneth Porter wrote:
>
>> On 2/19/2018 12:20 PM, John Hardin wrote:
>>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> No, not seeing that one. After enough training I eventually see it 
>> land in Bayes. The RBLs are starting to flag it.
>>
>> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>>     FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>>
>> The subject and body are offering "image editing".
>
> I get *tons* of those.
>
> I'm wondering whether the freemail list is a bit stale, I'm seeing from 
> addresses in .jp domains that look like they might be freemail...
>
>  jmail.co.jp
>  ezweb.ne.jp
>
> Are these freemail?
>
>  o2online.de
>  wanadoo.fr



The "freemail" domains also include domains that are commonly abused 
according to 20_freemail_domains.cf.  Anyone wanting to get some domains 
added should open up a SpamAssassin Bugzilla:


https://bz.apache.org/SpamAssassin

I have added a few domains over the past few months but my mail flow 
isn't going to see many of the problem domains outside of the US like 
those listed above.


--
David Jones


Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Kenneth Porter wrote:

> On 2/19/2018 12:20 PM, John Hardin wrote:
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> No, not seeing that one. After enough training I eventually see it land in 
> Bayes. The RBLs are starting to flag it.
>
> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>     FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>
> The subject and body are offering "image editing".

I get *tons* of those.

I'm wondering whether the freemail list is a bit stale, I'm seeing from 
addresses in .jp domains that look like they might be freemail...

 jmail.co.jp
 ezweb.ne.jp

Are these freemail?

 o2online.de
 wanadoo.fr


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People think they're trading chaos for order [by ceding more and
  more power to the Government], but they're just trading normal
  human evil for the really dangerous organized kind of evil, the
  kind that simply does not give a shit. Only bureaucrats can give
  you true evil. -- Larry Correia
---
 3 days until George Washington's 286th Birthday

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter

On 2/19/2018 12:20 PM, John Hardin wrote:
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?

No, not seeing that one. After enough training I eventually see it land 
in Bayes. The RBLs are starting to flag it.


X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
    FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1

The subject and body are offering "image editing". The From is forged. 
But the Reply-to is consistent.




Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Rupert Gallagher wrote:

> Whatever you do, just do not ask others to blacklist Alibaba

Are those getting hits on SPOOFED_FREEM_REPTO_CHN?

Perhaps just bump the score for that locally?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...much of our country's counterterrorism security spending is not
  designed to protect us from the terrorists, but instead to protect
  our public officials from criticism when another attack occurs.
-- Bruce Schneier
---
 3 days until George Washington's 286th Birthday


Re: Blacklist for reply-to?

2018-02-19 Thread Rupert Gallagher
I wanted you to see your proposed solution from a different point of view, and 
I thought the quiz was spot on. As a number of you fell into the trap head 
first, I am now horrified. Whatever you do, just do not ask others to blacklist 
Alibaba, and do not blacklist yourself.

Sent from ProtonMail Mobile

On Mon, Feb 19, 2018 at 10:00, Kenneth Porter  wrote:

> On 2/18/2018 5:09 PM, Antony Stone wrote:
>
>> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>>
>>> Question time! You receive spam with a reply-to your own address. What do
>>> you do?
>>
>> I take it that this is now a rather different question that the one you
>> originally asked in this thread, where the reply-to address was clearly not
>> your own?
>
> I have no clue what Rupert is on about. I just want something like 
> blacklist_from that uses the reply-to header. I thought it was a simple 
> technical question about how the config file directives map onto the actual 
> headers. I'm not asking for site policy.

Re: Blacklist for reply-to?

2018-02-19 Thread Paul Stead
I have a BZ raised for reply-to blacklist checking:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354

On 19/02/2018, 15:05, "Kevin A. McGrail" wrote:

> On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> > Is there a blacklist for domains in the reply-to header?
> >
> > I've noticed a lot of spam with no URL and mutating From but the
> > reply-to domain is always aliyun dot com. I want to add a site-wide
> > blacklist for that.
>
> To my knowledge it doesn't exist.  I documented it as an idea for GSOC
> at https://issues.apache.org/jira/browse/COMDEV-263
>
> Regards,
> KAM



--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards

This message is private and confidential. If you have received this message in 
error, please notify us and remove it from your system.

Zen Internet Limited may monitor email traffic data to manage billing, to 
handle customer enquiries and for the prevention and detection of fraud. We may 
also monitor the content of emails sent to and/or from Zen Internet Limited for 
the purposes of security, staff training and to monitor quality of service.

Zen Internet Limited is registered in England and Wales, Sandbrook Park, 
Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01


Re: Blacklist for reply-to?

2018-02-19 Thread Kevin A. McGrail

On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the 
> reply-to domain is always aliyun dot com. I want to add a site-wide 
> blacklist for that.

To my knowledge it doesn't exist.  I documented it as an idea for GSOC 
at https://issues.apache.org/jira/browse/COMDEV-263



Regards,
KAM



Re: Blacklist for reply-to?

2018-02-19 Thread Daniele Duca

On 19/02/2018 10:00, Kenneth Porter wrote:
> I have no clue what Rupert is on about. I just want something like 
> blacklist_from that uses the reply-to header. I thought it was a 
> simple technical question about how the config file directives map 
> onto the actual headers. I'm not asking for site policy.

Maybe something like this?

header REPLYTO_KILLER reply-to =~ /@domain\.that\.you\.want\.blacklisted/
score  REPLYTO_KILLER 1000



Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter

On 2/18/2018 5:09 PM, Antony Stone wrote:
> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
>
> I take it that this is now a rather different question that the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?

I have no clue what Rupert is on about. I just want something like 
blacklist_from that uses the reply-to header. I thought it was a simple 
technical question about how the config file directives map onto the 
actual headers. I'm not asking for site policy.




Re: Blacklist for reply-to?

2018-02-18 Thread Rupert Gallagher
You need coffee...

Sent from ProtonMail Mobile

On Mon, Feb 19, 2018 at 02:09, Antony Stone wrote:

> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>
> > Question time! You receive spam with a reply-to your own address. What do
> > you do?
>
> I take it that this is now a rather different question that the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?
>
> > A: you blacklist your own address
>
> Is there any reason why inbound mail should have your own address (and, by
> the way, do you mean address, or domain?) as the reply-to?
>
> For some people yes, for others, no. Your experience may not be standard.
>
> > B: you ask around to do A for you
>
> I'm not sure what that means.
>
> > C: you ask for advice
>
> Good idea; let's see what other replies you get.
>
> Antony.
>
> --
> "I estimate there's a world market for about five computers."
>  - Thomas J Watson, Chairman of IBM
>
> Please reply to the list; please *don't* CC me.

Re: Blacklist for reply-to?

2018-02-18 Thread Benny Pedersen

Antony Stone wrote on 2018-02-19 02:09:

>> C: you ask for advice
>
> Good idea; let's see what other replies you get.


i hate mondays :=)


Re: Blacklist for reply-to?

2018-02-18 Thread Antony Stone
On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:

> Question time! You receive spam with a reply-to your own address. What do
> you do?

I take it that this is now a rather different question that the one you 
originally asked in this thread, where the reply-to address was clearly not 
your own?

> A: you blacklist your own address

Is there any reason why inbound mail should have your own address (and, by the 
way, do you mean address, or domain?) as the reply-to?

For some people yes, for others, no.  Your experience may not be standard.

> B: you ask around to do A for you

I'm not sure what that means.

> C: you ask for advice

Good idea; let's see what other replies you get.


Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

   Please reply to the list;
 please *don't* CC me.


Re: Blacklist for reply-to?

2018-02-18 Thread Rupert Gallagher
Question time! You receive spam with a reply-to your own address. What do you 
do?

A: you blacklist your own address
B: you ask around to do A for you
C: you ask for advice

Sent from ProtonMail Mobile

On Sun, Feb 18, 2018 at 22:39, Kenneth Porter  wrote:

> --On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher wrote:
> > It is not spam. You get it if you have an account with alibaba. Just
> > configure it.
>
> These emails are addressed to many of my web-page-only addresses that
> I've never used to sign up for anything. They're clearly unsolicited.

Re: Blacklist for reply-to?

2018-02-18 Thread Benny Pedersen

Kenneth Porter wrote on 2018-02-18 22:39:

> These emails are addressed to many of my web-page-only addresses that
> I've never used to sign up for anything. They're clearly unsolicited.

blacklist_to *@spamtrap.example.org in replyto

force bayes learn on user in blacklist

maybe use blacklist_from as well, i can't remember if one or both is 
needed


Re: Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter
--On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher wrote:

> It is not spam. You get it if you have an account with alibaba. Just
> configure it.

These emails are addressed to many of my web-page-only addresses that I've 
never used to sign up for anything. They're clearly unsolicited. 


Re: Blacklist for reply-to?

2018-02-18 Thread Rupert Gallagher
It is not spam. You get it if you have an account with alibaba. Just configure 
it.

Sent from ProtonMail Mobile

On Sun, Feb 18, 2018 at 21:06, Kenneth Porter  wrote:

> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the reply-to
> domain is always aliyun dot com. I want to add a site-wide blacklist for that.

Re: Blacklist for reply-to?

2018-02-18 Thread Rob McEwen

On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the 
> reply-to domain is always aliyun dot com. I want to add a site-wide 
> blacklist for that.

http://msbl.org

(I'm not associated with this. Also, it is very high quality and 
well-run! It should at least make a noticeable improvement, even if it 
doesn't catch all of them.)


--
Rob McEwen
https://www.invaluement.com