Re: Junk mixed in with ham on whitelists

2018-02-20 Thread David Jones

On 02/20/2018 04:08 PM, David Jones wrote:

On 02/20/2018 03:48 PM, David Jones wrote:

On 02/20/2018 12:57 PM, Kevin A. McGrail wrote:

On 2/20/2018 1:53 PM, David Jones wrote:
Over the years I have noticed junk/spam email coming from these 
servers so I created this rule:


header  ENA_RCVD_NOTRUST    Received =~ /\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|emailsrvr\.com|registeredsite\.com) \[/


Well just spot checking, you've identified some of the largest ISPs 
on the planet.  Secure Server is Wild West/Godaddy, WebsiteWelcome is 
HostGator, etc.




I knew they were major ISPs but spam still comes out of their servers 
at a higher rate than the occasional compromised account or bad 
customer of a good ESP (Exact Target, Mail Chimp, EMMA, etc).


I don't think they are going to be indicative of spam or ham and I 
would individually blacklist domains and contact their abuse.




I was doing that but always behind the whack-a-mole game.  I wanted to 
do the opposite and set a level playing field from a whitelist 
perspective for those servers by offsetting the whitelist negative 
scores to get them back to around zero and let Bayes plus other 
content-based rules determine the allow or block.


It doesn't seem like a good idea for whitelists to list these senders 
just because most of the email is ham.  If a small percentage is spam, 
then how do we report that back to Hostkarma and dnswl.org?  I can 
report it to SpamCop but that doesn't make its way to the other 
whitelists.




SPF record for websitewelcome.com that Hostgator recommends to their 
customers:


v=spf1 include:spf.websitewelcome.com include:spf1.websitewelcome.com 
include:_spf.google.com


That is ridiculous!!!  It requires 8 DNS queries and shouldn't include 
Google's servers.




I just received this perfect example where BAYES_80, DCC, and 
UNWANTED_LANGUAGE_BODY were the primary hits that blocked this.  I see 
some with many whitelists that would normally bring it below the block 
threshold but now I have meta rules with ENA_RCVD_NOTRUST to add back 
points with local *_OFFSET rules.


https://pastebin.com/mjvB0MKg  (scored 10.96)

Score   Matching Rule                       Description
3.20    BAYES_80                            Bayesian analysis determined this message has a 80%-95% chance of being spam.
3.20    DCC_CHECK                           Spam check using a checksum comparison with other mail servers on the Internet.
0.10    DKIM_SIGNED                         Message has a DKIM or DK signature, not necessarily valid
-0.10   DKIM_VALID                          Message has at least one valid DKIM or DK signature
0.01    DMARC_NONE
0.20    ENA_NOT_DKIM_VALID_AU
1.20    ENA_RCVD_NOTRUST                    Received from servers not trusted
1.20    ENA_RCVD_NOTRUST_MSPIKE_H2_OFFSET
0.25    HEADER_FROM_DIFFERENT_DOMAINS
0.00    HTML_MESSAGE                        HTML emails can be used to hide or obscure spam.
0.50    JMQ_SPF_NEUTRAL_ALL
-0.20   RCVD_IN_DNSWL_NONE                  Sender listed at http://www.dnswl.org/, no trust
-1.20   RCVD_IN_MSPIKE_H2                   Average reputation (+2)
-0.20   RCVD_IN_SENDERSCORE_80_89
-0.00   SPF_PASS                            SPF: sender matches SPF record
2.80    UNWANTED_LANGUAGE_BODY              Message written in an undesired language

--
David Jones


pyzor internal error on some messages

2018-02-20 Thread Alex
Hi,

Does anyone know what could be causing this? This is on fedora with
pyzor-1.1.0-1.20170904gitd14e980

Feb 20 22:08:07.475 [28639] dbg: pyzor: network tests on, attempting Pyzor
Feb 20 22:08:13.098 [28639] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Feb 20 22:08:13.100 [28639] dbg: pyzor: opening pipe: /usr/bin/pyzor
--homedir /var/spool/amavisd --log-file
/var/spool/amavisd/.pyzor/pyzor.log check <
/tmp/.spamassassin286393LEW3Dtmp
Feb 20 22:08:13.289 [28639] dbg: pyzor: [28647] finished: exit 1
Feb 20 22:08:13.289 [28639] dbg: pyzor: got response: Traceback (most
recent call last):\n File "/usr/bin/pyzor", line 429, in \n
main()\n File "/usr/bin/pyzor", line 152, in main\n if not
dispatch(client, servers, config):\n File "/usr/bin/pyzor", line 260,
in check\n send_digest(digested, mock_runner, servers)\n File
"/usr/bin/pyzor", line 283, in send_digest\n _send_digest(runner,
servers[0], digested)\n File "/usr/bin/pyzor", line 274, in
_send_digest\n runner.run(server, (digested, server))\n File
"/usr/lib/python3.5/site-packages/pyzor/client.py", line 258, in run\n
response = self.routine(*args, **kwargs)\n File
"/usr/lib/python3.5/site-packages/pyzor/client.py", line 122, in
_mock_check\n pyzor.proto_version))\nTypeError: %b requires bytes, or
an object that implements __bytes__, not 'int'
Feb 20 22:08:13.290 [28639] warn: pyzor: check failed: internal error,
python traceback seen in response

It doesn't happen on every message, but it's been going on for a
while. I've only now noticed the full debug output while running
spamassassin against some individual messages.


Re: Junk mixed in with ham on whitelists

2018-02-20 Thread Benny Pedersen

David Jones skrev den 2018-02-21 00:14:


https://pastebin.com/mjvB0MKg  (scored 10.96)
-0.10   DKIM_VALID  Message has at least one valid DKIM or DK signature


Authentication-Results: smtp3i.ena.net;
	dkim=policy reason="signing key too small" (768-bit key) 
header.d=mails-express.com header.i=@mails-express.com 
header.b="Mv82gS9m"


why different results?


Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

On 2/20/2018 6:05 PM, @lbutlr wrote:

On 2018-02-20 (08:30 MST), Rob McEwen  wrote:

Spammers are starting to use this to evade spam filters,

This is not news. Spammers have been using shorteners since 3 seconds after 
tinyurl.com launched.


My "this" was /*specifically*/ referring to Google's shortner, or at 
least the recent STRONG uptick in the abuse of that shortner. I was 
already well aware of other similar things from other shortners. But 
"this" wasn't referring to them. You infused thoughts/meaning into my 
writing that really wasn't there. (be careful about assuming...) Also, 
when you see my report further down, you'll understand why those others 
are not nearly as much of a concern to me at the moment.



Keep in mind that, if a marketer is doing things the right way, they should 
have no need to obfuscate their own domain name. They should instead proudly 
use it and not feel the need to hide behind Google's shortner.

No, that is not at all true. The primary use of a shortener is to shorten a long 
URL to something that someone can type in.


I've acknowledged that there are some good reasons for a shortner - but 
the vast majority of the times I'm seeing them - in both ham and spam - 
that is NOT the case! They are shortening things like average-sized 
domains with either no directory, or with a short directory or page 
names after the domain. This is the VAST MAJORITY of the shortners I'm 
seeing in both hams and spams.



Clicking a URL in an email is the height of stupidity, so having a short URL 
that someone can realistically type into a browser is much better.


If I spent just a little more time on this, I could collect a large 
number of Google shortner URLs that are malicious - where my 
malwarebytes is blocking access to the page to which it is trying to 
redirect. And these are still "live"! Do you really think that more than 
a tiny percent of those who saw those in their mailbox (both legit and 
spams) are manually typing in the URL and not just clicking on it? And 
in that exceedingly rare occasion where somebody types in the URL and it 
redirects to a malicious page that tries to install a virus, are they 
ANY better off than having just clicked on it? Even the best point I can 
think of that you might have had - that this might help them to better 
recognize a phishing URL for example - is lost since BOTH the phish and 
their bank's web site is going to be indistinguishable until AFTER 
they've launched the shortner (whether by clicking or typing). I think 
you just mistakenly bolstered my argument against this over-usage (and 
often inappropriate usage) of shortners!



THEREFORE: If you like having NOT-blacklisted IPs, be advised that the invaluement anti-spam DNSBL system is 
now adding "bad" points to the scoring of all messages that use the "goo.gl" shortner, 
and we're amplifying other "bad" points.
Well, at least you are warning people. However, what you are doing is, 
frankly, dumb; if you think there's a huge problem, you can simply 
check the target URLs. 


That incurs a significant amount of extra resources for DNSBLs and spam 
filters - and such automated lookups could also put a huge extra burden 
on Google's servers - and who knows at this point if this is even 
reliable - Google might easily start putting captchas in the way or 
otherwise consider such lookups to be abusive and/or mistake them for 
malicious bots... I'm definitely going to pursue this further - but 
wow... that you would suggest this... I think spam puts ENOUGH burden on 
spam filters and mail system as it is!



Yes, there are many legitimate uses of Google's shortner, too. However, we are 
now at a point where a VERY large % (a majority?) of uses of these headed to a 
typical user's mailbox are egregious spams, and a significant additional 
portion are likely-spams.

Any evidence of this?



EVIDENCE/STATS:

I ran stats on a sample set of a few thousand mailboxes, over a period 
of several hours today (mostly during business hours for these 
particular organizations who use these mailboxes) - and this produced a 
combined 24K legit messages, and 5K spams (I'm guessing that most 
systems have more spams per amount of hams? But those were the numbers 
for this server.)


---
NOTE: The sum of individual shortner-hits totals below can be LARGER 
than the total messages that had hits on ANY shortner - Why? - Because 
in a few cases, the same message can have hits on more than one of these 
shortners

---

I SEARCHED EACH HAM AND SPAM CORPUS FOR MANY OF HUNDREDS OF URL SHORTNERS

HERE ARE THE RESULTS:

---
STATS FROM SPAM:
286 total spams blocked that had a shortner, out of hundreds of URL 
shortners I had searched on
(<10 that *MIGHT* be FPs - they were definitely questionable at best - 
btw, zero of those questionable ones led to ANY kind of invaluement 
blacklisting, even with 

Re: Junk mixed in with ham on whitelists

2018-02-20 Thread David Jones

On 02/20/2018 03:48 PM, David Jones wrote:

On 02/20/2018 12:57 PM, Kevin A. McGrail wrote:

On 2/20/2018 1:53 PM, David Jones wrote:
Over the years I have noticed junk/spam email coming from these 
servers so I created this rule:


header  ENA_RCVD_NOTRUST    Received =~ /\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|emailsrvr\.com|registeredsite\.com) \[/


Well just spot checking, you've identified some of the largest ISPs on 
the planet.  Secure Server is Wild West/Godaddy, WebsiteWelcome is 
HostGator, etc.




I knew they were major ISPs but spam still comes out of their servers at 
a higher rate than the occasional compromised account or bad customer of 
a good ESP (Exact Target, Mail Chimp, EMMA, etc).


I don't think they are going to be indicative of spam or ham and I 
would individually blacklist domains and contact their abuse.




I was doing that but always behind the whack-a-mole game.  I wanted to 
do the opposite and set a level playing field from a whitelist 
perspective for those servers by offsetting the whitelist negative 
scores to get them back to around zero and let Bayes plus other 
content-based rules determine the allow or block.


It doesn't seem like a good idea for whitelists to list these senders 
just because most of the email is ham.  If a small percentage is spam, 
then how do we report that back to Hostkarma and dnswl.org?  I can 
report it to SpamCop but that doesn't make its way to the other 
whitelists.




SPF record for websitewelcome.com that Hostgator recommends to their 
customers:


v=spf1 include:spf.websitewelcome.com include:spf1.websitewelcome.com 
include:_spf.google.com


That is ridiculous!!!  It requires 8 DNS queries and shouldn't include 
Google's servers.


--
David Jones


Re: Junk mixed in with ham on whitelists

2018-02-20 Thread Benny Pedersen

David Jones skrev den 2018-02-20 23:08:


That is ridiculous!!!  It requires 8 DNS queries and shouldn't include
Google's servers.


+1

v=spf1 ip4:23.83.208.1/20 ip4:23.91.112.0/20 ip4:46.232.183.0/24 
ip4:50.87.152.0/21 ip4:50.116.64.0/18 ip4:64.233.160.0/19 
ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 
ip4:74.125.0.0/16 ip4:100.42.48.0/20 ip4:104.152.64.0/21 
ip4:104.171.0.0/20 ip4:108.167.128.0/18 ip4:108.175.144.0/20 
ip4:108.177.8.0/21 ip4:108.177.96.0/19 ip4:108.179.192.0/18 
ip4:162.144.0.0/16 ip4:162.253.144.0/21 ip4:162.254.160.0/21 
ip4:172.217.0.0/19 ip4:172.217.32.0/20 include:spf1.websitewelcome.com 
?all


v=spf1 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 
ip4:173.194.0.0/16 ip4:177.153.0.128/25 ip4:191.252.57.0/25 
ip4:192.169.48.0/20 ip4:192.185.0.0/16 ip4:198.58.80.0/20 
ip4:198.252.64.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 
ip4:216.172.160.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 
ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 
ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all


consider it +all

is there a plan for a max number of ips in a valid spf?
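The two questions raised in this thread (David Jones' count of DNS queries behind the websitewelcome.com record, and Benny's question about how many addresses a valid record may authorise) can both be answered offline by parsing the records themselves. The script below is an added example, not code from the thread or from any of the projects mentioned; it embeds the three records quoted above as string constants and never touches DNS, so `_spf.google.com` is reported as "not expanded" rather than resolved. The limit of 10 lookup-bearing terms comes from RFC 7208 section 4.6.4; the RFC sets no limit on the number of `ip4`/`ip6` terms, which is why the script simply totals them.

```python
# Added example, not from the thread: count the lookup-bearing terms in the
# websitewelcome.com SPF chain quoted above, entirely offline.
import ipaddress
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# The three records quoted in the thread, embedded as string constants so that
# nothing is fetched from DNS when this runs.
RECORDS = {
    "websitewelcome.com": (
        "v=spf1 include:spf.websitewelcome.com include:spf1.websitewelcome.com "
        "include:_spf.google.com"
    ),
    "spf.websitewelcome.com": (
        "v=spf1 ip4:23.83.208.1/20 ip4:23.91.112.0/20 ip4:46.232.183.0/24 "
        "ip4:50.87.152.0/21 ip4:50.116.64.0/18 ip4:64.233.160.0/19 "
        "ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 "
        "ip4:74.125.0.0/16 ip4:100.42.48.0/20 ip4:104.152.64.0/21 "
        "ip4:104.171.0.0/20 ip4:108.167.128.0/18 ip4:108.175.144.0/20 "
        "ip4:108.177.8.0/21 ip4:108.177.96.0/19 ip4:108.179.192.0/18 "
        "ip4:162.144.0.0/16 ip4:162.253.144.0/21 ip4:162.254.160.0/21 "
        "ip4:172.217.0.0/19 ip4:172.217.32.0/20 include:spf1.websitewelcome.com "
        "?all"
    ),
    "spf1.websitewelcome.com": (
        "v=spf1 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 "
        "ip4:173.194.0.0/16 ip4:177.153.0.128/25 ip4:191.252.57.0/25 "
        "ip4:192.169.48.0/20 ip4:192.185.0.0/16 ip4:198.58.80.0/20 "
        "ip4:198.252.64.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 "
        "ip4:216.172.160.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 "
        "ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
        "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"
    ),
}

# name, then an optional ':' / '=' / '/' separator and argument (a/24, ip4:..., redirect=...)
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def parse_spf(record):
    """Split one SPF record into its terms and tally what matters for review."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = {"lookups": 0, "includes": [], "ip4": [], "ip6": [], "all": None}
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        match = TERM_RE.match(term)
        if not match:
            raise ValueError(f"unparseable term: {term}")
        name, arg = match.group(1).lower(), match.group(2)
        if name in LOOKUP_TERMS:
            parsed["lookups"] += 1
        if name == "include":
            parsed["includes"].append(arg)
        elif name in ("ip4", "ip6"):
            # strict=False accepts host bits set, as in 23.83.208.1/20 above
            parsed[name].append(ipaddress.ip_network(arg, strict=False))
        elif name == "all":
            parsed["all"] = qualifier
    return parsed


def total_ipv4_addresses(parsed):
    """Number of IPv4 addresses the record's ip4 terms authorise."""
    return sum(net.num_addresses for net in parsed["ip4"])


def count_lookups(domain, records, seen=None):
    """Lookups spent by a record plus every include reachable from it.

    Returns (lookups, unresolved): `unresolved` lists include targets that are
    not in `records`; a live checker would fetch those via DNS. Each include
    target is expanded once; its own include terms are counted when parsed.
    """
    seen = set() if seen is None else seen
    if domain in seen:
        return 0, []
    seen.add(domain)
    record = records.get(domain)
    if record is None:
        return 0, [domain]
    parsed = parse_spf(record)
    total, unresolved = parsed["lookups"], []
    for target in parsed["includes"]:
        sub_total, sub_unresolved = count_lookups(target, records, seen)
        total += sub_total
        unresolved.extend(sub_unresolved)
    return total, unresolved


if __name__ == "__main__":
    for name, record in RECORDS.items():
        p = parse_spf(record)
        print(f"{name}: {p['lookups']} lookup terms, {len(p['ip4'])} ip4 terms "
              f"({total_ipv4_addresses(p)} addresses), {len(p['ip6'])} ip6 terms, "
              f"all={p['all']}")
    lookups, unresolved = count_lookups("websitewelcome.com", RECORDS)
    print(f"known lookups in chain: {lookups} of {MAX_LOOKUPS}; "
          f"not expanded here: {unresolved}")
```

Run as-is it reports 3 lookup terms in the top-level record, one more inside spf.websitewelcome.com, and leaves `_spf.google.com` unexpanded; the two expanded records together authorise 485,888 IPv4 addresses plus six IPv6 /36 blocks. To use it on your own domain, fetch the TXT records and add them to `RECORDS`.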


Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread @lbutlr
On 2018-02-20 (08:30 MST), Rob McEwen  wrote:
> 
> Spammers are starting to use this to evade spam filters,

This is not news. Spammers have been using shorteners since 3 seconds after 
tinyurl.com launched.

> Keep in mind that, if a marketer is doing things the right way, they should 
> have no need to obfuscate their own domain name. They should instead proudly 
> use it and not feel the need to hide behind Google's shortner.

No, that is not at all true. The primary use of a shortener is to shorten a long 
URL to something that someone can type in.

Clicking a URL in an email is the height of stupidity, so having a short URL 
that someone can realistically type into a browser is much better.

> Yes, there are many legitimate uses of Google's shortner, too. However, we 
> are now at a point where a VERY large % (a majority?) of uses of these headed 
> to a typical user's mailbox are egregious spams, and a significant additional 
> portion are likely-spams.


Any evidence of this?

> THEREFORE: If you like having NOT-blacklisted IPs, be advised that the 
> invaluement anti-spam DNSBL system is now adding "bad" points to the scoring 
> of all messages that use the "goo.gl" shortner, and we're amplifying other 
> "bad" points.


Well, at least you are warning people. However, what you are doing is, frankly, 
dumb; if you think there's a huge problem, you can simply check the target URLs.

-- 
I've always had a flair for stage directions.



Re: Blacklist for reply-to?

2018-02-20 Thread @lbutlr
On 2018-02-20 (06:02 MST), Rupert Gallagher  wrote:
> 
> Do you have the legal right to do so?

Absolutely.

No one gets to inflict a contract on me. Especially not an entirely stupid 
nonsense thing like that piece of crap that has no legal weight whatsoever.

-- 
We are born naked, wet and hungry; then it's all downhill.



Re: Junk mixed in with ham on whitelists

2018-02-20 Thread Bill Cole

On 20 Feb 2018, at 16:48, David Jones wrote:

It doesn't seem like a good idea for whitelists to list these senders 
just because most of the email is ham.


I can see no evidence for that in a quick check of my personal mail. In 
10 years:


68 messages
50 spam (all reported)
6 replies to spam reports
2 OoO Autoreplies to mailing messages with vacation info for guys I 
didn't know.

8 messages to single-sender (website-specific) addresses
2 messages from Namecheap themselves (privateemail.com ) trying to 
arrange an automatic monitoring rig for when their space lands on my 
(extremely irrelevant...) blacklist or a FBL for when I get spam from 
them. This raises the question: if a company whose business model is 
dependent on snowshoe spammers and domain squatters sends email asking 
for unpaid help in evading recognition of their essential evil, is it 
spam?


In the previous decade: 64 messages, 56 spams, 8 ham (all from 3 
websites to tagged addresses.)


Of course, my personal email isn't representative. I reject a 
substantial fraction of the mail from the networks where those domains 
have servers, and for a complex of reasons I have extremely high 
confidence in those rejections being pure spam. So, the above is less 
spammy than if I tagged and delivered.


What's special about such sources isn't that they're mostly ham or even 
significantly less spammy than a random sample of mail, it's that they 
have a lot of tiny customers who barely use email and occasional waves 
of transient spammers.  It makes them hard to pigeonhole either way.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

On 2/21/2018 1:17 AM, @lbutlr wrote:

goo.gl (and other shorteners) are used for far more than email.
That said, most of my incoming email is rejected long before it gets to 
any sort of URI lookups based on just the transaction information. 
That is to say, upwards of 90% of incoming mail is rejected before DATA. 


That is besides the point. I'm discussing the more elusive spams that 
often slip past spam filters and are difficult to block. I'm not very 
concerned with the "low hanging fruit" that you're describing - that is 
ANOTHER topic!



286 total spams blocked that had a shortner,

That's not enough to have any sort of reliable statistical data.


This is what was pulled from a corpus of 5K spams. Are you sure you 
didn't get confused and think I said that my total corpus I searched 
only involved 286 spams to start with?


Also, yes, different data batches from different sources can have 
different idiosyncrasies - but to discount this as not reliable due to 
being too small of sample size - is laughable. The server has a good 
variety of dozens of different domains and thousands of different users. 
These are actual "brick and mortar" businesses in the US with real 
people: Schools, law firms, real estate companies, manufacturing 
companies, service-oriented companies - so there is a SUBSTANTIAL 
variety. At the same time, I've had a distinct uptick in complaints 
about spam where the goo.gl shortner was a large factor in recent 
unblocked spam complaints - where those complaints are normally few and 
far between. With changes I've made in the past few days, the number of 
such spams slipping past my filter has been sharply reduced. Also, over 
the years, I've noticed that patterns I've seen on my server, like this 
one, often match patterns that others report. It defies Occam's Razor to 
suggest that I have this magical concentration of egregious goo.gl 
shortner spams that is magically hitting these very diverse and 
unrelated companies for whom I host mail, and not hitting elsewhere. 
That is how statistics tend to work. The next time you read about a poll 
that a newspaper or news show conducted, you may be shocked to learn that 
this poll that gave a nationwide estimate with a small margin of error - 
often only had about a thousand participants. My study isn't as 
scientific because my users aren't perfectly random. But it is diverse 
enough to simulate a sufficient amount of randomness so as to be an 
extremely good indicator. Likewise, whenever I hear about a new spam 
trend that is affecting many people, I pretty much never come up empty 
when searching for examples of that hitting my servers.



187 total legit messages had a hit on at least one of hundreds of URL shortners

So the use of a shortner is a poor spam indicator. Even in your corpus, and a 
negligible indicator even when specifically looking at goo.gl


You have an amazing talent for missing the point. Most often, when used 
in legit mail... it was more of an afterthought - such as someone 
sending a link to a Google maps reference - but yet where the sender was 
NOT using the shortner for obfuscation of spammer's domains, or even for 
their mail hyperlinks. But THAT is what happened when these were used in 
spams, where it was used to HIDE identity by obfuscating their main 
links. So there is a strong correlation right there. But you want an 
"all or none" strawman to argue against, while you conveniently ignore 
many points I've made. Yes - it is frustrating that it is NOT extremely 
easy to differentiate the ones who use it for obfuscation from the ones 
who have more appropriate usages. But there are ways. This is why I had to 
spend some hours making adjustments to my system - not some minutes. You 
make a good point that it is unwise to outright block ALL messages due 
to them having a shortner, or having the goo.gl shortner - but I'm light 
years more sophisticated than that - and I haven't argued that even one 
time in this thread.


Another problem with your statement is that if this loophole isn't 
addressed it will only get larger. Also, many of these spams are 
already very difficult to block - but would be very easy to block if the 
spammer wasn't hiding behind the shortner. That is a real problem that 
STILL exists regardless of how often shortners are used in legit mail - 
and regardless of how often they are used in spams - but you don't want 
to face that truth, it seems?


The BOTTOM LINE is that anything that (a) helps blacklist those senders 
who are doing this obfuscation in order to facilitate sending spam -AND- 
(b) motivate marketers and ESPs (& their clients) to avoid this tactic - 
is a step in the right direction.



Google's shortner is DOMINATING in its spam usage, where 92% (262 of 286) of 
ALL spam that contained shortners used Google.

But about 25% of goo.gl containing email is not spam, by your own numbers. So, 
a very poor metric.



A poor metric if only idiots ran spam filters and 

Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
You are wrong.

Sent from ProtonMail Mobile

On Wed, Feb 21, 2018 at 00:07, @lbutlr  wrote:

> On 2018-02-20 (06:02 MST), Rupert Gallagher wrote:
>> Do you have the legal right to do so?
>
> Absolutely.
>
> No one gets to inflict a contract on me. Especially not an entirely stupid
> nonsense thing like that piece of crap that has no legal weight whatsoever.
>
> --
> We are born naked, wet and hungry; then it's all downhill.

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread @lbutlr
On 2018-02-20 (19:42 MST), Rob McEwen  wrote:
> 
> I ran stats on a sample set of a few thousand mailboxes, over a period of 
> several hours today (mostly during business hours for these particular 
> organizations who use these mailboxes) - and this produced a combined 24K 
> legit messages, and 5K spams (I'm guessing that most systems have more spams 
> per amount of hams? But those were the numbers for this server.)

goo.gl (and other shorteners) are used for far more than email.

That said, most of my incoming email is rejected long before it gets to any sort of 
URI lookups based on just the transaction information. That is to say, upwards 
of 90% of incoming mail is rejected before DATA.

> 286 total spams blocked that had a shortner,

That's not enough to have any sort of reliable statistical data.

> 187 total legit messages had a hit on at least one of hundreds of URL 
> shortners 

So the use of a shortner is a poor spam indicator. Even in your corpus, and a 
negligible indicator even when specifically looking at goo.gl.

> Google's shortner is DOMINATING in its spam usage, where 92% (262 of 286) of 
> ALL spam that contained shortners used Google. 

But about 25% of goo.gl containing email is not spam, by your own numbers. So, 
a very poor metric.

-- 
"You can speak soon and write like a graduate college if me let you help
for a day of 15 minutes" "1963" Issue #1



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread @lbutlr
On 2018-02-20 (22:10 MST), Reindl Harald  wrote:
> 
> you may hit confirmation-urls (both ham and spam), trigger actions, trigger 
> *one-time* urls which are invalid for the user after a dumb bot used them not 
> talking about that it would be illegal in many countries in case of private 
> ham-mails

As I suspected, it is possible to get the goo.gl target URL without loading the 
site, though using curl is probably not realistic in this specific case.

$ curl -s "http://goo.gl/ylUAd" | grep -o "http[^\"]*"
http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135

$ curl -s "http://bit.ly/savecastle" | grep -o "http[^\"]*"
http://community.livejournal.com/castle_tv/28872.html

Doesn't work with t.co, but that is not surprising since twitter uses that 
specifically to hide URLs, considering them all their property that must go 
through their servers.

-- 
Mos Eisley spaceport. You will never find a more wretched hive of scum
and villainy. We must be cautious.



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

On 2/21/2018 1:38 AM, @lbutlr wrote:

As I suspected, it is possible to get the goo.gl target URL without loading the 
site, though using curl is probably not realistic in this specific case.



That is an idea worth exploring! Some might greatly benefit from that.

However:

(a) it might not "scale" for high volume mail flows and DNSBLs who, like 
invaluement, process dozens (or more) spams per second.


(b) and this isn't going to suddenly become a feature inside of many 
types of spam filtering hardware and software overnight... that could 
even take years, if it could ever even gain traction? It is taking into 
the decades just to get some of those software and hardware vendors to 
add support for URI blacklists, or support for adding custom 3rd 
party URI blacklists. If that is taking literally decades - they are not 
going to add this feature within the foreseeable future.


So please don't think for a second that this somehow makes the plans I 
had described as unnecessary.


--
Rob McEwen
https://www.invaluement.com





Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
Beware that companies use a legal note in their signature as advised by their 
lawyers, and many individuals do the same, to inform the reader about laws that 
apply regardless of where or when you are reading their note.

A mail from Europe is subject to data protection. It does not matter if you 
disagree.

R

On Wed, Feb 21, 2018 at 00:01, Reindl Harald  wrote:

> bullshit
>
> any disclaimer at the end of the message you already read is useless to
> start with - and send a message to the public with a disclaimer you can
> only read after the other content you already have read is nothing but
> idiotic as well as using accounts which add such disclaimers for mailing
> lists period
>
> Am 20.02.2018 um 22:37 schrieb Rupert Gallagher:
>> The matter is controversial. Lists have own defaults, who often abuse
>> their original aim of mere forwarding, especially when they redistribute
>> from a long-term archive. On the other hand, people have own default
>> banners for all outgoing correspondence, some with explicit reference to
>> the applicable law and company policy. Sparks happen when they meet. A
>> list's standpoint may be: if you do not want to be archived, then do not
>> post. A person's standpoint may be that a mailing list standing as
>> official publication is ludicrous, while individuals have a well
>> established human right to freedom of speech. There are so many twists
>> here that only a seasoned lawyer may have tell right from wrong.
>>
>> On Tue, Feb 20, 2018 at 14:55, Reindl Harald wrote:
>>> Am 20.02.2018 um 14:02 schrieb Rupert Gallagher:
>>>> Do you have the legal right to do so?
>>>
>>> does the fool with the disclaimer have any legal right to define
>>> whatever terms when sending to a public mailing-list?
>>>
>>>> On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
>>>>> On 2018-02-19 (09:57 MST), Paul Stead wrote:
>>>>>> ...
>>>>> I reject your terms

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Charles Sprickman

> On Feb 21, 2018, at 1:38 AM, @lbutlr  wrote:
> 
> On 2018-02-20 (22:10 MST), Reindl Harald  wrote:
>> 
>> you may hit confirmation-urls (both ham and spam), trigger actions, trigger 
>> *one-time* urls which are invalid for the user after a dumb bot used them 
>> not talking about that it would be illegal in many countries in case of 
>> private ham-mails
> 
> As I suspected, it is possible to get the goo.gl target URL without loading 
> the site, though using curl is probably not realistic in this specific case.
> 
> $ curl -s "http://goo.gl/ylUAd" | grep -o "http[^\"]*"
> http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135
>  
> 

You can also see all the analytics by appending ".info" to the URL, e.g.: 
http://goo.gl/ylUAd.info

Charles

> 
> $ curl -s "http://bit.ly/savecastle" | grep -o "http[^\"]*"
> http://community.livejournal.com/castle_tv/28872.html
> 
> Doesn't work with t.co, but that is not surprising since twitter uses that 
> specifically to hide URLs, considering them all their property that must go 
> through their servers.
> 
> -- 
> Mos Eisley spaceport. You will never find a more wretched hive of scum
> and villainy. We must be cautious.
> 



Re: Blacklist for reply-to?

2018-02-20 Thread Daniele Duca

On 18/02/2018 21:06, Kenneth Porter wrote:


Is there a blacklist for domains in the reply-to header?

I've noticed a lot of spam with no URL and mutating From but the 
reply-to domain is always aliyun dot com. I want to add a site-wide 
blacklist for that.
If you are willing to write a little SA plugin and possibly maintain your 
own dnsbl you can use something like this:


use Email::Address;
use Domain::PublicSuffix;
use Data::Validate::Domain qw(is_domain);

sub check_email_headers {
  my ($self, $msg) = @_;
  my %headers;
  # SA's ':addr' suffix returns the bare address without the display name
  if (defined($msg->get('Reply-To:addr'))) {
    $headers{"Reply-To"} = $msg->get('Reply-To:addr');
  }
  my $parser = Domain::PublicSuffix->new();
  foreach my $header (keys %headers) {
    my @addresses = Email::Address->parse($headers{$header});
    for my $address (@addresses) {
      if (is_domain($address->host)) {
        # registrable domain, e.g. example.co.uk for mail.example.co.uk
        my $domain = $parser->get_root_domain($address->host);
        # you can now look $domain up on your own dnsbl, Spamhaus DBL etc..
      }
    }
  }
  return 0;
}

I personally also check the domain in the body From, useful for example 
to catch legit abused accounts that have the return-path set as the 
abused account but the body From set differently.


Also, the "image editing" spam is almost all caught by the MSBL 
(https://msbl.org/) , take a look at that bl and their plugin for more 
inspiration


Daniele Duca
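The same check as a stand-alone script, added here as an example and not Daniele Duca's plugin nor SpamAssassin code: it pulls the registrable domain out of Reply-To and From (the two headers the post says it checks), builds the `<domain>.<zone>` query name a domain blocklist such as Spamhaus DBL expects, and runs that over a constructed message shaped like the spam Kenneth Porter described (rotating From, no URL, fixed Reply-To domain). The public-suffix table, the blocklist zone name and the listed-domain set are small constructed stand-ins for Domain::PublicSuffix and a real DNS lookup.

```python
# Added example, not Daniele Duca's plugin and not SpamAssassin code: the same
# Reply-To/From domain check in Python over a constructed message. The suffix
# table and the blocklist below are small constructed stand-ins for
# Domain::PublicSuffix and a real DNSBL zone.
import email
import re
from email.utils import getaddresses

# Constructed subset of the public suffix list; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "com.cn"}

# Placeholder zone name and a local listing set standing in for a DNS lookup
# against a domain blocklist (Spamhaus DBL or your own). Not a real zone.
BLOCKLIST_ZONE = "dbl.blocklist.example"
LISTED_DOMAINS = {"aliyun.com"}   # the Reply-To domain Kenneth Porter reported

# Syntactic hostname check, the role is_domain() plays in the Perl version.
VALID_HOST = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def registrable_domain(host):
    """Registrable domain of `host` (example.co.uk for mail.example.co.uk),
    or None for a bare public suffix or a TLD not in the table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def header_domains(msg, header):
    """Registrable domains of every syntactically valid address in `header`."""
    domains = []
    for _display, addr in getaddresses(msg.get_all(header, [])):
        if "@" not in addr:
            continue
        host = addr.rsplit("@", 1)[1]
        if VALID_HOST.match(host):
            domain = registrable_domain(host)
            if domain:
                domains.append(domain)
    return domains


def blocklist_query_name(domain):
    """Query name for a domain blocklist: <domain>.<zone>."""
    return f"{domain}.{BLOCKLIST_ZONE}"


def is_listed(domain):
    """Stand-in for resolving blocklist_query_name(domain); a real plugin
    issues the DNS query and treats an A answer as a listing."""
    return domain in LISTED_DOMAINS


def check_message(raw):
    """Return (header, domain, query_name) for each listed header domain."""
    msg = email.message_from_string(raw)
    hits = []
    for header in ("Reply-To", "From"):
        for domain in header_domains(msg, header):
            if is_listed(domain):
                hits.append((header, domain, blocklist_query_name(domain)))
    return hits


# Constructed sample in the shape described in the thread: rotating From,
# no URL in the body, fixed Reply-To domain.
SAMPLE = """\
From: "Photo Team" <editor-3871@mutating-sender.example>
Reply-To: ops@mail.aliyun.com
Subject: image editing services
Content-Type: text/plain

We retouch product photos. Reply to this mail for a quote.
"""

if __name__ == "__main__":
    for hit in check_message(SAMPLE):
        print("listed:", hit)
```

Swapping `is_listed` for a real resolver call (and the suffix table for the full public suffix list) is all that separates this from a deployable check; keeping the registrable-domain step is what makes `ops@mail.aliyun.com` and `sales@aliyun.com` land on the same blocklist query.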


Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
Do you have the legal right to do so?

On Tue, Feb 20, 2018 at 00:23, @lbutlr  wrote:

> On 2018-02-19 (09:57 MST), Paul Stead wrote:
>> ...
>
> I reject your terms.

Save the date: ApacheCon North America, September 24-27 in Montréal

2018-02-20 Thread Rich Bowen

Dear Apache Enthusiast,

(You’re receiving this message because you’re subscribed to a user@ or 
dev@ list of one or more Apache Software Foundation projects.)


We’re pleased to announce the upcoming ApacheCon [1] in Montréal, 
September 24-27. This event is all about you — the Apache project community.


We’ll have four tracks of technical content this time, as well as lots 
of opportunities to connect with your project community, hack on the 
code, and learn about other related (and unrelated!) projects across the 
foundation.


The Call For Papers (CFP) [2] and registration are now open. Register 
early to take advantage of the early bird prices and secure your place 
at the event hotel.


Important dates
March 30: CFP closes
April 20: CFP notifications sent
August 24: Hotel room block closes (please do not wait until the last 
minute)


Follow @ApacheCon on Twitter to be the first to hear announcements about 
keynotes, the schedule, evening events, and everything you can expect to 
see at the event.


See you in Montréal!

Sincerely, Rich Bowen, V.P. Events,
on behalf of the entire ApacheCon team

[1] http://www.apachecon.com/acna18
[2] https://cfp.apachecon.com/conference.html?apachecon-north-america-2018


The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

RE: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

WARNING FOR ESPs AND MARKETERS: Google's "goo.gl" shortener is OUT OF 
CONTROL.


Spammers are starting to use this to evade spam filters, and Google 
isn't keeping up with the abuse, nor shutting these down fast enough. 
Along with blackhat spammers, we're seeing evidence that many 
gray-ish-hat spammers are jumping on this bandwagon, in the hopes that 
they will get more mail delivered if they can avoid using their domain 
in the clickable links. Keep in mind that, if a marketer is doing things 
the right way, they should have no need to obfuscate their own domain 
name. They should instead proudly use it and not feel the need to hide 
behind Google's shortener. Yes, there are many legitimate uses of 
Google's shortener, too. However, we are now at a point where a VERY 
large % (a majority?) of uses of these headed to a typical user's 
mailbox are egregious spams, and a significant additional portion are 
likely-spams. THEREFORE: If you like having NOT-blacklisted IPs, be 
advised that the invaluement anti-spam DNSBL system is now adding "bad" 
points to the scoring of all messages that use the "goo.gl" shortener, 
and we're amplifying other "bad" points. (We're also doing various 
sophisticated things to minimize potential resulting FPs, too. But this 
will still put MANY marginal IPs and domains into our blacklists that 
normally might have barely avoided an invaluement blacklisting!)


YOU HAVE BEEN WARNED! DON'T ALLOW YOUR CLIENTS TO DO THIS!

ALSO: We're very seriously evaluating the option of converting each 
shortener to the URL it redirects to - and then potentially starting to 
add those domains or IPs within those URLs to our ivmURI domain/URI 
blacklist. This might not cause other such messages to get blocked, but 
it will have other negative repercussions for other uses of that domain.


--
Rob McEwen
https://www.invaluement.com
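What "converting each shortener to the URL it redirects to" looks like in code, as an added example that is not invaluement's own system (SpamAssassin's DecodeShortURLs plugin does the same job on the filter side): follow the redirect chain only while the host is a known shortener, bound the number of hops, detect loops, and hand the final hostname to the URI blocklist instead of the shortener's. The HTTP fetch is injected and FAKE_REDIRECTS is a constructed redirect table, so the block runs offline.

```python
"""Expand a shortened link to the host it finally redirects to.

Added example, not invaluement's code.  SHORTENERS, FAKE_REDIRECTS and
fake_fetch are constructed stand-ins so the block runs offline."""
from typing import Callable, Optional, Set
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"goo.gl"}   # only hosts in this set are ever expanded
MAX_HOPS = 5              # hard bound on the length of a redirect chain

# fetch(url) -> Location header of a 3xx answer, or None when the URL
# does not redirect or the request fails.
Fetcher = Callable[[str], Optional[str]]


def expand_short_url(url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> Optional[str]:
    """Follow shortener redirects until a non-shortener URL is reached.
    Returns None on a dead link, a redirect loop, or a chain longer than
    max_hops; a URL that is not a shortener is returned unchanged."""
    seen: Set[str] = set()
    current = url
    for _ in range(max_hops):
        host = (urlsplit(current).hostname or "").lower()
        if host not in SHORTENERS:
            return current          # left shortener space: this is the destination
        if current in seen:
            return None             # redirect loop
        seen.add(current)
        location = fetch(current)
        if location is None:
            return None             # no redirect: expired or unknown short link
        current = urljoin(current, location)   # Location may be relative
    return None                     # chain too long


def destination_host(url: str, fetch: Fetcher) -> Optional[str]:
    """Hostname to feed to the URI blocklist, or None if unresolvable."""
    final = expand_short_url(url, fetch)
    if final is None:
        return None
    return (urlsplit(final).hostname or "").lower() or None


# Constructed redirect table standing in for live HTTP requests.
FAKE_REDIRECTS = {
    "https://goo.gl/abc123": "https://track.example.net/click?id=7",
    "https://goo.gl/loop1": "https://goo.gl/loop2",
    "https://goo.gl/loop2": "https://goo.gl/loop1",
    "https://goo.gl/rel": "/xyz",                          # relative Location
    "https://goo.gl/xyz": "https://www.example.org/landing",
}


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("https://goo.gl/abc123", "https://goo.gl/loop1",
                 "https://goo.gl/rel", "https://goo.gl/dead"):
        print(link, "->", destination_host(link, fake_fetch))
```

A real fetcher would issue a HEAD request without automatic redirect following (for instance requests.head(url, allow_redirects=False) and read the Location header), rate-limited and cached, and run from a host where fetching sender-controlled URLs is acceptable; unknown shorteners are deliberately left unexpanded.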





Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

On 2/20/2018 10:57 AM, Reindl Harald wrote:
and how do you imagine that I prevent paying customers from using whatever 
url-shortener?


Perhaps use the SAME methods that an ESP would use to prevent a customer 
from sending an egregious phish (or terminate their account for sending 
a phish). Of course, I also recognize that an egregious phish is much 
worse. But my point is that such abuse monitoring and prevention is a 
real thing for ESPs! Yes, some ESPs are more sophisticated than others, 
where they do a better job at this than others. For example, I've 
received two egregious phishes to my own email address, from MailGun IP 
space, within the past several months. I alerted them in both instances 
and hopefully they are improving their system? In contrast, I don't 
think I've ever seen such a phish from Exact Target, for example. That 
isn't by accident! Some do a better job of this than others. And even 
though no ESP can be perfect - that doesn't mean they can't improve. And 
we ALL have to constantly shift our tactics to deal with emerging 
realities like this one - or risk getting left behind by our competitors 
who do keep up.


Also, getting ESPs to pass this message on to their clients, even if 
just adding this to their instructions for clients, even if just as a 
"best practices" warning... might also go a long way.


when you start to list too many legit servers because of that, your RBL will 
no longer be usable for responsible admins whose primary job is to 
receive and deliver email and not to reject it 



I'm extremely confident that this won't happen. Most likely, a few 
marginal ESPs and marketers will get blacklisted who were previously 
just barely avoiding detection. Also, we OFTEN get outliers (such as an 
occasional VERY bad spam that came from a normally VERY good sender), 
and "decoys", too! In those cases, if those messages had led to an 
automatic blacklisting, and we didn't FIRST check those domains and IPs 
against our very sophisticated "false positive prevention filter" - then 
what you described - would have happened a long time ago already. But, 
instead, invaluement's reputation for low False Positives speaks for 
itself. Given what I know about how invaluement works "under the hood", 
I can say with confidence that it is practically impossible for this 
change to put a dent in our hard-earned low-FP reputation. But this 
COULD cause problems for some already dark-gray-hat ESPs who let this 
practice run rampant.


--
Rob McEwen
https://www.invaluement.com
 



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

On 2/20/2018 11:45 AM, Rob McEwen wrote:
And we ALL have to constantly shift our tactics to deal with emerging 
realities like this one - or risk getting left behind by our 
competitors who do keep up.



ALSO - Likewise, it was very frustrating that I had to spend hours late 
last night making adjustments to my spam filter to be able to block more 
of these egregious spams that are often so difficult for a spam filter 
to block - particularly since extra careful measures are needed to keep 
such adjustments from blocking legitimate messages. (I've been trying to 
get to that for weeks, as this problem has been festering for some time 
- but I just recently recovered from the flu.)


So nobody should cry on my shoulder about the difficulty of ESPs doing 
such abuse monitoring/prevention. Any such person doing so is likely 
underestimating the current size and frustration that spam filtering 
admins are having with this problem!


--
Rob McEwen
https://www.invaluement.com
 



Junk mixed in with ham on whitelists

2018-02-20 Thread David Jones
Over the years I have noticed junk/spam email coming from these servers 
so I created this rule:


header  ENA_RCVD_NOTRUST    Received =~ /\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|emailsrvr\.com|registeredsite\.com) \[/


Many of these servers are listed on whitelists.  My solution is to meta 
those whitelists to add back the points they subtract and then 
selectively whitelist_auth safe/good sending domains coming from these 
servers.


I would be interested to hear how others handle this situation where 
good and bad email egress from the same set of servers.


I am not sure how these servers get listed on whitelists but all I can 
do is report some of them to SpamCop and try to get them off. 
HOSTKARMA_WL is usually very accurate but they list some of the servers 
above.


--
David Jones


Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen

On 2/20/2018 12:21 PM, Reindl Harald wrote:

we have well working outbound spamfilters


Excellent!

but just because someone has a google-shortener within a mail says 
*nothing at all* - frankly I even got a mail a week ago from my boss 
where the google-shortener was used for an only internally reachable 
server with a long list of params in the url 
and hence the google-shortener doesn't say anything 



This is a very abused loophole that says MUCH in certain contexts. And 
I've carefully constructed this change at invaluement to be extremely 
unlikely to impact those who are using "goo .gl" for legitimate purposes 
and are not using it to cloak their domain in messages that are UBE or 
otherwise not desired by the recipients. But, in contrast, marketers 
and/or ESPs who start doing this routinely, as a purposeful regular 
practice, and who don't have some kind of real and specific purpose such 
as what you described, are essentially giving DNSBLs and spam 
filters "the middle finger". So I'm giving it back. ANYTHING that 
facilitates anonymizing identity is VERY BAD for email. Facilitating 
anonymizing identity causes more spam to be delivered and punishes good 
senders when bad senders get away with that. Methods that facilitate 
anonymizing identity for email are not something that anyone should 
defend or celebrate - even if anonymizing identity wasn't the original 
intended purpose. I understand your very legitimate concern that this 
crackdown might lead to collateral damage. That is admirable. But 
acceptance of a new and pervasive situation in email that anonymizes 
identity is a HUGE step backwards... like going back to the mid 2000s, 
or something. So some "push back" measures are exceedingly warranted.


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
The matter is controversial. Lists have their own defaults, which often abuse their 
original aim of mere forwarding, especially when they redistribute from a 
long-term archive.  On the other hand, people have their own default banners for all 
outgoing correspondence, some with explicit reference to the applicable law and 
company policy. Sparks happen when they meet. A list's standpoint may be: if 
you do not want to be archived, then do not post. A person's standpoint may be 
that a mailing list standing as official publication is ludicrous, while 
individuals have a well established human right to freedom of speech. There are 
so many twists here that only a seasoned lawyer may be able to tell right from wrong.

Sent from ProtonMail Mobile

On Tue, Feb 20, 2018 at 14:55, Reindl Harald  wrote:

> On 20.02.2018 at 14:02, Rupert Gallagher wrote:
> > Do you have the legal right to do so?
> does the fool with the disclaimer have any legal right to define
> whatever terms when sending to a public mailing-list?
> > On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
> > > On 2018-02-19 (09:57 MST), Paul Stead wrote:
> > > > ...
> > > I reject your terms

Re: Junk mixed in with ham on whitelists

2018-02-20 Thread David Jones

On 02/20/2018 12:57 PM, Kevin A. McGrail wrote:

On 2/20/2018 1:53 PM, David Jones wrote:
Over the years I have noticed junk/spam email coming from these 
servers so I created this rule:


header  ENA_RCVD_NOTRUST    Received =~ /\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|emailsrvr\.com|registeredsite\.com) \[/


Well just spot checking, you've identified some of the largest ISPs on 
the planet.  Secure Server is Wild West/Godaddy WebsiteWelcome is 
HostGator, etc.




I knew they were major ISPs but spam still comes out of their servers at 
a higher rate than the occasional compromised account or bad customer of 
a good ESP (Exact Target, Mail Chimp, EMMA, etc).


I don't think they are going to be indicative of spam or ham and I would 
individually blacklist domains and contact their abuse.




I was doing that but always behind the whack-a-mole game.  I wanted to 
do the opposite and set a level playing field from a whitelist 
perspective for those servers by offsetting the whitelist negative 
scores to get them back to around zero and let Bayes plus other 
content-based rules determine the allow or block.


It doesn't seem like a good idea for whitelists to list these senders 
just because most of the email is ham.  If a small percentage is spam, 
then how do we report that back to Hostkarma and dnswl.org?  I can 
report it to SpamCop but that doesn't make its way to the other whitelists.


--
David Jones


Re: Blacklist for reply-to?

2018-02-20 Thread Kevin A. McGrail

On 2/19/2018 7:15 PM, John Hardin wrote:


Kevin, can that be set to advisory rather than completely killed? 


Agreed.  I'll comment out the setting of the score to zero in 
nonKAMrules.cf.