Re: New rule for HTML spam, using comments?

2013-06-13 Thread Benny Pedersen
Amir 'CG' Caspi wrote on 2013-06-14 01:05: Lately, I've been getting hit with a LOT of this type of spam: http://pastebin.com/HD0rNdxU Not all of it is identical in format, but there seems to be one thing in common: they include lots of random garbage inside either CSS or in HTML comments.

Re: Massive spamruns

2013-06-13 Thread Benny Pedersen
Alex wrote on 2013-06-14 00:42: I'm thinking this is sounding like a better option. The IPs change way too quickly for me to be able to keep up with updating a DNSBL. It's funny -- despite all MXs having the same weight, mail03 is really the one that's pounded with these pump-and-dump spams. M

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Alex
types: non-parsing garbage in the CSS header, and an HTML comment at the >> end. >> >> I wonder, can a rule be created that basically looks for incredibly long >> HTML comments (like, multi-KB length comments), and/or looks in the CSS for >> long sequences of garbage?

Re: PayPal spam filter?

2013-06-13 Thread Benny Pedersen
Jason Haar wrote on 2013-06-14 02:38: Yeah but notice "~all" is not "-all". i.e. they are saying that legitimate Paypal email comes from those specific sources - except when it doesn't if it's pass then it's paypal, if it's softfail then we are unsure is what it means I don't understand why "

Re: New rule for HTML spam, using comments?

2013-06-13 Thread John Hardin
incredibly long HTML comments (like, multi-KB length comments), and/or looks in the CSS for long sequences of garbage? http://ruleqa.spamassassin.org/20130613-r1492572-n/STYLE_GIBBERISH/detail -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALah

Re: Massive spamruns

2013-06-13 Thread John Hardin
On Thu, 13 Jun 2013, Alex wrote: There's anecdotal reports that spammers focus on backup MX hosts in the hopes they are less-well-protected. You might also try changing the MX weighting and see if that causes the spam to concentrate on a specific MX host. That might give you a little more positi

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Alex
Hi, >> After looking at it more closely, it's also only hitting bayes20 for >> you. Do the others also score so low? This hits bayes99 on my system. > > The ones that SA doesn't catch, yes, they are typically low. I have some > that are bayes50, some bayes20, some bayes00. Any that are bayes99 a

Re: PayPal spam filter?

2013-06-13 Thread Jason Haar
On 14/06/13 07:08, Neil Schwartzman wrote: > Sure is. Also DMARCed and SPFed too. > > ;; QUESTION SECTION: > ;paypal.com. IN TXT > > ;; ANSWER SECTION: > paypal.com. 7 IN TXT "v=spf1 > include:pp._spf.paypal.com > include:3rdparty._spf.paypa

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Amir 'CG' Caspi
At 8:04 PM -0400 06/13/2013, Alex wrote: After looking at it more closely, it's also only hitting bayes20 for you. Do the others also score so low? This hits bayes99 on my system. The ones that SA doesn't catch, yes, they are typically low. I have some that are bayes50, some bayes20, some bay

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Alex
Hi, On Thu, Jun 13, 2013 at 7:36 PM, Amir 'CG' Caspi wrote: > At 7:25 PM -0400 06/13/2013, Alex wrote: >> >> I think people will start by telling you to block the pw domain > > Sure, but not all of the comment-laden spam is from the pw domain. It comes > in from .net, .com, .us, and a bunch of ot

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Wolfgang Zeikat
In an older episode, on 2013-06-14 01:36, Amir 'CG' Caspi wrote: (I am relatively new to SA's internal workings and don't know how to make such a rule, however.) For basics of writing SA rules, maybe look at http://wiki.apache.org/spamassassin/WritingRules Hope this helps, wolfgang

Re: Massive spamruns

2013-06-13 Thread Alex
Hi, On Wed, Jun 12, 2013 at 3:07 PM, Benny Pedersen wrote: > Ben Johnson wrote on 2013-06-12 18:26: > >> Isn't this the function that Bayes is intended to serve, rather precisely? > > sa-grey plugin might help, spammers change sender address and ips, so let's > track it, works well here, rbl is n

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Amir 'CG' Caspi
At 7:25 PM -0400 06/13/2013, Alex wrote: I think people will start by telling you to block the pw domain Sure, but not all of the comment-laden spam is from the pw domain. It comes in from .net, .com, .us, and a bunch of other places as well. This is just the one example I happened to pick "

Re: New rule for HTML spam, using comments?

2013-06-13 Thread Alex
Hi, > Lately, I've been getting hit with a LOT of this type of spam: > > http://pastebin.com/HD0rNdxU I think people will start by telling you to block the pw domain From: Hoveround More in this thread: http://spamassassin.1065346.n5.nabble.com/pw-Palau-URL-domains-in-spam-td104383.html R

Re: Large # of Spam getting through all of a sudden.

2013-06-13 Thread Alex
Hi, On Wed, Jun 12, 2013 at 12:05 PM, Kris Deugau wrote: > Alex wrote: >> It turned out to be a bit of local config, > > Care to share the specifics? I can't think of any SA configuration that > might trigger this, TBH. I had made some changes then ultimately overwrote it with the original, so

New rule for HTML spam, using comments?

2013-06-13 Thread Amir 'CG' Caspi
Lately, I've been getting hit with a LOT of this type of spam: http://pastebin.com/HD0rNdxU Not all of it is identical in format, but there seems to be one thing in common: they include lots of random garbage inside either CSS or in HTML comments. All of this gets ignored by the HTML parser a

Re: Massive spamruns

2013-06-13 Thread Alex
Hi, On Thu, Jun 13, 2013 at 6:53 PM, John Hardin wrote: > On Thu, 13 Jun 2013, Alex wrote: >> I'm thinking this is sounding like a better option. The IPs change way >> too quickly for me to be able to keep up with updating a DNSBL. It's >> funny -- despite all MXs having the same weight, mail03 i

Re: Massive spamruns

2013-06-13 Thread John Hardin
On Thu, 13 Jun 2013, Alex wrote: John Hardin wrote: As was suggested earlier: greylisting? I'm thinking this is sounding like a better option. The IPs change way too quickly for me to be able to keep up with updating a DNSBL. It's funny -- despite all MXs having the same weight, mail03 is rea

Re: Massive spamruns

2013-06-13 Thread Alex
Hi, On Wed, Jun 12, 2013 at 2:54 PM, Daniel McDonald wrote: > On 6/12/13 1:25 PM, "Alex" wrote: > >> John Hardin wrote: >>> As was suggested earlier: greylisting? >> >> I really don't think my users would tolerate the delay, so I've never >> implemented it. They would have vendors calling them o

Re: PayPal spam filter?

2013-06-13 Thread Neil Schwartzman
On Jun 12, 2013, at 3:37 PM, Daniel McDonald wrote: > I believe Paypal is DKIM signed, Sure is. Also DMARCed and SPFed too. ;; QUESTION SECTION: ;paypal.com. IN TXT ;; ANSWER SECTION: paypal.com. 7 IN TXT "v=spf1 include:pp._spf.paypal.co

Re: sa-update: MIRRORED.BY is 404 for any channel

2013-06-13 Thread Quanah Gibson-Mount
--On Wednesday, June 12, 2013 10:12 PM -0600 Mike Brown wrote: Martin wrote: Do you have a MIRRORED.BY file in your spamassassin update directory? It looks like it doesn't have the file with the mirrors in and instead is using the file name. If so you could copy it over from your other box t

Re: Massive spamruns

2013-06-13 Thread polloxx
Neil, I'm sorry but I can't disclose the logs. Fortunately 95% of them were blocked by blacklisting or greylisting. I just wanted to know if other people see a massive increase of spam the last weeks. On Wed, Jun 12, 2013 at 9:31 PM, Benny Pedersen wrote: > Alex wrote on 2013-06-12 20:25: > >

Re: PayPal spam filter?

2013-06-13 Thread RW
On Wed, 12 Jun 2013 15:26:29 -0500 (CDT) David B Funk wrote: > However this will not hit all the "human engineered" variants which > try to fool people into thinking that they're PayPal (EG: PayPaI) > or which have "PayPal" in the comment field part of the address/URL > but have a completely diff