Re: Bitcoin update

2018-10-05 Thread John Hardin

On Fri, 5 Oct 2018, Zinski, Steve wrote:

> Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>
> body  __BTC1  /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
> body  __BTC2  /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
> body  __BTC3  /\b\W*b\W*t\W*c\W*\b/i
> body  __BTC4  /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
> meta  LOCAL_BITCOIN  ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
> score LOCAL_BITCOIN  10.0
>
> Works like a charm in my environment.

To clarify: I added a rule for general obfuscation using the zero-width
Unicode glyph. It's not bitcoin-specific.

With your permission I can add that to my sandbox and see how it does in
masscheck.

> On 10/5/18, 10:54 AM, "John Hardin" wrote:
>
>    On Fri, 5 Oct 2018, Pedro David Marco wrote:
>
>    > > On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail wrote:
>    > > Interesting.  Any chance for an unmodified pastebin spample?
>    >
>    > Yes please Joseph... any chance for it, please?  We are hungry...
>
>    Test rule checked into my sandbox last night...
>
>    Initial results aren't too promising.

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the place of government to make right every tragedy and
  woe that befalls every resident of the nation.
---
 554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

2018-10-05 Thread John Hardin

On Fri, 5 Oct 2018, Pedro David Marco wrote:

> > On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail wrote:
> > Interesting.  Any chance for an unmodified pastebin spample?
>
> Yes please Joseph... any chance for it, please?  We are hungry...


Test rule checked into my sandbox last night...

Initial results aren't too promising.

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

2018-10-05 Thread sebast...@debianfan.de

https://pastebin.com/TRD7FzRQ

I have a sample here

On 05.10.2018 at 19:50, Zinski, Steve wrote:

> Yes, absolutely.
>
> On 10/5/18, 1:42 PM, "John Hardin" wrote:
>
>    On Fri, 5 Oct 2018, Zinski, Steve wrote:
>
>    > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>    >
>    > body  __BTC1  /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
>    > body  __BTC2  /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
>    > body  __BTC3  /\b\W*b\W*t\W*c\W*\b/i
>    > body  __BTC4  /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
>    > meta  LOCAL_BITCOIN  ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
>    > score LOCAL_BITCOIN  10.0
>    >
>    > Works like a charm in my environment.
>
>    To clarify: I added a rule for general obfuscation using the zero-width
>    Unicode glyph. It's not bitcoin-specific.
>
>    With your permission I can add that to my sandbox and see how it does in
>    masscheck.
>
>    > On 10/5/18, 10:54 AM, "John Hardin" wrote:
>    >
>    >    On Fri, 5 Oct 2018, Pedro David Marco wrote:
>    >
>    >    > > On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail wrote:
>    >    > > Interesting.  Any chance for an unmodified pastebin spample?
>    >    >
>    >    > Yes please Joseph... any chance for it, please?  We are hungry...
>    >
>    >    Test rule checked into my sandbox last night...
>    >
>    >    Initial results aren't too promising.



Re: Bitcoin update

2018-10-05 Thread Zinski, Steve
Yes, absolutely.


On 10/5/18, 1:42 PM, "John Hardin" wrote:

> On Fri, 5 Oct 2018, Zinski, Steve wrote:
>
> > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
> >
> > body  __BTC1  /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
> > body  __BTC2  /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
> > body  __BTC3  /\b\W*b\W*t\W*c\W*\b/i
> > body  __BTC4  /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
> > meta  LOCAL_BITCOIN  ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
> > score LOCAL_BITCOIN  10.0
> >
> > Works like a charm in my environment.
>
> To clarify: I added a rule for general obfuscation using the zero-width
> Unicode glyph. It's not bitcoin-specific.
>
> With your permission I can add that to my sandbox and see how it does in
> masscheck.
>
> > On 10/5/18, 10:54 AM, "John Hardin" wrote:
> >
> >    On Fri, 5 Oct 2018, Pedro David Marco wrote:
> >
> >    > > On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail wrote:
> >    > > Interesting.  Any chance for an unmodified pastebin spample?
> >    >
> >    > Yes please Joseph... any chance for it, please?  We are hungry...
> >
> >    Test rule checked into my sandbox last night...
> >
> >    Initial results aren't too promising.




Re: Bitcoin update

2018-10-05 Thread Zinski, Steve
Here's how I'm blocking bitcoin emails with Unicode characters embedded:

body  __BTC1  /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body  __BTC2  /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body  __BTC3  /\b\W*b\W*t\W*c\W*\b/i
body  __BTC4  /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta  LOCAL_BITCOIN  ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score LOCAL_BITCOIN  10.0

Works like a charm in my environment.



On 10/5/18, 10:54 AM, "John Hardin" wrote:

> On Fri, 5 Oct 2018, Pedro David Marco wrote:
>
> > > On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail wrote:
> > > Interesting.  Any chance for an unmodified pastebin spample?
> >
> > Yes please Joseph... any chance for it, please?  We are hungry...
>
> Test rule checked into my sandbox last night...
>
> Initial results aren't too promising.




Reporting gmail spam/fraud/phishing

2018-10-05 Thread John Hardin

Folks:

It looks like Google is trying to kill off gmail-ab...@google.com again.

Does anybody have a gmail abuse mailbox address that actually works (i.e. 
that Google actually reads, in addition to merely being deliverable)?


A webform is *not* an acceptable alternative.

"Don't Be Evil." Bah.


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the place of government to make right every tragedy and
  woe that befalls every resident of the nation.
---
 554 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Bitcoin update

2018-10-05 Thread John Hardin

On Fri, 5 Oct 2018, sebast...@debianfan.de wrote:

> https://pastebin.com/TRD7FzRQ
>
> I have a sample here


There doesn't appear to be any obfuscation (apart from the email address) 
in that message...


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Running away is the coward's way out of a war;
  appeasement is the coward's way into a war.   -- Thorax
---
 554 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Bitcoin update

2018-10-05 Thread Rupert Gallagher
> https://pastebin.com/TRD7FzRQ

> I have a sample here

There are at least three reasons to reject that e-mail upfront, with no need to 
parse its body.

Re: Bitcoin update

2018-10-05 Thread David Jones
On 10/5/18 4:38 PM, Antony Stone wrote:
> On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:
> 
>>> https://pastebin.com/TRD7FzRQ
>>>
>>> I have a sample here
>>
>> There are at least three reasons to reject that e-mail upfront, with no
>> need to parse its body.
> 
> Hints might be appreciated for the uninitiated.
> 
> 
> Antony.
> 
> 
> PS: Please do NOT set Reply-To to your own address on list postings.
> 

Are you doing any RBLs at the MTA?  This thing looks really bad and 
would never have made it past my Postfix postscreen_dnsbl_sites list.

 http://multirbl.valli.org/lookup/114.46.223.46.html

If it had made it to SpamAssassin, here's what my rules would have scored:

Content analysis details:   (29.8 points, 5.0 required)

 pts rule name                 description
---- ------------------------- ------------------------------------------------
 5.2 BAYES_99                  BODY: Bayes spam probability is 99 to 100%
                               [score: 1.]
 3.2 BAYES_999                 BODY: Bayes spam probability is 99.9 to 100%
                               [score: 1.]
 0.5 FROM_DOMAIN_NOVOWEL       From: domain has series of non-vowel letters
 1.5 CK_HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
 0.2 CK_HELO_GENERIC           Relay used name indicative of a Dynamic Pool or
                               Generic rPTR
 1.9 DATE_IN_FUTURE_06_12      Date: is 6 to 12 hours after Received: date
 3.2 DCC_CHECK                 Detected as bulk mail by DCC (dcc-servers.net)
 0.1 FROM_EQUALS_TO            From: and To: have the same username
 0.0 KHOP_DYNAMIC              Relay looks like a dynamic address
 3.6 HELO_DYNAMIC_IPADDR2      Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 RDNS_DYNAMIC              Delivered to internal network by host with
                               dynamic-looking rDNS
 2.2 ENA_RELAY_NOT_US          Relayed from outside the US and not on whitelists
 0.1 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                               (FTSDMCXX/boundary variant) + direct-to-MX
 2.0 MIMEOLE_DIRECT_TO_MX      MIMEOLE + direct-to-MX
 2.5 DOS_OE_TO_MX              Delivered direct to MX with OE headers
 2.5 NO_FM_NAME_IP_HOSTN       No From name + hostname using IP address
 0.0 ENA_BAD_SPAM              Spam hitting really bad rules.


-- 
David Jones


Re: Reporting gmail spam/fraud/phishing

2018-10-05 Thread Benny Pedersen

John Hardin wrote on 2018-10-05 19:45:

> It looks like Google is trying to kill off gmail-ab...@google.com
> again.

abuse@ ignorants?


Re: Bitcoin update

2018-10-05 Thread Antony Stone
On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:

> > https://pastebin.com/TRD7FzRQ
> > 
> > I have a sample here
> 
> There are at least three reasons to reject that e-mail upfront, with no
> need to parse its body.

Hints might be appreciated for the uninitiated.


Antony.


PS: Please do NOT set Reply-To to your own address on list postings.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.


Re: Bitcoin update

2018-10-05 Thread John Hardin

On Fri, 5 Oct 2018, Zinski, Steve wrote:

> Yes, absolutely.

OK, cleaned up a bit and checked in. We'll see what masscheck thinks...

> On 10/5/18, 1:42 PM, "John Hardin" wrote:
>
>    On Fri, 5 Oct 2018, Zinski, Steve wrote:
>
>    > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>    >
>    > body  __BTC1  /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
>    > body  __BTC2  /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
>    > body  __BTC3  /\b\W*b\W*t\W*c\W*\b/i
>    > body  __BTC4  /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
>    > meta  LOCAL_BITCOIN  ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
>    > score LOCAL_BITCOIN  10.0
>    >
>    > Works like a charm in my environment.
>
>    To clarify: I added a rule for general obfuscation using the zero-width
>    Unicode glyph. It's not bitcoin-specific.
>
>    With your permission I can add that to my sandbox and see how it does in
>    masscheck.


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Venezuela is busy reaping the benefits of Socialism:
  in one year 75% of the population has, on average, lost 19 pounds
  due to insufficient food, and 82% of households are below the
  poverty line. (2016 Venezuelan "Living Conditions Survey")
---
 554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

2018-10-05 Thread Pedro David Marco
> On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail wrote:
> Interesting.  Any chance for an unmodified pastebin spample?

Yes please Joseph... any chance for it, please?  We are hungry...

---
PedroD

Re: spamassassin-3.4.2 and reload command

2018-10-05 Thread Vlad Shpolyanskiy
sa-spamd.sa-spamd
  
Just in case, I have attached the FreeBSD script.
Maybe you are right, I posted to the wrong place; I should address this to
the FreeBSD port maintainer.





Re: spamassassin-3.4.2 and reload command

2018-10-05 Thread Kevin A. McGrail
On 10/5/2018 4:22 AM, Vlad Shpolyanskiy wrote:
> sa-spamd.sa-spamd
>   
> Just in case, I have attached the FreeBSD script.
> Maybe you are right, I posted to the wrong place; I should address this to
> the FreeBSD port maintainer.
>
I would talk to the FreeBSD port maintainer.  That script is not all the
guts of how their system works and I'm not familiar with it.  I would
point out that one bug on the process name change.  I'd bet it has
something to do with it based on other distros.

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171