On Thu, 2013-04-11 at 18:25 -0400, Alex wrote:
> Hi,
>
> Recently I noticed that this rule was getting FPs from mail on a
> SourceForge-related mailing list that I thought should have nothing to
> do with Yahoo, so I added in another (obfuscated) rule. The combi
Hi,
> Recently I noticed that this rule was getting FPs from mail on a
> SourceForge-related mailing list that I thought should have nothing to
> do with Yahoo, so I added in another (obfuscated) rule. The combination
> now looks like this:
>
> #
> # Yahoo message-ID but sender not Yahoo.
> #
> des
On 4/10/2013 9:00 PM, Alex wrote:
> Hi,
>
>> > Would someone put some samples of Yahoo single link spam on PasteBin.
>> > I am trying to test my rules and I seem to be missing some of the variations.
>>
>> Here
Hi,
>> > Would someone put some samples of Yahoo single link spam on PasteBin.
>> > I am trying to test my rules and I seem to be missing some of the variations.
>>
>> Here's an example: it is the message I developed the following rule
>> against
On 4/10/2013 7:42 PM, Alex wrote:
> Hi,
>
> > Would someone put some samples of Yahoo single link spam on PasteBin.
> > I am trying to test my rules and I seem to be missing some of the variations.
> >
> Here's an example: it
Hi,
> > Would someone put some samples of Yahoo single link spam on PasteBin.
> > I am trying to test my rules and I seem to be missing some of the
> > variations.
> >
> Here's an example: it is the message I developed the following rule
> against: http://pastebin.com
On 3/19/2013 4:54 PM, Alex wrote:
I know Kevin posted some rules, but they are no longer effective, as
they rely on fixed subjects or sender names.
My rules are metas where some of the fixed subjects were useful. The
sender names were just internal. However, I find the rules to be very
effecti
Hi,
> We need a rule to catch this. It looks like more data than it is but it's
> really little more than a single link. Like to see a rule that identifies
> it.
>
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/plain; charset=us-ascii
>
> http://www.eisingen.de/kb/m6ods3ohyayq.r
On 3/10/2013 3:37 PM, Dan Mahoney, System Admin wrote:
Here's the current version I'm using based on 3.4.0 trunk:
#YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE
COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
header __KAM_YAHOO1From =~
On Fri, 22 Feb 2013, Kevin A. McGrail wrote:
On 2/22/2013 3:27 PM, David F. Skoll wrote:
On Fri, 22 Feb 2013 12:20:22 -0800
Marc Perkel wrote:
We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies i
Hi,
>>> header __RP_D_00040_1 From:addr =~ /yahoo/i
>>> header __RP_D_00040_2 To =~ /(:?@.*?){5}/
>>> body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
>>> meta RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
>>> describe RP_D_00040 Yahoo single-line URL spam
>>
>>
On Sun, 3 Mar 2013, Alex wrote:
Hi,
My latest attempt is this:
header __RP_D_00040_1 From:addr =~ /yahoo/i
header __RP_D_00040_2 To =~ /(:?@.*?){5}/
body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
meta RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
describe
Hi,
> My latest attempt is this:
>
> header __RP_D_00040_1 From:addr =~ /yahoo/i
> header __RP_D_00040_2 To =~ /(:?@.*?){5}/
> body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
> meta RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
> describe RP_D_00040 Yahoo single
Hello David,
Friday, March 1, 2013, 5:43:37 PM, you wrote:
DFS> Can others confirm this pattern?
No.
URL in yesterday's is http://b23144.s3-website-ap-northeast-1.amazonaws.com
--
Best regards,
Niamh
Hello David,
Friday, March 1, 2013, 5:33:55 PM, you wrote:
DFS> are people still seeing these Yahoo single-link spams?
Got one yesterday
--
Best regards,
Niamh
On Sat, 2 Mar 2013, Ned Slider wrote:
On 02/03/13 01:40, John Hardin wrote:
On Sat, 2 Mar 2013, Ned Slider wrote:
>
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?
If the username + domain name
On Sat, 2 Mar 2013, Wolfgang Zeikat wrote:
In an older episode, on 2013-03-02 02:40, John Hardin wrote:
>
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?
(@, followed by 5-30 non-@ characters) re
In an older episode, on 2013-03-02 02:40, John Hardin wrote:
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
Can someone explain the regex and why it fails to fire for 7 recipients?
(@, followed by 5-30 non-@ characters) repeated three times.
Does that mean the same sequence
On 02/03/13 01:40, John Hardin wrote:
On Sat, 2 Mar 2013, Ned Slider wrote:
On 01/03/13 19:55, Alexandre Boyer wrote:
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with no
On Sat, 2013-03-02 at 01:11 +0000, Ned Slider wrote:
> That said, I just checked my example, and __MANY_RECIPS failed to fire.
> Here's the current rule:
>
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?
On Sat, 2 Mar 2013, Ned Slider wrote:
On 01/03/13 19:55, Alexandre Boyer wrote:
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was hard
In an older episode, on 2013-03-02 02:19, Benny Pedersen wrote:
Ned Slider skrev den 2013-03-02 02:11:
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
Can someone explain the regex and why it fails to fire for 7 recipients?
as i read it, it fires if there is more than 4 domains
Ned Slider skrev den 2013-03-02 02:11:
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
Can someone explain the regex and why it fails to fire for 7 recipients?
as i read it, it fires if there is more than 4 domains, not only 5
recipients, just a wild guess from me since i am n
On 01/03/13 19:55, Alexandre Boyer wrote:
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was harder to count...
I removed the similar rule a
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was harder to count...
I removed the similar rule as your __RP_D_00040 from my systems to avoid
On Fri, 01 Mar 2013 14:39:09 -0500
Alexandre Boyer wrote:
> Pretty the same as what David suggests :-)
My latest attempt is this:
header __RP_D_00040_1 From:addr =~ /yahoo/i
header __RP_D_00040_2 To =~ /(:?@.*?){5}/
body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
meta RP_D
Right: the suggested pattern is working great, but there are some
variants as KAM says.
However I sense that these are not the same bots. The one with the "date
in body" is always the same (the spammer only changed the date format).
I heard about a cross site botnet exploit on Yahoo! and third pa
On 01/03/13 17:33, David F. Skoll wrote:
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.
Regards,
David.
Here's one from this morning:
http://pastebin.com/cuk595z6
that matches the pattern being discussed.
On Fri, 2013-03-01 at 12:33 -0500, David F. Skoll wrote:
> Somewhat OT... are people still seeing these Yahoo single-link spams?
> They seem to have stopped abruptly as far as I can tell.
>
I haven't seen one for a few days either, but think it's still a useful
rule because it can't cost a lot to r
On 3/1/2013 12:43 PM, David F. Skoll wrote:
These are the common elements as far as I can see in the text/plain part
of the spam:
1) The URL always matches this regex:
http://\S+/\S+\.\S+\?
In other words, there's always a dot in the URL (not counting the dots
in the domain name itself) an
Hi,
These are the common elements as far as I can see in the text/plain part
of the spam:
1) The URL always matches this regex:
http://\S+/\S+\.\S+\?
In other words, there's always a dot in the URL (not counting the dots
in the domain name itself) and a question mark.
2) The URL is then fol
I saw 3 yesterday, yes. Scored 6.4 but
I use a high threshold so I can view the fringe spam.
On 3/1/2013 12:33 PM, David F. Skoll wrote:
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as
We don't see them as much as we used to, but they still make an appearance
every once in a while.
~ Anthony
- Original Message -
From: "David F. Skoll"
To: users@spamassassin.apache.org
Sent: Friday, March 1, 2013 9:33:55 AM
Subject: Re: Yahoo single link spam
Som
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.
Regards,
David.
On Fri, 2013-03-01 at 15:38 +0000, Scott Ostrander wrote:
> Would someone put some samples of Yahoo single link spam on PasteBin.
> I am trying to test my rules and I seem to be missing some of the variations.
>
Here's an example: it is the message I developed the following rule
Would someone put some samples of Yahoo single link spam on PasteBin.
I am trying to test my rules and I seem to be missing some of the variations.
Thanks,
Scott
-Original Message-
From: Marc Perkel [mailto:supp...@junkemailfilter.com]
Sent: Friday, February 22, 2013 12:20 PM
To: users
On Thu, 2013-02-28 at 20:34 -0500, Steve Prior wrote:
> I'm really starting to suspect that these spammers are scraping your public
> posts on Facebook and grabbing the names of people that commented on those
> posts, then using a Yahoo account and setting that name on the account before
> send
On 2/23/2013 10:56 AM, Kevin A. McGrail wrote:
I am 100% certain that it is compromised accounts on yahoo where they steal the
address books. They then seem to cross correlate and use common last names to
mail people using other compromised yahoo accounts. Though I need to check if
they have star
Hello,
I've discovered something... all of our samples of the Yahoo spam contain
a text/plain part that contains something like this:
http://www.majormedicaladvice.com/gfrqcov/ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33
PMKaryn Armstrong
That is, the target URL is immediately followed by the date, a s
On Sun, 24 Feb 2013 18:35:04 +0100
Benny Pedersen wrote:
> David could you make this as a clamav logical signature ?, and test
> it ?
I don't know how to do that... sorry.
Regards,
David.
On 2/23/2013 10:56 AM, Kevin A. McGrail wrote:
Though I need to check if they have started forging as well through
other servers.
Just following up on this and checking the Yahoo! spam that I've been
researching, all of it is sent by Yahoo! accounts through Yahoo! with
real DKIM signatures.
Axb skrev den 2013-02-24 19:02:
I obviously didn't understand you, nor do I understand you now
doesn't matter...
now you understand why you are developer and i am not ? :=)))
i remember some that said it :(
On 02/24/2013 06:48 PM, Benny Pedersen wrote:
Axb skrev den 2013-02-24 18:35:
http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com
is it possible to implement it?
imho surbl using it, but it would be nice to have it live tested
What you're seei
Axb skrev den 2013-02-24 18:35:
http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com
is it possible to implement it?
imho surbl using it, but it would be nice to have it live tested
What you're seeing is other way round - mywot uses SURBL
If yo
Kevin A. McGrail skrev den 2013-02-22 21:56:
describe KAM_YAHOO Compromised Yahoo! Accounts Sending Spam
incorrect, if they are DKIM signed it's Yahoo, if not it's a silly
spammer
blacklist_from (all-yahoo-domains)
def_whitelist_from (all-yahoo-domains)
would be more simple
the
On 02/24/2013 06:29 PM, Benny Pedersen wrote:
Marc Perkel skrev den 2013-02-22 21:20:
We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.
http://www.mywot.com/en/scorecard/fox-enws.com/
http://w
David F. Skoll skrev den 2013-02-22 21:27:
HeaderMatches RegExp ^To:(.*?@.*?){5} AND
Envelope Sender Ends with @yahoo.com AND
MessageSize <6000
Well, ok... the MessageSize condition is tricky. And this rule does
kick up some fa
Marc Perkel skrev den 2013-02-22 21:20:
We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.
http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com
is there
I am 100% certain that it is compromised accounts on yahoo where they steal the
address books. They then seem to cross correlate and use common last names to
mail people using other compromised yahoo accounts. Though I need to check if
they have started forging as well through other servers.
On Fri, 2013-02-22 at 12:20 -0800, Marc Perkel wrote:
> We need a rule to catch this. It looks like more data than it is but
> it's really little more than a single link. Like to see a rule that
> identifies it.
>
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/plain; charset=us
Here's the current version I'm using based on 3.4.0 trunk:
We're seeing many different variations. For example, we see over
70 variations in the name (not just "Connor Hopkins").
Agreed. That's more of an internal meta because we had one person really
getting hammered. YMMV.
I've been curio
On 2/22/2013 4:01 PM, David F. Skoll wrote:
On Fri, 22 Feb 2013 15:56:38 -0500
"Kevin A. McGrail" wrote:
Here's the current version I'm using based on 3.4.0 trunk:
We're seeing many different variations. For example, we see over
70 variations in the name (not just "Connor Hopkins").
Agreed.
On Fri, 22 Feb 2013 15:56:38 -0500
"Kevin A. McGrail" wrote:
> Here's the current version I'm using based on 3.4.0 trunk:
We're seeing many different variations. For example, we see over
70 variations in the name (not just "Connor Hopkins").
Regards,
David.
On Fri, Feb 22, 2013 at 03:27:27PM -0500, David F. Skoll wrote:
> On Fri, 22 Feb 2013 12:20:22 -0800
> Marc Perkel wrote:
>
> > We need a rule to catch this. It looks like more data than it is but
> > it's really little more than a single link. Like to see a rule that
> > identifies it.
>
> Ou
On 2/22/2013 3:27 PM, David F. Skoll wrote:
On Fri, 22 Feb 2013 12:20:22 -0800
Marc Perkel wrote:
We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.
Our product lets you make compound rules.
On Fri, 22 Feb 2013 12:20:22 -0800
Marc Perkel wrote:
> We need a rule to catch this. It looks like more data than it is but
> it's really little more than a single link. Like to see a rule that
> identifies it.
Our product lets you make compound rules. It should not be very hard
to translate
We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.
---262101065-1882747875-1361559395=:62570
Content-Type: text/plain; charset=us-ascii
http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycne