They are very different tools.
One uses an SMTP RFC repeat clause to understand whether the attacker is using
a real server, slowing burst connections and eventually adding the IP to the
firewall. This is limited to port 25, and it does not work against DDoS
attacks, because pf is not that
On 12 Feb 2019, at 15:04, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I
checked.
A good 'tarpit' tool that IS available for *BSD (originating on OpenBSD)
is 'spamd' which unfortunately shares a name with the daemon aspect of
SA. There's a port
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I checked.
Bummer.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
On Tue, 12 Feb 2019, Rupert Gallagher
On Tue, Feb 12, 2019 at 18:34, RW wrote:
> On Tue, 12 Feb 2019 16:49:27 +
> Rupert Gallagher wrote:
>
> Before the change, the
>> service stated that the IP fell into their spamtrap, whatever that
>> is.
>
> Seriously?
>
>> The fact remains that we have never sent mail to the gremlin,
>
>
Ehhh not available on bsd with pf, or so it was the last time I checked.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> and we have now blocked their IP at the firewall,
>
I like it!
On Tue, Feb 12, 2019 at 18:15, John Hardin wrote:
> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):\/\//
>> tflags __HAS_URI multiple
>> meta TMU ( __HAS_URI > 10 )
>> describe TMU Too
Ah, ok...
On Tue, Feb 12, 2019 at 18:04, RW wrote:
> On Tue, 12 Feb 2019 16:38:47 +
> Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):\/\//
>> tflags __HAS_URI multiple
>> meta TMU ( __HAS_URI > 10 )
>> describe
On Tue, 12 Feb 2019 16:49:27 +
Rupert Gallagher wrote:
Before the change, the
> service stated that the IP fell into their spamtrap, whatever that
> is.
Seriously?
> The fact remains that we have never sent mail to the gremlin,
How can you possibly know that you haven't sent anything to
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
and we have now blocked their IP at the firewall,
A suggestion: it may hurt them more if you TCP tarpit them instead of just
blocking them. That's what I do.
Perhaps a little stale, and overkill for manual punishment, but it
documents the
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Let's see if the mail arrives with the correct escaping this time.
body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
How about:
uri __HAS_URI /^http/i
On Tue, 12 Feb 2019 16:38:47 +
Rupert Gallagher wrote:
> Let's see if the mail arrives with the correct escaping this time.
>
> body __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( __HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0
>
> Those who fill
Note that the "too many uris" thing has nothing to do with the Russian gremlin
who, in the meantime, has disabled the part of the rbl that explains why the IP
was listed. Before the change, the service stated that the IP fell into their
spamtrap, whatever that is. The fact remains that we have
Let's see if the mail arrives with the correct escaping this time.
body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
As rightly noted, the same link is counted twice, for text and html bodies when
they are
On Tue, 12 Feb 2019 09:44:02 +
MAYER Hans wrote:
> “full” statement should be: full __HAS_URI /(http|https):\/\//
This is still a poor rule, "full" is actually the worst type to use.
Both full and rawbody can find a lot more links than are relevant. It's
already been mentioned that
biz/?beiqv
<http://beiqv.biz/?beiqv> beiqv
I learned a lot. Your reply was very helpful.
Kind regards
Hans
From: Rupert Gallagher
Sent: Thursday, February 7, 2019 7:37 PM
To: MAYER Hans ; SA
Subject: Re: RE: New type of SPAM aggression
full __HAS_URI /(http|https):///
tflags __HAS_
On Thu, 7 Feb 2019, Rupert Gallagher wrote:
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
Be aware, if the mail has properly-formed HTML and plain-text alternate
versions, that will double-count every
Rupert Gallagher skrev den 2019-02-07 19:37:
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
mixed http and https, real spam
browsers would not like it
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
On Thu, Feb 7, 2019 at 09:12, MAYER Hans wrote:
>
>
>> … All emails were spam with links. …
>
> We receive such spam mails with a lot of links too.
>
> Is there
> … All emails were spam with links. …
We receive such spam mails with a lot of links too.
Is there a rule which detects a certain amount of links inside an e-mail?
// Hans
--
From: Rupert Gallagher
Sent: Wednesday, February 6, 2019 12:55 PM
To: SA
Subject: New type of SPAM aggression
On Wed, Feb 6, 2019 at 15:42, RW wrote:
> On Wed, 06 Feb 2019 11:55:07 +
> Rupert Gallagher wrote:
>
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them
>> automatically to an administrative address for manual inspection.
Search engines on DNSBLs:
multiRBL.valli.org
www.rbls.org
On Wed, Feb 6, 2019 at 15:19, Tom Hendrikx wrote:
> Hi,
>
> Anyone can start a DNSBL and list IP space of people they don't like, as
> you surely know. As long as no one uses such a DNSBL to block traffic,
> no harm is done.
>
> The
Not the first time I’ve heard of gremlin.ru – found this from a mirror of their
FAQ:
---8<---
A: Surely, you have received a bounce message similar to this:
550 Rejected: 192.168.62.14 is listed at work.drbl.example.net
This is well enough to investigate, who (and ever why) had listed your host.
On Wed, 06 Feb 2019 11:55:07 +
Rupert Gallagher wrote:
> This is to inform about a new type of SPAM aggression.
>
> We received from Russia, for months, and redirected them
> automatically to an administrative address for manual inspection. All
> emails were spam with links. From the
Hi,
Anyone can start a DNSBL and list IP space of people they don't like, as
you surely know. As long as no one uses such a DNSBL to block traffic,
no harm is done.
The interesting part is which "engines" (I guess that you mean antispam
software or antispam saas providers) think that such a
The spammers at gremlin.ru have just created a homepage, with no information on
how to delist an IP.
Their fake dnsbl is listed as genuine in at least two antispam engines.
On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:
> This is to inform about a new type of SPAM aggression.
>
> We
25 matches