came across as it may have, and also for the delay in
reporting (I was alerted to this yesterday afternoon).
On Thu, Oct 12, 2023 at 8:48 AM Bill Cole
wrote:
>
> On 2023-10-11 at 22:02:22 UTC-0400 (Wed, 11 Oct 2023 22:02:22 -0400)
> Ricky Boone
> is rumored to have said:
>
at 9:25 PM Bill Cole
wrote:
>
> On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
> Ricky Boone
> is rumored to have said:
>
> > Just a heads up, it appears that usssa[.]com has had their SendGrid
> > email sending account popped, and a bad actor ha
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.
Many RBLs have policies in place against open resolvers, such as
Google DNS, OpenDNS, etc. You're on the right track, you need a local
resolver that is configured to query directly to the authoritative DNS
server.
Unbound, or any local resolver, would need to be configured to use
root hints to
Typo, I meant to say I was on SA 3.4.6.
On Wed, Aug 30, 2023, 3:22 PM Ricky Boone wrote:
> Something I noticed on a set of emails that were reported to me.
>
> I have custom rules to look out for certain names in From:name. The
> messages should have been caught by them,
Something I noticed on a set of emails that were reported to me.
I have custom rules to look out for certain names in From:name. The
messages should have been caught by them, however upon inspection the
name was UTF-8 encoded, and included a character that doesn't seem to
render, but interferes
the trick, though.
On Thu, Mar 3, 2022 at 1:48 AM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:
> On 2022-03-02 at 17:58:50 UTC-0500 (Wed, 2 Mar 2022 17:58:50 -0500)
> Ricky Boone
> is rumored to have said:
>
> > If this is the wrong forum to report this, let m
If this is the wrong forum to report this, let me know.
I'm trying to create a couple rules to identify questionable PDFs
(phishing, etc.). While evaluating the debug output from spamassassin for
the pdfinfo plugin, I noticed that some of the test file attributes aren't
being populated
want to point to the vault
server.
On Tue, Aug 3, 2021 at 10:27 PM Ricky Boone wrote:
> Throwing this out there... It does not solve the issue(s) with being on
> EL6, and it doesn't solve the issue with what may be happening with
> sa-update for 3.3.x, but it may be a potential interim
Throwing this out there... It does not solve the issue(s) with being on
EL6, and it doesn't solve the issue with what may be happening with
sa-update for 3.3.x, but it may be a potential interim solution to allow
your instance SpamAssassin to be more up to date in the meantime.
Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters. Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a summary of
On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
>
> I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and
> norton to my sandbox, they are likely going to be fairly common.
Looks like the FUZZY_PAYPAL rule may need word boundaries added to the
regex. I'm seeing it catch
On Thu, Feb 18, 2021 at 7:08 PM John Hardin wrote:
>
> In our case it's best to upload an entire email (all headers intact and
> with as little obfuscation as possible) to something like Pastebin, then
> post the URL to that here so it can be downloaded. This keeps the spample
> from being
Nice. I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).
On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis wrote:
>
> On 2/18/21 6:37 PM, Ricky
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.
Yep, so far so good. Thank you again for the pointers and creating
the rules so quickly.
On Tue, Feb 16, 2021 at 9:06 PM John Hardin wrote:
>
> On Tue, 16 Feb 2021, Ricky Boone wrote:
>
> > On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
> >>
> >> OK, I add
On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
>
> OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
>
> If they don't perform well in masscheck you can always grab them out of my
> sandbox for your local rules.
>
> Masscheck results:
>
>
On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
>
> On Sun, 14 Feb 2021, Ricky Boone wrote:
>
> > What are the community's thoughts on handling spam/phishing that utilize
> > homoglyphs to obfuscate the brands they're targeting? Are there any
> > plugins that ar
What are the community's thoughts on handling spam/phishing that utilize
homoglyphs to obfuscate the brands they're targeting? Are there any
plugins that are in development that might assist with catching these?
For example, here are some phrases that I've been monitoring from reported
messages:
Good afternoon.
I'm seeing an increase in spam/phishing that is utilizing Google Docs. I
see a rule that seems to be intended to flag certain Google Docs related
URLs, but not the ones I'm seeing.
72_active.cf:uri __URI_GOOGLE_DOC
Looks like I might have replied to Kris and not the maillist. Sorry if
this shows up twice.
Made a couple adjustments to the two patterns and merged them into one if
anyone is interested.
/^\[[^\]]+
(?:helo|rdns)=[\w\d.]+\.(?:outbound-e?mail|shared)\.sendgrid\.net /
On Thu, Jul 16, 2020 at