They are very different tools.
One uses an SMTP RFC repeat clause to understand whether the attacker is using
a real server, slowing burst connections and eventually adding the IP to the
firewall. This is limited to port 25, and it does not work against DDoS
attacks, because pf is not that effi
On 12 Feb 2019, at 15:04, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I
checked.
A good 'tarpit' tool that IS available for *BSD (originating on OpenBSD)
is 'spamd' which unfortunately shares a name with the daemon aspect of
SA. There's a port fo
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I checked.
Bummer.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
On Tue, Feb 12, 2019 at 18:34, RW wrote:
> On Tue, 12 Feb 2019 16:49:27 +
> Rupert Gallagher wrote:
>
> Before the change, the
>> service stated that the IP fell into their spamtrap, whatever that
>> is.
>
> Seriously?
>
>> The fact remains that we have never sent mail to the gremlin,
>
> How
Ehhh not available on bsd with pf, or so it was the last time I checked.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> and we have now blocked their IP at the firewall,
>
I like it!
On Tue, Feb 12, 2019 at 18:15, John Hardin wrote:
> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):\/\//
>> tflags __HAS_URI multiple
>> meta TMU ( __HAS_URI > 10 )
>> describe TMU Too
Ah, ok...
On Tue, Feb 12, 2019 at 18:04, RW wrote:
> On Tue, 12 Feb 2019 16:38:47 +
> Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):\/\//
>> tflags __HAS_URI multiple
>> meta TMU ( __HAS_URI > 10 )
>> describe TM
On Tue, 12 Feb 2019 16:49:27 +
Rupert Gallagher wrote:
Before the change, the
> service stated that the IP fell into their spamtrap, whatever that
> is.
Seriously?
> The fact remains that we have never sent mail to the gremlin,
How can you possibly know that you haven't sent anything to
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
and we have now blocked their IP at the firewall,
A suggestion: it may hurt them more if you TCP tarpit them instead of just
blocking them. That's what I do.
Perhaps a little stale, and overkill for manual punishment, but it
documents the tools:
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Let's see if the mail arrives with the correct escaping this time.
body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
How about:
uri __HAS_URI /^http/i
On Tue, 12 Feb 2019 16:38:47 +
Rupert Gallagher wrote:
> Let's see if the mail arrives with the correct escaping this time.
>
> body __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( __HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0
>
> Those who fill
Note that the "too many uris" thing has nothing to do with the Russian gremlin
who, in the meantime, has disabled the part of the rbl that explains why the IP
was listed. Before the change, the service stated that the IP fell into their
spamtrap, whatever that is. The fact remains that we have n
Let's see if the mail arrives with the correct escaping this time.
body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
As rightly noted, the same link is counted twice, for text and html bodies when
they are pres
On Tue, 12 Feb 2019 09:44:02 +
MAYER Hans wrote:
> “full” statement should be: full __HAS_URI /(http|https):\/\//
This is still a poor rule; "full" is actually the worst type to use.
Both full and rawbody can find a lot more links than are relevant. It's
already been mentioned that
biz/?beiqv
<http://beiqv.biz/?beiqv> beiqv
I learned a lot. Your reply was very helpful.
Kind regards
Hans
From: Rupert Gallagher
Sent: Thursday, February 7, 2019 7:37 PM
To: MAYER Hans ; SA
Subject: Re: RE: New type of SPAM aggression
full __HAS_URI /(http|https):\/\//
tflags __HAS_
On Thu, 7 Feb 2019, Rupert Gallagher wrote:
full __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
Be aware, if the mail has properly-formed HTML and plain-text alternate
versions, that will double-count every URI.
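Here is an added Python example (not code from the thread, and not SpamAssassin's own implementation) that illustrates the double counting John Hardin warns about above and why the uri-scope rule suggested earlier in the thread is a better fit: it builds a constructed multipart/alternative message and compares the number of http(s):// hits across the raw message with the number of distinct URIs. The regexes and the per-part counting are this example's own approximation of the full and uri scopes, not SA's rendering logic.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): four distinct links, each listed
# once in the text/plain part and twice in the text/html part (href and
# anchor text), as a typical HTML mailer emits them.
LINKS = ["http://ex%d.invalid/a" % i for i in range(1, 5)]
RAW_MESSAGE = (
    "From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
    "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
    + "".join(u + "\r\n" for u in LINKS)
    + "--b1\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    + "".join('<a href="%s">%s</a><br>\r\n' % (u, u) for u in LINKS)
    + "--b1--\r\n"
).encode("ascii")

HAS_URI = re.compile(r"https?://", re.I)          # the thread's __HAS_URI test
URI = re.compile(r"https?://[^\s\"'<>]+", re.I)   # crude whole-URI extractor

def count_full(raw: bytes) -> int:
    """Every http(s):// hit in the raw message, headers and all parts alike:
    roughly what a 'full' rule with 'tflags multiple' feeds into the meta."""
    return len(HAS_URI.findall(raw.decode("ascii", "replace")))

def count_per_text_part(raw: bytes) -> dict:
    """Hits per decoded text part, keyed by content type, to show where the
    duplicates come from in a multipart/alternative message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    counts = {}
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            counts[part.get_content_type()] = len(HAS_URI.findall(part.get_content()))
    return counts

def distinct_uris(raw: bytes) -> set:
    """Distinct URIs across all text parts: the quantity a 'too many links'
    threshold is really after, and what a deduplicated uri-scope view gives."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.update(URI.findall(part.get_content()))
    return found

def too_many_uris(hits: int, threshold: int = 10) -> bool:
    """The TMU meta rule's condition: hit count strictly greater than 10."""
    return hits > threshold
```

With four real links the raw count reaches 12 and trips the >10 threshold, while the distinct-URI count stays at 4.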
Rupert Gallagher skrev den 2019-02-07 19:37:
full __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
mixed http and https, real spam
browsers would not like it
full __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
On Thu, Feb 7, 2019 at 09:12, MAYER Hans wrote:
>
>
>> … All emails were spam with links. …
>
> We receive such spam mails with a lot of links too.
>
> Is there
> … All emails were spam with links. …
We receive such spam mails with a lot of links too.
Is there a rule which detects a certain amount of links inside an e-mail ?
// Hans
--
From: Rupert Gallagher
Sent: Wednesday, February 6, 2019 12:55 PM
To: SA
Subject: New type of SPAM aggress
On Wed, Feb 6, 2019 at 15:42, RW wrote:
> On Wed, 06 Feb 2019 11:55:07 +
> Rupert Gallagher wrote:
>
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them
>> automatically to an administrat
14:40, Rupert Gallagher wrote:
>> The spammers at gremlin.ru have just created a homepage, with no
>> information on how to delist an IP.
>>
>> Their fake dnsbl is listed as genuine in at least two antispam engines.
>>
>>
>> On Wed, Feb 6, 2019 at 12:55,
write to "postmaster AT example DOT net" and ask them to re-test your
server.
Paul
From: Rupert Gallagher
Reply-To: Rupert Gallagher
Date: Wednesday, 6 February 2019 at 11:55
To: SA
Subject: New type of SPAM aggression
This is to inform about a new type of SPAM aggression.
We rece
On Wed, 06 Feb 2019 11:55:07 +
Rupert Gallagher wrote:
> This is to inform about a new type of SPAM aggression.
>
> We received from Russia, for months, and redirected them
> automatically to an administrative address for manual inspection. All
> emails were spam with
s genuine in at least two antispam engines.
On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:
This is to inform about a new type of SPAM aggression.
We received from Russia, for months, and redirected them automatically
to an administrative address fo
The spammers at gremlin.ru have just created a homepage, with no information on
how to delist an IP.
Their fake dnsbl is listed as genuine in at least two antispam engines.
On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:
> This is to inform about a new type of SPAM aggression.
>
This is to inform about a new type of SPAM aggression.
We received from Russia, for months, and redirected them automatically to an
administrative address for manual inspection. All emails were spam with links.
From the standpoint of the attacker(s), all emails were delivered, but none
turned