Smith, actually. So far right that he went
around the dial and wanted to defund police.
Joseph Brennan
r user because it's so regular and so varied in terms of
> >> the types of requests, but all appear legitimate.
> >
> > We've seen this too now and then. A few customers got 20k+.
> >
> > It's more in the nature of very annoying mischief, although it could be
> > a targeted attack.
> >
> > -kgd
> >
>
>
--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
this thing.
--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
olleyes}
>
> One should do something useful with their life or family, I suggest ignoring
> this game of whackamole unless it takes few minutes. :-D It's pointless to
> try adding all combinations in _advance_, since all this is extremely simple
> to bypass with random typos and whitespaces and whatever chars..
>
--
Joseph Brennan
Lead, Email and Systems Applications
receive several marketing emails from chimpmail. I've tried adding the
> from email address to the blackfrom_list, but that does not block
> chimpmail. How can a person block these?
>
> Thank you.
>
> Daryl
>
>
>
--
Joseph Brennan
Lead, Email and Systems Applications
much else there.
--
Joseph Brennan
Lead, Email and Systems Applications
as writing about.
--
Joseph Brennan
Lead, Email and Systems Applications
RS_LCASE strikes me as very different and much more
likely to be faked mail. I don't know of any freemail providers that write
header names in all lower case. A check against the corpus obviously needs
to back up my guess but I think I'm right.
--
Joseph Brennan
Lead, Email and Systems Applications
> there really are!
>
>
>
> --
> Joseph Brennan
> Lead, Email and Systems Applications
>
>
>
--
Joseph Brennan
Lead, Email and Systems Applications
Yes, replying to myself.
It just occurred to me that we refuse mail from hosts in the Spamhaus
lists, so messages from those don't get analyzed by spamassassin. The
50,000 I mentioned is how many were NOT caught that way. I wonder how many
there really are!
--
Joseph Brennan
Lead, Email
On Thu, Jun 13, 2019 at 3:01 PM Antony Stone <antony.st...@spamassassin.open.source.it> wrote:
> On Thursday 13 June 2019 at 17:45:02, Joseph Brennan wrote:
>
> > We've been refusing mail based on this stupid error for a year and a half
> > (local rule) and no fals
that the spammer does not send on Sundays. I agree that many of them
hit no other rule.
--
Joseph Brennan
Lead, Email and Systems Applications
://pastebin.com/p6xaWcA7
Joseph Brennan
Columbia U
not have a good copy of the body yet, and do not know what rules it
already hits. If anyone else here got these maybe you can beat me to
getting a sample.
I'll send more later if I get more information.
--
Joseph Brennan
Lead, Email and Systems Applications
a lost art.
This might affect scoring of the MISSING_HEADERS rule eventually. (Despite
the name it seems to mean only a missing "To" header.)
--
Joseph Brennan
Lead, Email and Systems Applications
.
If this spam technique spreads I still think it would be worth some score.
A broader rule would look for an ISO encoding of the same Arabic no-space
character between non-Arabic characters.
Joseph Brennan
Columbia U I T
been done and I've missed it?
Joseph Brennan
Columbia U I T
On Mon, Nov 19, 2018 at 11:49 AM Mark London wrote:
> On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote:
> > I ran it as-is, and it scored poorly.
> > After I manually de-borked the header
KHOP_DYNAMIC hits on hostnames like mx0b-00145802.pphosted.com. Proofpoint
addresses are always mail servers, not dynamic end-user lines.
--
Joseph Brennan
Lead, Email and Systems Applications
n; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=
=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=
i=9Dls:
Joseph Brennan
Columbia U I T
commonly the Subject contains what should have
been the message body.
--
Joseph Brennan
Lead, Email and Systems Applications
e seen
hosts in these blocks, below. Yesterday was 23.95.197 and 104.234.218.
Joseph Brennan
Columbia University I T
23.94.138
23.94.165
23.95.197
23.95.200
45.65.16
46.102.117
46.166.186
63.143.38
64.186.14
66.70.254
67.214.188
69.195.136
74.63.251
74.80.147
76.164.198
84.247.12
85.17.31
104.1
he is
blocking for violating RFC 822.
He can say he is blocking because he wants mail to have a To header. He can
block because a subject line contains the letter Z if he wants to. That is
a different line of argument than calling an RFC violation.
-- Joseph Brennan
ld is To, then
To must contain an address.
In section 4.5.3 it states that Bcc contents are not included in copies
sent, which leaves a transmitted message with just Date and From, the state
which the plaintiff claims is not compliant.
-- Joseph Brennan
out
the PTR fail. I have not had a chance yet to test this out in real mail
flow to see how close it comes to being something good enough to reject
mail.
Joseph Brennan
Ted Mittelstaedt <t...@ipinc.net> wrote:
I have noticed that spam tracks current events.
We've had a run of spam recently with a teaser subject that Megyn Kelly
might q uit Fox news. That's a little less than current!
Joseph Brennan
has a SPF record with too many DNS lookups.
Are you willing to block that? That one amazes me since SPF is the simplest
of these ventures to implement correctly, and since the Times's frequent
mailings of news updates evidently are not affected enough by SPF fail for
the Times to go fix it.
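The "too many DNS lookups" failure mentioned above is the RFC 7208 limit of ten DNS-querying terms per SPF evaluation; exceeding it is a permerror, so the record fails for everyone regardless of which server sent the mail. As an added example (not from the list post, and not a complete resolver), this counts the lookup terms in one record. The records are constructed under the reserved .example TLD.

```python
import re

# RFC 7208 section 4.6.4: the mechanisms include, a, mx, ptr and exists and
# the redirect modifier each cost a DNS query, and one check_host()
# evaluation may spend at most 10 of them. Going over is a permerror.
SPF_LOOKUP_LIMIT = 10

# Optional qualifier, then a counted mechanism name, terminated by ':' or '/'
# or end of term (so 'all' and 'ip4:' are not mistaken for 'a').
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.IGNORECASE)


def spf_lookup_terms(record: str) -> list:
    """Return the terms in one SPF record that each consume a DNS lookup.
    Only the given record is inspected; every include:/redirect= target adds
    its own terms when resolved, so the real total can only be higher."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return [t for t in terms[1:] if LOOKUP_TERM.match(t)]


def exceeds_lookup_limit(record: str) -> bool:
    return len(spf_lookup_terms(record)) > SPF_LOOKUP_LIMIT


# Constructed records. Nine vendor includes plus 'mx' and 'a' is eleven
# lookups before any include target is even fetched.
TOO_MANY = ("v=spf1 "
            + " ".join("include:_spf.vendor%d.example" % i for i in range(1, 10))
            + " mx a -all")
FINE = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.vendor1.example -all"

if __name__ == "__main__":
    for rec in (TOO_MANY, FINE):
        print(len(spf_lookup_terms(rec)), "lookups, over limit:", exceeds_lookup_limit(rec))
```

In practice the count that matters is the recursive one: each include: pulls in a vendor's record with its own includes, which is how a domain that lists only four or five services ends up past ten. A local check that walks the includes with real DNS would replace the static list above; the counting rule stays the same.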
as an attachment, and I think
the generic "octet-stream" is correct since there is no specific software
that must be used for a plain text file. (I'm actually surprised that there
is nothing like application/plaintext for this case, but I could not
identify such a type in a web search.)
half a
billion servers, like ec2-54-225-189-51.compute-1.amazonaws.com for
54.225.189.51, since like end-user IPs they are interchangeable parts. I'd
be inclined to exclude them from RDNS_DYNAMIC.
Joseph Brennan / Columbia U
PS-- They do have nice matching PTR and A records.
silly enough
to say they are free of spam customers, but they are definitely servers.
Joseph Brennan / Columbia U
domain.
--
Joseph Brennan
Lead, Email and Systems Applications
30,000 and look at content.
It is interesting that Spamhaus does not list the sending IPs or the
web hosts. Maybe their secret honeypot addresses do not have enough
.edu presence.
(google: "honor society" scam)
--
Joseph Brennan
Columbia University
ndmail.
Sendmail access.db? It's easy:
From:us REJECT
From:ci.boston.ma.us OK
From:corunna.k12.mi.us OK
Or name the states:
From:us REJECT
From:ma.us OK
From:mi.us OK
Joseph Brennan
Columbia University
will diagnose future attempts.
--
Joseph Brennan
n the author of the message in some cases.
--Joseph Brennan
"/tmp/.spamassassin17852Aeax7dtmp/72_active.cf": uridnsbl_skip_domain
accessbankplc.com
...
config: failed to parse line, skipping, in
"/tmp/.spamassassin17852Aeax7dtmp/72_active.cf": uridnsbl_skip_domain
zugerkb.ch
channel: lint check of update failed, channel failed
Joseph Brennan
Columbia University Information Technology
d most
hardware used for Linux (like Intel) are both little-endian-- so it is
probably not the answer in this case.
This is a nice test I found:
echo -n I | od -to2 | awk '{ print substr($2,6,1); exit}'
1 little-endian
0 big-endian
Joseph Brennan
Columbia U
the message but must "align"
with the mail system that sent the message?
Well, they also changed the SPF protocol so that -all should not be used.
Using ~all causes processing to continue through DKIM and DMARC, and then
the failure gets reported to the "ruf" address. Us
can't say whether the unusual X- headers continue.
Spamhaus knows most of the hosts they are sending from.
Joseph Brennan
Columbia University Information Technology
From header, so this spoofs effectively.
If you want to catch this, you'd want to score for the case where the From
header has your domain but the Sender header does not. BUT be careful. A
rule like that would hit on mail sent through mailing lists and some other
legitimate "send as" cases.
Joseph Brennan
Columbia University I T
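The check described above, From header in your domain but Sender header elsewhere, with the mailing-list carve-out the message warns about, as an added example. This is my own code, not from the list or from SpamAssassin; example.edu is an assumed local domain and the three messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.edu"   # assumption: the domain whose users are being impersonated


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def is_list_traffic(msg) -> bool:
    """Mailing lists announce themselves; this is the carve-out needed so the
    rule does not hit legitimate send-as mail relayed through a list."""
    return any(msg.get(h) for h in ("List-Id", "List-Post", "List-Unsubscribe"))


def from_sender_mismatch(msg, our_domain=OUR_DOMAIN) -> bool:
    """True when header From claims our domain but a Sender header names a
    different domain, outside the obvious mailing-list case. An absent
    Sender is ordinary mail and is not flagged."""
    if domain_of(msg.get("From")) != our_domain:
        return False
    sender = msg.get("Sender")
    if sender is None or domain_of(sender) == our_domain:
        return False
    return not is_list_traffic(msg)


# Constructed messages.
SPOOFED = """From: "Payroll Office" <payroll@example.edu>
Sender: campaign@bulk-mailer.example.net
To: staff@example.edu
Subject: Updated direct deposit form

Please review the attached form.
"""

LISTMAIL = """From: "A Professor" <prof@example.edu>
Sender: owner-discuss@lists.example.org
List-Id: Department discussion <discuss.lists.example.org>
To: discuss@lists.example.org
Subject: Seminar on Friday

See you there.
"""

INTERNAL = """From: "Registrar" <registrar@example.edu>
Sender: registrar-system@example.edu
To: student@example.edu
Subject: Grades posted

Grades are available.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("list", LISTMAIL), ("internal", INTERNAL)):
        print(name, from_sender_mismatch(message_from_string(raw)))
```

The List-* carve-out covers lists, not every "send as" case (calendar invitations and some ticketing systems also set a foreign Sender), so this belongs in a scored rule, not a reject, as the message says.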
Other than that I don't see the purpose to this change.
Joseph Brennan
Columbia University I T
:-)
Joseph Brennan
Columbia University
to achieve this goal?
I can't think of any way to do it without adding functionality to SA,
sorry.
Does this do it?
score AWL 0
meta LOCAL_SCORE_AWL AWL && !URIBL_DBL_SPAM
score LOCAL_SCORE_AWL -10
where -10 is whatever score AWL usually has (I forget)
Joseph Brennan
Columbia U I T
.
Joseph Brennan
Columbia University Information Technology
'.
The image is a picture of text written in Chinese.
Joseph Brennan
Columbia University Information Technology
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.23181"></HEAD>
with html tags, e.g. ora<tag>nge.
Joseph Brennan
Columbia University Information Technology
subscribes to.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
positives. No META needed.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
header fields and format, which are not
present there.
Including a plain part is desirable in many cases but not all.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
body __SR1 /html\s{0,2}!--/
body __SR2 /--\s{0,2}body/
does not work since body rules strip html comments
with rawbody it ignores limits but hits on both
And don't score too high.
Example: Confirmations from Travelocity contain a 28 KB comment.
Joseph Brennan
Columbia University
think!
Joseph Brennan
Columbia University Information Technology
The maximum message size is 256 MB.
I've never seen spam larger than 3 MB.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
the mail.
The samples were from f...@fanboxnotes.com and nore...@fanboxnotes.com.
They look like the ones reported here, including the lower-case header
labels.
Joseph Brennan
Columbia University Information Technology
.
They're as good at email as I am at designing web pages :-)
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
--On Friday, June 17, 2011 0:58 +0200 Benny Pedersen m...@junc.org wrote:
make an info tld rule with a score of 2.5,
Meta: From has .info AND uri has .info, score 2.0. We've done it for
years. Works fine. Maybe it could be 2.5.
Joseph Brennan
Columbia University Information Technology
know of three, anyway). A link in part 1 opens the HTML attachment
in a new window, and that links you to the secure web page with the
secure message. But anyway, an HTML attachment is still odd enough to
rate a low score.
Joseph Brennan
Columbia University Information Technology
the
same as for any other message, if you can.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
that.
It could be that a meta of multiple br plus something else gets
a more accurate spam diagnosis, so I'm not saying it's useless, but
it is not as straightforward as it seems.
Joseph Brennan
Columbia University Information Technology
willing to 550 based on a match.
I could see scoring for shorteners. So this is good news.
Joseph Brennan
Columbia University Information Technology
checking for an
MX record for the sender address, not the host.
Joseph Brennan
Columbia University Information Technology
out, they can also be hosts at
small organizations with overworked or newbie system admins. I would
not block outright for that. As David said, lots of fps await.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
an rsync feed?
I've asked twice with no results.
Consequently we haven't started using it. We'd be doing well over a
million lookups a day.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
. We've
considered blocking for it, but we'd end up doing a lot of whitelisting
and interfering with mail that our users want.
It's worth scoring for, and RDNS_NONE already matches this case.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
header:
X-Envelope-From: u...@lanyon.com
Received: from S253906HZ1EW06.usstls6-hosting.savvis.net (unknown
[209.16.192.170])
Is it because there is no reverse DNS entry?
Yes.
Notice also that the rule checks the header From:, not the envelope,
and they could be different.
Joseph Brennan
David B Funk dbf...@engineering.uiowa.edu wrote:
Notice also that the rule checks the header From:, not the envelope,
and they could be different.
When did that change?
Sorry. I am wrong.
Joseph Brennan
Columbia University Information Technology
by these features:
Subject contains /Secure Message from / followed by the same address
as the From header.
The message body contains a MIME part named securedoc.html coded as
application/octet stream.
I cannot post a sample secure message.
Joseph Brennan
Columbia University Information
not really from Yahoo. No DKIM, no Newman property. That's
a fake header.
The javascript is just an incredibly obfuscated way of putting in a
url. Base 64, javascript, two layers of redirect and... it's the
Canadian Pharmacy.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information
this matches it:
/document\.write\(unescape\(.?(\%..){10,}/
While unescape is a legitimate function, it's odd that a string would
start off with a lengthy series of escaped characters.
This seems to need a RAWBODY check to match. That's as far as I've
got.
Joseph Brennan
Columbia University
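Two messages above make the same point from different directions: body rules see rendered text with HTML comments and script removed (the "html !--" rule fails for that reason), so a document.write(unescape(...)) payload and whatever URL it hides are only reachable from the raw part. As an added example, not the poster's rule and not SpamAssassin's renderer, this applies a working variant of the regex above to a constructed HTML part, decodes the escapes, and shows what a body-style view of the same part contains.

```python
import re
from urllib.parse import unquote

# Constructed sample: a comment (which body rules never see), visible filler
# text, and a script that writes a link assembled from percent-escapes.
# The escaped string decodes to: <a href="http://example.invalid/rx">Click</a>
SAMPLE_HTML = """<html><body>
<!-- tracking comment that a body rule never sees -->
<p>Your order confirmation</p>
<script type="text/javascript">
document.write(unescape("%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%72%78%22%3E%43%6C%69%63%6B%3C%2F%61%3E"));
</script>
</body></html>"""

# document.write(unescape( then an optional quote, then 10 or more %XX escapes.
# A working variant of the regex in the message above; the 10 is its threshold.
UNESCAPE_CALL = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*["']?((?:%[0-9A-Fa-f]{2}){10,})""",
    re.IGNORECASE)

HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def rendered_text(raw_html: str) -> str:
    """Rough stand-in for what a 'body' rule matches against: comments,
    script and style blocks gone, remaining tags stripped, whitespace folded."""
    text = re.sub(r"<!--.*?-->", "", raw_html, flags=re.DOTALL)
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", "", text,
                  flags=re.DOTALL | re.IGNORECASE)
    text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(text.split())


def unescape_payloads(raw_html: str) -> list:
    """Decode every document.write(unescape(...)) argument found in the raw part."""
    return [unquote(m.group(1)) for m in UNESCAPE_CALL.finditer(raw_html)]


def hidden_urls(raw_html: str) -> list:
    """URLs that appear nowhere in plain form in the part, only after decoding."""
    return [u for payload in unescape_payloads(raw_html) for u in HREF.findall(payload)]


if __name__ == "__main__":
    print("body sees:", repr(rendered_text(SAMPLE_HTML)))
    print("raw decodes to:", unescape_payloads(SAMPLE_HTML))
    print("hidden urls:", hidden_urls(SAMPLE_HTML))
```

The rendered view keeps only "Your order confirmation"; neither the comment nor the script survives, which is why a rawbody check is needed for either. The decoded href is what you would feed to a URI blocklist lookup if you wanted to go beyond scoring the obfuscation itself.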
--
Re: Joseph Brennan:
Why doesn't sendmail reject it like it does here? (..) .. Domain name
required for sender address
I cannot afford rejecting all null senders as those could be
legitimate Delivery Status Notification messages.
What I am looking for is a pattern for line:
MAIL FROM: do
[124.157.160.227] (may be forged), reject=553 5.5.4 vjaqrra scuper
acntive make your sskexxual ... Domain name required for sender address
Joseph Brennan
Columbia University Information Technology
it too.
Joseph Brennan
Columbia University Information Technology
. Go to the URL. It does not tell you why
but suggests many possible reasons. I'd go for the last one :-)
Joseph Brennan
Columbia University Information Technology
is involved. Most mail software would not write that.
Joseph Brennan
Columbia University Information Technology
that SA would
catch pretty much the same messages, we'd need significantly more
hardware to do it only with SA.
I realize this is separate from the question of whether SA should run
Spamhaus tests by default. I just want to make a point about Spamhaus.
Joseph Brennan
Columbia University Information
reason to do this... no, I don't think so.
Why not blame the software that created the message?
Joseph Brennan
Columbia University Information Technology
.
These match a lot of them:
Subject =~ /\%.*(special|lower|sale|off|on|today)/i
Subject =~ /(don.t miss|special|save|sale).*\%/i
Subject =~ /-\d+\%/
You probably can't give more than 1 or 2 points or you'll fp.
They keep changing too. The minus-percent just started recently.
Joseph Brennan
Columbia
virus that got reactivated somehow. How many email
viruses do you even see these days?
Did antivirus provide a name for this thing?
Joseph Brennan
Columbia University Information Technology
. It's worthwhile giving them an error too,
so they'll know about it.
Joseph Brennan
Columbia University Information Technology
users.)
Joseph Brennan
Columbia University Information Technology
header __MY_FILTRAGE_TO_93 To =~ /\...@exxent\.net/i
This matches if @exxent.net is in the To: header line. It doesn't
match all mail sent to recipients at exxent.net-- only mail with their
address in the To: header line.
Of course this may be exactly what you want to do.
Joseph
parsing' of Received headers, or
for other than checking IP addresses that hand off to your mailservers.
Joseph Brennan
Columbia University Information Technology
that.
Joseph Brennan
Columbia University Information Technology
it happens.
Joseph Brennan
Columbia University Information Technology
Report the abuse to Google and reject any mail from
@listserv.bounces.google.com
Trademark violation? http://www.lsoft.com/corporate/trademark.asp
I thought this was faked the first time I saw it.
Joseph Brennan
Columbia University Information Technology
Ned Slider n...@unixmail.co.uk wrote:
body LOCAL_BODY_CIALIS /\bcialis/i
That's probably what the rule is, and it will match 'spe/cialistes'.
Joseph Brennan
Columbia University Information Technology
for .cn
Joseph Brennan
Columbia University Information Technology
-0800 this time of year.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Freelotto.com went on our local blocklist on October 31, 2001. No one
here has ever asked us about not getting mail from that domain.
Joseph Brennan
Columbia University Information Technology
customercenter.com and par3.com.
Their current SPF record does not mention those, but it ends with ~all.
A lot of banks send via third party servers, or domains of former banks
they merged at some point. Many times sender and hostname do not match.
Joseph Brennan
Lead Email Systems Engineer
Columbia
would be extremely careful
about this stuff. Ha ha ha. They're not.
Joseph Brennan
Columbia University Information Technology
to dump spam.
Joseph Brennan
Columbia University Information Technology
the mail from going out. And
of course a sudden increase in volume from a user could also trigger.
Joseph Brennan
Columbia University Information Technology
recipients:; notation, the only case commonly seen, is just
a list with no addresses in it. Also somewhat common is...
To: Members of the List Blablabla:;
... as written by Listserv.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
strongly.
you have LEGIT EMAIL with this in it?
Microsoft products regularly have <STYLE></STYLE> for no obvious reason.
However <style></style> lower-case is unusual, but not unheard of.
Joseph Brennan
Columbia University Information Technology
the following:
/\bP\.?O\.?[:#]? [#]?/i
/P\.?O/
Expect it to match things besides purchase orders, but they will be
false negatives.
Joseph Brennan
that it sees frequently (or that it
wants to whitelist permanently).
Joseph Brennan
Columbia University Information Technology
and staff and the summer
overlap of graduated and admitted student accounts.
Requiring large organizations to use rsync and charging for it
makes a lot of sense. How much, though... and we didn't budget
this in when we estimated last spring, for the July-June fiscal
year schools use...
Joseph
Sahil Tandon [EMAIL PROTECTED] wrote:
We get some legitimate email from @live.com users.
But they don't set a Reply-to header. That's the test.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Reply-to: [EMAIL PROTECTED]
First pass:
header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
score LOCAL_REPLYTO_LIVE 8.0
Maybe scoring 8.0 for one thing scares you, but I haven't seen this
fp in a couple of months.
Joseph Brennan
Columbia University Information
to us. Another useful local rule
is to check for the uri of your own webmail.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
. I'll try to comfort myself with that.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology