Re: replay RBL queries one hour later

2023-02-26 Thread Rob McEwen
/updated. But whatever the cause, this is STILL a reality that's worth noting, for anyone who is rescanning messages later. Rob McEwen, invaluement -- Original Message -- From "Benny Pedersen" To users@spamassassin.apache.org Date 2/26/2023 1:37:53 PM Subject Re: replay R

Re: replay RBL queries one hour later

2023-02-26 Thread Rob McEwen
positives. But doing this "one hour later" shouldn't have this problem. Rob McEwen, invaluement

Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
e message was originally sent - is what's now causing this chain reaction. It's highly doubtful that this rule would have hit at the time the message was received. --Rob McEwen, invaluement -- Original Message -- From "Rob McEwen" To users@spamassassin.apache.org Date

Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
send a MASSIVE amount of legit and transactional emails, including from this actual same IP. For example, in the past 24 hours, my small-ish mail hosting system has 6 legit not-spam PayPal notifications sent from this SAME ip address - all 6 of those were legit. Rob McEwen, invaluement -- Origin

Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
as a fraud. (PayPal should have done better customer vetting on the front end!) Rob McEwen, invaluement -- Original Message -- From "hg user" To "Rob McEwen" Cc users@spamassassin.apache.org Date 2/21/2023 3:10:35 PM Subject Re: May I get to 0 phishing? I think th

Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
an be made for minimizing the number of phish that get into the inbox. It's a constant battle! Rob McEwen, invaluement -- Original Message -- From "Bill Cole" To users@spamassassin.apache.org Date 2/21/2023 2:11:02 PM Subject Re: May I get to 0 phishing? On 2023-02-21 at 13:51:

Re[2]: URIDNSBL full message checking

2023-02-06 Thread Rob McEwen
t a forged domain. I hope this helps! Rob McEwen, invaluement

Re: Seeking dhl.com ham samples

2022-08-03 Thread Rob McEwen
since stopped using that particular domain name? --Rob McEwen On 8/2/2022 10:50 AM, Bill Cole wrote: Bug 8021 reports breakage in SPF checking for dhl.com mail, due to an inability to resolve the  SPF TXT record for dhl.com. That breakage is essentially due to DHL having far too many TXT records

rules for a sneaky SPEAR-VIRUS spam that gets past bayes

2022-03-03 Thread Rob McEwen
ion of this, if desired - along with any suggested improvements) -- Rob McEwen, invaluement

Re: Do these domains merit blocking?

2021-12-15 Thread Rob McEwen
luement's URI/domain bl sometime this week, when I get some more time. (I'm in the middle of some intense upgrades, so I barely had time to type this message.) -- Rob McEwen, invaluement

Re: OT: is sorbs.net sleeping ?

2021-04-10 Thread Rob McEwen
with an extremely close geolocation. Queries then tend to get answered in a very low number of milliseconds - often <10ms. -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: OT: is sorbs.net sleeping ?

2021-04-09 Thread Rob McEwen
that overly judging a DNSBL based on /*particular*/ false negatives can be overly harsh and might miss the good things that a DNSBL has to offer) -- Rob McEwen, invaluement +1 (478) 475-9032

Re: Bypass RBL checks for specific address

2020-12-22 Thread Rob McEwen
ection. If someone comes along and corrects my possible mistakes, or provides BETTER info - that is excellent - in the meantime, hopefully this will point you in the right direction, or give you some ideas. -- Rob McEwen, invaluement

Re: Mailchimp support for spamassassin-esp

2020-12-01 Thread Rob McEwen
ce and understanding. -- Rob McEwen https://www.invaluement.com

Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-20 Thread Rob McEwen
that are blocked by spam filters and/or listed on anti-spam lists - were already CAN-SPAM compliant. Being *legal* is a very low bar for email, especially in the U.S. -- Rob McEwen, invaluement

Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-20 Thread Rob McEwen
is justified by THEIR "greater good". Thankfully, it isn't my job to determine who is justified and, instead, I believe that NONE of them are justified in sending spam - spam is about *consent* - NOT *content*. -- Rob McEwen, invaluement

Re: Crap getting through

2020-11-08 Thread Rob McEwen
ns without having the raw underlying text of the message (w/headers). But please try to avoid pasting that directly to this list. Thanks! Rob McEwen On 11/8/2020 5:00 PM, Daryl Rose wrote: I'm getting obvious phishing attempts. This one was made to look like it was from Wells Fargo with an obvio

Re: Invaluement sendgrid list

2020-10-13 Thread Rob McEwen
for the feedback - and feel free to continue this conversation off-list since the SA list isn't supposed to be the invaluement support list. (or, email me at any time about such things - r...@invaluement.com) - Thanks! Rob McEwen, invaluement.com On 10/13/2020 12:56 PM, micah anderson wrote: Hi all

Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

2020-09-18 Thread Rob McEwen
being first received - to that data getting into the list - has improved from about 1/2 a minute, to just a few seconds! -- Rob McEwen invaluement.com

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen
On 8/25/2020 11:04 PM, John Hardin wrote: I just wrote something similar to generate a rule, in case for some reason you don't want to use a plugin. Let me know if there's any interest in it. yes - please share! -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen
t of files for Postfix that are pre-formatted this way already? Thanks! Rob McEwen, invaluement.com On 8/25/2020 2:26 PM, John Capo wrote: On 2020-08-25 11:42, Matus UHLAR - fantomas wrote: well, do we have anything available now to block at SMTP level? - postfix policy server? - milter? so

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen
But ClamAv rules may still be a good way to get this implemented for many. Someone else mentioned one that was completely off of our radar - but we're about to double the coverage of these in terms of mailboxes and traps used for this purpose - so that will help further minimize our "blind s

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen
On 8/25/2020 1:20 PM, Rob McEwen wrote: but I can do everything, at least not all at once *can't do -- Rob McEwen https://www.invaluement.com

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen
able usage of this will be left behind. PRO TIP: Instead of complaining about this problem on this thread - why not go to the discussion list or forum of your preferred MTA - and ask them to implement it? -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Rob McEwen
-a-mole game. Don't get me wrong - Pyzor and other such checksum content filters - are wonderful and have their place - but thinking that they remove the need for this Sendgrid list - is absolutely not even close to true. -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-21 Thread Rob McEwen
ing targeted - first with the absolute worst - and then progressing to other offenders as we make adjustments in the coming weeks. -- Rob McEwen https://www.invaluement.com

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

2019-11-06 Thread Rob McEwen
fwiw - this has been blacklisted at invaluement for days. --Rob McEwen, invaluement.com On 11/6/2019 2:33 PM, Mark London wrote: Hi - We got several hours of spam from the IP address 103.136.41.36 in India.    When I did a Multi-RBL check, the ip address was in the following databases

announcement about invaluement (or more like a tease?)

2019-08-25 Thread Rob McEwen
announcement about invaluement (or more like a tease?) https://www.linkedin.com/feed/update/urn:li:activity:6571558988201148416/ -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

HostKarma status (was Re: How to block mails from unknown ip addresses?)

2019-08-24 Thread Rob McEwen
for the long term. -- Rob McEwen https://www.invaluement.com

Re: Freshclam Safebrowsing enabled for SA

2019-04-23 Thread Rob McEwen
will be aware and know what to look for when testing this. -- Rob McEwen

Re: How to deel with time limit exceeded

2018-11-05 Thread Rob McEwen
Another thing that helps - is to lighten the load on your SA by putting high quality low-FP DNSBLs in front of SA, that are first called by your MTA, where spams blocked by those aren't even scanned by SA. --Rob McEwen On 11/5/2018 2:48 PM, Andreas Thienemann wrote: Hi, I've got

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-03 Thread Rob McEwen
D || __SYMPATICO_MSGID) I really don't think I've done anything unusual with my setup of Thunderbird. Does anyone have other suggestions? Is there anything I can do with my Thunderbird settings to mitigate this? Thanks! -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
Bill, Even though this part wasn't the main purpose of the thread, that is still very helpful information. I will pass that along to my client so that they can hopefully fix their configuration problem with regards to their usage of URIBL. Thanks! Rob McEwen Sent from my Verizon Motorola

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
bird "sent" folder: References: <55521fa7.8080...@invaluement.com> <7c8ad385-8b3d-74d9-7d34-ca2ca9236...@invaluement.com> <1b8ad5ec-18b7-90db-5cad-d86ffa5aa...@invaluement.com> Message-ID: <39397904-9830-5010-a3d2-a62af8326...@invaluement.co

FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
my message that was blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that only scored 0.001, so that was innocuous. I suspect that that rule is malfunctioning on their end, and then they changed the score to .001 - so just please ignore that for the purpose of this discuss

Re: using URIBL on other headers

2018-09-23 Thread Rob McEwen
promises that lead to more false negatives. ivmSED has just recently entered beta testing. (SED = "Sender's Envelope Domain"). -- Rob McEwen https://www.invaluement.com

Re: DNS and RBL problems

2018-09-14 Thread Rob McEwen
is causing your problem? -- Rob McEwen https://www.invaluement.com

Re: CVE-2018-12558: DOS in perl module Email::Address

2018-06-20 Thread Rob McEwen
On 6/20/2018 1:30 PM, Bill Cole wrote: http://www.openwall.com/lists/oss-security/2018/06/19/3 SpamAssassin does not use Email::Address. Thanks, Bill, for clarifying that. I've been concerned about this for hours - but too busy today to research it myself. -- Rob McEwen

Re: OT: Congratulations Dianne

2018-04-03 Thread Rob McEwen
On 4/3/2018 1:18 PM, Axb wrote: AppRiver Acquires Roaring Penguin https://globenewswire.com/news-release/2018/03/26/1453063/0/en/AppRiver-Acquires-Roaring-Penguin.html Excellent! Dianne, I hope you benefited greatly in this acquisition! -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-04-03 Thread Rob McEwen
break if the spammer just mixes up the capitalization of the shortner URL up until the code at the end of the shortner. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-04-01 Thread Rob McEwen
that was just "one straw that broke the camel's back"? Either way, I'm happy that this seems to be getting fixed, or they are at least headed in the right direction. -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Rob McEwen
score high on ClamAv, that MIGHT present a problem. On the other hand, maybe Sanesecurity is just being overly cautious (or considering more theoretical FNs?), and such actual FPs in real world mail flow are actually extremely rare? Any Thoughts? Anyone know? -- Rob McEwen https://www.invaluement.com

sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Rob McEwen
this in another non-SA part of my anti-spam system, but the rule might help others here. There are also other attributes that could become an SA rule that would cause a hit even if the Thread-Index changed, but that will require a little bit more effort. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-15 Thread Rob McEwen
this should help me (and others) much... and it is good to know that there is a proper way to do this at a higher volume that meets Google's approval. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-14 Thread Rob McEwen
On 2/20/2018 9:42 PM, Rob McEwen wrote: Google might easily start putting captchas in the way or otherwise consider such lookups to be abusive and/or mistake them for malicious bots... This prediction turned out to be 100% true. Even though others have mentioned that they have been able

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-10 Thread Rob McEwen
redirectors (shorteners), not each http->https shortener and only evaluates redirection between them, ignoring http->https redirects On 10.03.18 11:32, Rob McEwen wrote: But also keep in mind that it is NOT rare for the initial shortner found in a spam... to redirect to a spammer's page (that

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-10 Thread Rob McEwen
f them against URI/domain blacklists. (within reason... after too many redirects, it is better to just stop and add points to the spam score) -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-10 Thread Rob McEwen
version. Therefore, if the code for this plugin (and others using this tactic) doesn't do this already... it should probably not count THAT particular redirect as a spam indicator, when counting the total number of redirects. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-27 Thread Rob McEwen
against blacklists. OFTEN - every single domain in that chain (past the initial URL shortner) is a compromised web site or spammer's website, not just the final destination web site. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread Rob McEwen
missed it? If I'm not confusing things, someone answered things earlier in this thread, as follows: On 2/21/2018 11:27 AM, Alex wrote: This is what DecodeShortURLs is for https://github.com/smfreegard/DecodeShortURLs -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread Rob McEwen
by mail systems of a process where, in real time spam filtering, they check to see where URL shortners lead to, and then factor that destination into the spam filtering. -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: Expanding shortened URLs (was Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response))

2018-02-21 Thread Rob McEwen
ing IP, such as blocking all Zen-listed spams before DATA while another system might capture ALL messages and process them all. The latter is what my system does. That also might explain the difference in stats? -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread Rob McEwen
- doesn't alter my original point. The vast majority of anti-spam systems in the real world (1) don't (2) and won't any time soon. That is what I claimed. Please stop nitpicking and please stop arguing with a "straw man". -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: Expanding shortened URLs (was Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response))

2018-02-21 Thread Rob McEwen
server getting blocked or captcha'd. -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread Rob McEwen
and software overnight... that could even take years, It's been part of our practice for about a year now. Excellent! I wish others would be as innovative and on top of things as you are! Unfortunately, your statement doesn't alter my point you were replying to, even one tiny bit. -- Rob McEwen

Re: Expanding shortened URLs (was Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response))

2018-02-21 Thread Rob McEwen
and automated lookups. That is a HUGE difference. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
ble future. So please don't think for a second that this somehow makes the plans I had described as unnecessary. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
e. I've addressed that numerous times and in numerous ways, in numerous posts. This is getting tiresome. -- Rob McEwen https://www.invaluement.com

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
On 2/20/2018 6:05 PM, @lbutlr wrote: On 2018-02-20 (08:30 MST), Rob McEwen <r...@invaluement.com> wrote: Spammers are starting to use this to evade spam filters, This is not news. Spammers have been using shortness since 3 seconds after tinyurl.com launched. My "this" wa

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
crackdown might lead to collateral damage. That is admirable. But acceptance of a new and pervasive situation in email that anonymizes identity is a HUGE step backwards... like going back to the mid 2000s, or something. So some "push back" measures are exceedingly warranted. -- Rob McEwen

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
On 2/20/2018 11:45 AM, Rob McEwen wrote: And we ALL have to constantly shift our tactics to deal with emerging realities like this one - or risk getting left behind by our competitors who do keep up. ALSO - Likewise, it was very frustrating that I had to spend hours late last night making

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
arned low-FP reputation. But this COULD cause problems for some already dark-gray-hat ESPs who let this practice run rampant. -- Rob McEwen https://www.invaluement.com

The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Rob McEwen
domain/URI blacklist. This might not cause other such messages to get blocked, but it will have other negative repercussions for other uses of that domain. -- Rob McEwen https://www.invaluement.com

Re: Blacklist for reply-to?

2018-02-18 Thread Rob McEwen
with this. Also, it is very high quality and well-run! It should at least make a noticeable improvement, even if it doesn't catch all of them.) -- Rob McEwen https://www.invaluement.com

Re: smtp.centurylink.net 206.152.134.66

2018-02-11 Thread Rob McEwen
f the more malicious links arrive at a page that tries to install a virus), add ".info" to the end of the google shortner URL and you can then see more info about the shortner, including its intended destination. For example, for this one: https://goo.gl/s7XxhD.info

potential new SA feature: Direct DNS Querying Per DNSBL Zone

2017-11-15 Thread Rob McEwen
ivate message off-list if that interests you! (I would do this myself, but Perl "looks like Greek" to me!) https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7477 -- Rob McEwen https://www.invaluement.com

Re: Weird new malware

2017-11-08 Thread Rob McEwen
This seems to be catching most of them: Subject: Invoice [A-Z]{2,3}\d{7}\b ...but it might need to be combined with other things to ensure no false positives, since there would be a rare legit message that would hit on this? --Rob McEwen On 11/8/2017 10:45 AM, Dianne Skoll wrote: Hi, Heads

Re: Blocking senders that are whitelisted

2017-10-04 Thread Rob McEwen
a purchased list or something bad like that. Rob McEwen invaluement.com On 10/4/2017 11:23 AM, Alex wrote: Hi, we have a user complaining about receiving email from a solar panel company and want us to block it. The problem is that it originates from mailchimp, which is whitelisted. It's my belief

Re: ramsonware URI list

2017-07-15 Thread Rob McEwen
focus on the stuff that isn't found on any (or very many) of the 4 major URI lists I mentioned, so as to keep the data small and focused, for maximum processing efficiency. -- Rob McEwen http://www.invaluement.com

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Rob McEwen
it back in. So I'm grateful every time I see a thread like this that pushes back against that, and encourages others to run industry standard non-forwarding caching DNS servers. THANKS! -- Rob McEwen http://www.invaluement.com

Razor FP on simple http link (by itself)

2017-05-05 Thread Rob McEwen
"extra curricular activity"? or did I misunderstand RAZOR's checksum technique? -- Rob McEwen

Re: Outgoing email without DMARC

2017-05-02 Thread Rob McEwen
(not just volume-wise - but percentage-wise... I'd be run out of town if I did that) -- Rob McEwen

Re: Fastest listing RBL ?

2017-02-15 Thread Rob McEwen
for you to probably feel comfortable outright blocking (or scoring at/above threshold). You might find ~3-5 such lists, including zen.spamhaus.org in that elite group. -- Rob McEwen

Re: The nice thing about standards (was Re: Legit Yahoo mail servers list)

2017-01-31 Thread Rob McEwen
n/requirements that may be a little different than your particular situation/requirements. -- Rob McEwen

Re: Legit Yahoo mail servers list

2017-01-30 Thread Rob McEwen
On 1/30/2017 8:54 AM, Matus UHLAR - fantomas wrote: they do and it has been mentioned: https://help.yahoo.com/kb/SLN23997.html I wasn't aware of this page. If it was mentioned before in this thread, I missed it. Thanks! -- Rob McEwen

Re: Legit Yahoo mail servers list

2017-01-29 Thread Rob McEwen
d EFFICIENTLY update/prune that part of my whitelist. And I strongly suspect that iterating though the millions of IPs to check FCrDNS would take a very, very long time - and might get such probing IPs blacklisted for abuse/intrusion-protection? -- Rob McEwen

Re: Legit Yahoo mail servers list

2017-01-27 Thread Rob McEwen
s very odd... -- Rob McEwen

Re: How to create a URIBL

2016-10-19 Thread Rob McEwen
) -- Rob McEwen http://www.invaluement.com +1 (478) 475-9032

Re: How to create a URIBL

2016-10-19 Thread Rob McEwen
by itself" ... but that only applies to sending-IP blacklists, set up with ip4tset and ip4set in rbldnsd. As shown, dnset operates differently for IP addresses found in URIBL blacklists. ---------- This was a trip down memory lane for me. -- Rob McEwen invaluement

Re: How to create a URIBL

2016-10-18 Thread Rob McEwen
l.blogspot.com would ALL return listing, but blogspot.com ...wouldn't. So it also takes some work determining those boundaries. Some of those are simple domains... while others like blogspot.com or wordpress.com, are more "artificial" (but still critically important). -- Rob McEwen invaluement.com

Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-12 Thread Rob McEwen
gh they've never gotten a single "hit" from their mis-configuration, and then they'll have a very bad day when that time comes. But, again, thanks for the mention! Perhaps, next time just say "invaluement". -- Rob McEwen invaluement.com

Re: spamassassin and caching nameservers

2016-08-22 Thread Rob McEwen
. It was designed from the ground up only to serve as a dumbed down locally hosted DNS, only for serving DNSBLs where the data files are found locally. It makes up for the lack of more extensive DNS features with blazing speed and very low memory overhead. -- Rob McEwen

Re: Spoofed Domain

2016-08-09 Thread Rob McEwen
for scoring against .docm files attachments? Perhaps someone else could help you with that. -- Rob McEwen

Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Rob McEwen
to reward blacklists that are more accurate, but without penalizing them for not being a redundant copy of Zen. It isn't as easy as it sounds in a ratings system. (even if real life usage of such by a hoster or ISP can quickly lead to fewer complaints from customers about FP and FNs) -- Rob McEwen

Re: Which DNSBLs do you use?

2016-06-16 Thread Rob McEwen
nt misses. Therefore, as I said, SIP and SIP24 (combined) are intended to be a supplement to Zen, not a replacement of Zen. (just want to make sure this is clear!) -- Rob McEwen http://www.invaluement.com

Re: Spamassassin not capturing obvious Spam

2016-05-30 Thread Rob McEwen
al message, then this particular example was probably a rare malfunctioned spam that will be of no benefit to the spammer, and would then probably not be worth investigating since the spammer then has no incentive to keep sending these types. -- Rob McEwen

Re: A Plan to Stop Violence on Social Media

2015-12-15 Thread Rob McEwen
uld easily be abused in the future for nefarious purposes, such as suppressing criticism of the current party in power, etc. This could be a "slippery slope". -- Rob McEwen +1 478-475-9032

Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains

2015-10-20 Thread Rob McEwen
about a few extra FPs) -- Rob McEwen +1 478-475-9032

Re: Return Path (TM) whitelists

2015-07-10 Thread Rob McEwen
whitelisted either. That is a big difference... therefore, most of the time that a virus-sent spam is sent from an IP in DNSWL, it is from an IP that is marked by DNSWL as a mixed source. -- Rob McEwen http://www.invaluement.com/ +1 478-475-9032

Re: Uptick in spam

2015-03-30 Thread Rob McEwen
damage, not the DNSBL. I hope this provides some clarity. -- Rob McEwen +1 478-475-9032

Re: Uptick in spam

2015-03-30 Thread Rob McEwen
know (off-list) and I'll research it. I can then make adjustments accordingly. I'm very responsive to customer feedback. Thanks! -- Rob McEwen +1 478-475-9032

Re: Uptick in spam

2015-03-27 Thread Rob McEwen
that... thanks, David, (and others) for your mentioning about your success with ivmSIP and ivmSIP/24, where they are helping you block much of the spam that slips past Spamhaus, etc. -- Rob McEwen

Re: Ready to throw in the towel on email providing...

2014-07-28 Thread Rob McEwen
to be true)... then use this info as a rebuttal the next time you have a client talk about leaving you for gmail. -- Rob McEwen +1 (478) 475-9032

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Rob McEwen
extremely low-FP URI blacklists. -- Rob McEwen +1 (478) 475-9032

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Rob McEwen
with other rules could be very helpful. -- Rob McEwen +1 (478) 475-9032

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Rob McEwen
enough... combined with many sys admins failing to make use of ALL the good and low-FP URI/domain blacklists... where they'd see MUCH better results if they were using ALL of the good URI blacklists! ...but I'm a little biased on this point! :) -- Rob McEwen +1 (478) 475-9032

Re: Who wants to trade data?

2014-02-06 Thread Rob McEwen
On 2/6/2014 6:59 PM, Noel Butler wrote: spams an anti-spam list so sharing/discussing data/intel about spammers on an anti-spam list... is spamming? Really? -- Rob McEwen invaluement.com

what is that number at the beginning of .cf files signify?

2013-11-14 Thread Rob McEwen
convention be followed, even if just for etiquette? -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032

Re: Uptick in false negatives - filter check?

2013-11-08 Thread Rob McEwen
the domains on multirbl.valli.org ...and you'll see in real time what I'm talking about! -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032

Re: KAM pccc URIBL questions

2013-10-07 Thread Rob McEwen
but think that SOME reading this thread haven't even tried/implemented even all the zero-cost options for the (already matured) lists I mentioned (where applicable)? -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
