Hello Experts,
for around 9 weeks I have been getting bombed on my e-mails linux4michelle and
michelle.konzack by crappy From: spams. Here are some examples from my
log:
[ '~/.tdtools-procmail/FLT_weird_From.hits' ]---
1275237458:DirectBuylW[P^h4TWXMQ_OOQUI
On Sun, 2010-07-11 at 12:49 +0200, Michelle Konzack wrote:
Hello Experts,
for around 9 weeks I have been getting bombed on my e-mails linux4michelle and
michelle.konzack by crappy From: spams. Here are some examples from my
log:
[garbled address samples snipped]
but I want to do the scanning in
On Sun, 2010-07-11 at 15:53 +0100, Cedric Knight wrote:
[nothing but 3 spam samples attached]
Uhm, dude!? I hope that was an accidental address auto-completion. Do
NOT send spam samples to the list.
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char
On Sun 11 Jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
Uhm, dude!? I hope that was an accidental address auto-completion. Do
NOT send spam samples to the list.
spam? Here clamav sees it as a virus
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Hello Karsten Bräckelmann,
On 2010-07-11 16:21:49, you hacked down the following:
Didn't have sufficient caffeine yet, and I am too lazy to go through
that procmail logic in detail -- but looking at the samples, you want to
identify junk chars in the From: header?
Yes
Well, what about a
On Sun, 2010-07-11 at 17:17 +0200, Benny Pedersen wrote:
On Sun 11 Jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
Uhm, dude!? I hope that was an accidental address auto-completion. Do
NOT send spam samples to the list.
spam? Here clamav sees it as a virus
Yes, spam. If the included
On Sun, 2010-07-11 at 17:35 +0200, Michelle Konzack wrote:
Didn't have sufficient caffeine yet, and I am too lazy to go through
that procmail logic in detail -- but looking at the samples, you want to
identify junk chars in the From: header?
Yes
Well, what about a header From rule,
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
On Sun, 2010-07-11 at 17:35 +0200, Michelle Konzack wrote:
Didn't have sufficient caffeine yet, and I am too lazy to go through
that procmail logic in detail -- but looking at the samples, you want to
identify junk chars in the From: header?
On 11.7.2010 5:40, Chris wrote:
I upgraded to Mandriva 2010.1 yesterday. I was already running SA 3.3.0
and AFAICT that didn't change. What did change are log entries. I'm now
seeing entries like this:
rhost=localhost,raddr=127.0.0.1,
On Sun, 2010-07-11 at 19:57 +0300, Jari Fredriksson wrote:
On 11.7.2010 5:40, Chris wrote:
I upgraded to Mandriva 2010.1 yesterday. I was already running SA 3.3.0
and AFAICT that didn't change. What did change are log entries. I'm now
seeing entries like this:
On Sun 11 Jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
No malware payload. Not a virus. One's a phish, though. Let me guess,
clamav third-party signatures triggered on the URIs for you?
using safebrowsing sigs from google
Anyway. The distinction between spam and phish was not my point.
On Sun, 2010-07-11 at 19:50 +0200, Benny Pedersen wrote:
On Sun 11 Jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
Anyway. The distinction between spam and phish was not my point. Neither
was it, whether spammed URI clamav third-party signatures match on
them just like URIBL and SURBL
Hello John Hardin,
On 2010-07-11 08:57:39, you hacked down the following:
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
What about providing some raw From: headers then?
+1 We need to see the headers.
Cut the serialnumber at the beginning up to the first : and you have it.
The From:
Hello John Hardin,
On 2010-07-11 08:57:39, you hacked down the following:
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
What about providing some raw From: headers then?
+1 We need to see the headers.
[ STDIN ]---
From
On 11/07/10 23:06, Michelle Konzack wrote:
Hello John Hardin,
On 2010-07-11 08:57:39, you hacked down the following:
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
What about providing some raw From: headers then?
+1 We need to see the headers.
[ STDIN
On Sun, 2010-07-11 at 23:59 +0200, Michelle Konzack wrote:
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
What about providing some raw From: headers then?
Cut the serialnumber at the beginning up to the first : and you have it.
The From: E-Mails are exactly as shown.
Nope.
They are
On Mon, 2010-07-12 at 00:06 +0200, Michelle Konzack wrote:
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
What about providing some raw From: headers then?
From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
Return-Path: coupond...@perezcentral.com
Err, didn't you say you don't
On Mon, 12 Jul 2010, Michelle Konzack wrote:
[ STDIN ]---
From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
Return-Path: coupond...@perezcentral.com
Delivered-To: linux4miche...@tamay-dogan.net
Received: from
On Sun, 2010-07-11 at 18:22 -0500, Dave Funk wrote:
Rough first pass SA rule:
header T_FROM_CRAP1 From:addr =~ /[`\^:\]\[,?/]/
^ ^ ^
Breaks. You either need to backslash escape the slash inside the RE, or
use alternative match-operator
Hello Ned Slider,
On 2010-07-11 23:38:50, you hacked down the following:
For me, that would be caught by dbl.spamhaus.org as a blacklisted
sender domain during the smtp connection.
Is this not included in zen?
$ nslookup perezcentral.com.dbl.spamhaus.org
Non-authoritative answer:
Name:
On Mon, 2010-07-12 at 01:37 +0200, Michelle Konzack wrote:
For me, that would be caught by dbl.spamhaus.org as a blacklisted
sender domain during the smtp connection.
Is this not included in zen?
ZEN lists the handing-over IP (XBL, PBL) or any Received IP for deep-
parsing (SBL). This is
On 12/07/10 00:37, Michelle Konzack wrote:
Hello Ned Slider,
On 2010-07-11 23:38:50, you hacked down the following:
For me, that would be caught by dbl.spamhaus.org as a blacklisted
sender domain during the smtp connection.
Is this not included in zen?
No, it's a separate list purely for
On Mon, 2010-07-12 at 00:52 +0100, Ned Slider wrote:
On 12/07/10 00:37, Michelle Konzack wrote:
For me, that would be caught by dbl.spamhaus.org as a blacklisted
sender domain during the smtp connection.
Is this not included in zen?
No, it's a separate list purely for domains, not
23 matches