Smith, actually. So far right that he went
around the dial and wanted to defund police.
Joseph Brennan
content to
> >> this particular user because it's so regular and so varied in terms of
> >> the types of requests, but all appear legitimate.
> >
> > We've seen this too now and then. A few customers got 20k+.
> >
> > It's more in the nature of very annoying mischief, although it could be
> > a targeted attack.
> >
> > -kgd
> >
>
>
--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
ading this thing.
--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
weekend project. {rolleyes}
>
> One should do something useful with their life or family, I suggest ignoring
> this game of whackamole unless it takes few minutes. :-D It's pointless to
> try adding all combinations in _advance_, since all this is extremely simple
> to bypass with random typos and whitespaces and whatever chars..
>
--
Joseph Brennan
Lead, Email and Systems Applications
t; I receive several marketing emails from chimpmail. I've tried adding the
> from email address to the blackfrom_list, but that does not block
> chimpmail. How can a person block these?
>
> Thank you.
>
> Daryl
>
>
>
--
Joseph Brennan
Lead, Email and Systems Applications
ge. There isn't much else there.
--
Joseph Brennan
Lead, Email and Systems Applications
e I was writing about.
--
Joseph Brennan
Lead, Email and Systems Applications
RS_LCASE strikes me as very different and much more
likely to be faked mail. I don't know of any freemail providers that write
header names in all lower case. A check against the corpus obviously needs
to back up my guess but I think I'm right.
--
Joseph Brennan
Lead, Email and Systems Applications
y
> there really are!
>
>
>
> --
> Joseph Brennan
> Lead, Email and Systems Applications
>
>
>
--
Joseph Brennan
Lead, Email and Systems Applications
Yes, replying to myself.
It just occurred to me that that we refuse mail from hosts in the Spamhaus
lists, so messages from those don't get analyzed by spamassassin. The
50,000 I mentioned is how many were NOT caught that way. I wonder how many
there really are!
--
Joseph Brennan
Lead,
On Thu, Jun 13, 2019 at 3:01 PM Antony Stone <
antony.st...@spamassassin.open.source.it> wrote:
> On Thursday 13 June 2019 at 17:45:02, Joseph Brennan wrote:
>
> > We've been refusing mail based on this stupid error for a year and a half
> > (local rule) and no fa
that the spammer does not send on Sundays. I agree that many of them
hit no other rule.
--
Joseph Brennan
Lead, Email and Systems Applications
://pastebin.com/p6xaWcA7
Joseph Brennan
Columbia U
have a good copy of the body yet, and do not know what rules it
already hits. If anyone else here got these maybe you can beat me to
getting a sample.
I'll send more later if I get more information.
--
Joseph Brennan
Lead, Email and Systems Applications
a lost art.
This might affect scoring of the MISSING_HEADERS rule eventually. (Despite
the name it seems to mean only a missing "To" header.)
--
Joseph Brennan
Lead, Email and Systems Applications
s-1256.
If this spam technique spreads I still think it would be worth some score.
A broader rule would look for an ISO encoding of the same Arabic no-space
character between non-Arabic characters.
Joseph Brennan
Columbia U I T
been done and I've missed it?
Joseph Brennan
Columbia U I T
On Mon, Nov 19, 2018 at 11:49 AM Mark London wrote:
> On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote:
> > I ran it as-is, and it scored poorly.
> > After I manually de-borked the heade
KHOP_DYNAMIC hits on hostnames like mx0b-00145802.pphosted.com. Proofpoint
addresses are always mail servers, not dynamic end-user lines.
--
Joseph Brennan
Lead, Email and Systems Applications
n; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=
=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=
i=9Dls:
Joseph Brennan
Columbia U I T
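The trick in the windows-1256 fragment above, and the broader rule the earlier message asks for (score the no-space character only when it sits between non-Arabic letters), can be checked directly. This is an added example, not code from the post or from SpamAssassin: it decodes the quoted-printable bytes exactly as quoted in the message under the declared charset, counts every zero-width character, and separately counts only the runs wedged between two Latin letters, which is what keeps legitimate Arabic or Persian text (where U+200C is ordinary) from scoring. The threshold of three splits is an assumption.

```python
import quopri
import re

# The quoted-printable body fragment quoted in the message above, with its
# declared charset.  Byte 0x9D in windows-1256 is U+200C ZERO WIDTH NON-JOINER:
# invisible when rendered, but it splits "You" into "Yo" + "u" for a body rule.
SAMPLE_QP = (
    b'Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=\n'
    b'=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=\n'
    b'i=9Dls:'
)
SAMPLE_CHARSET = 'windows-1256'

# Invisible code points used to break words without changing what the
# recipient sees (ZWSP, ZWNJ, ZWJ, WORD JOINER, BOM).
ZERO_WIDTH = '\u200b\u200c\u200d\u2060\ufeff'
_ZW_ANY = re.compile('[' + ZERO_WIDTH + ']')
# A run of them with a Latin letter on both sides.  In real Arabic or Persian
# text U+200C sits between Arabic letters, so this shape is the spam signal.
_ZW_SPLIT = re.compile('(?<=[A-Za-z])[' + ZERO_WIDTH + ']+(?=[A-Za-z])')


def decode_part(qp_bytes: bytes, charset: str) -> str:
    """Undo Content-Transfer-Encoding: quoted-printable, then the declared charset."""
    return quopri.decodestring(qp_bytes).decode(charset)


def count_zero_width(text: str) -> int:
    """Every zero-width character, wherever it sits."""
    return len(_ZW_ANY.findall(text))


def count_latin_splits(text: str) -> int:
    """Only the zero-width runs wedged between two Latin letters."""
    return len(_ZW_SPLIT.findall(text))


def strip_zero_width(text: str) -> str:
    """The text as the recipient reads it; what a body rule should match on."""
    return _ZW_ANY.sub('', text)


def classify(qp_bytes: bytes, charset: str, threshold: int = 3) -> dict:
    """Decode one MIME part and report whether it shows the word-splitting trick.

    threshold is an assumed tuning value, not a figure from the post.
    """
    text = decode_part(qp_bytes, charset)
    splits = count_latin_splits(text)
    return {
        'zero_width_total': count_zero_width(text),
        'latin_splits': splits,
        'suspicious': splits >= threshold,
        'normalized': strip_zero_width(text),
    }


if __name__ == '__main__':
    for key, value in classify(SAMPLE_QP, SAMPLE_CHARSET).items():
        print(f'{key}: {value}')
```

Stripping the zero-width characters first is what lets an ordinary word rule fire on "solutions" or "options"; scoring the count of Latin-letter splits is the charset-independent rule, since the same code point arrives as 0x9D in windows-1256, as a three-byte sequence in UTF-8, or as a numeric entity in HTML.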
Most commonly the Subject contains what should have
been the message body.
--
Joseph Brennan
Lead, Email and Systems Applications
23 we have seen
hosts in these blocks, below. Yesterday was 23.95.197 and 104.234.218.
Joseph Brennan
Columbia University I T
23.94.138
23.94.165
23.95.197
23.95.200
45.65.16
46.102.117
46.166.186
63.143.38
64.186.14
66.70.254
67.214.188
69.195.136
74.63.251
74.80.147
76.164.198
84.247.12
85.1
olating RFC 822.
He can say he is blocking because he wants mail to have a To header. He can
block because a subject line contains the letter Z if he wants to. That is
a different line of argument than calling an RFC violation.
-- Joseph Brennan
is To, then
To must contain an address.
In section 4.5.3 it states that Bcc contents are not included in copies
sent, which leaves a transmitted message with just Date and From, the state
which the plaintiff claims is not compliant.
-- Joseph Brennan
lance out
the PTR fail. I have not had a chance yet to test this out in real mail
flow to see how close it comes to being something good enough to reject
mail.
Joseph Brennan
Ted Mittelstaedt wrote:
I have noticed that spam tracks current events.
We've had a run of spam recently with a teaser subject that Megyn Kelly
might quit Fox news. That's a little less than current!
Joseph Brennan
record with too many DNS lookups.
Are you willing to block that? That one amazes me since SPF is the simplest
of these ventures to implement correctly, and since the Times's frequent
mailings of news updates evidently are not affected enough by SPF fail for
the Times to go fix it.
Joseph Br
t as an attachment, and I think
the generic "octet-stream" is correct since there is no specific software
that must be used for a plain text file. (I'm actually surprised that there
is nothing like application/plaintext for this case, but I could not
identify such a type in a web
g its half a
billion servers, like ec2-54-225-189-51.compute-1.amazonaws.com for
54.225.189.51, since like end-user IPs they are interchangeable parts. I'd
be inclined to exclude them from RDNS_DYNAMIC.
Joseph Brennan / Columbia U
PS-- They do have nice matching PTR and A records.
m not silly enough
to say they are free of spam customers, but they are definitely servers.
Joseph Brennan / Columbia U
domain.
--
Joseph Brennan
Lead, Email and Systems Applications
at content.
It is interesting that Spamhaus does not list the sending IPs or the
web hosts. Maybe their secret honeypot addresses do not have enough
.edu presence.
(google: "honor society" scam)
--
Joseph Brennan
Columbia University
? It's easy:
From:us REJECT
From:ci.boston.ma.us OK
From:corunna.k12.mi.us OK
Or name the states:
From:us REJECT
From:ma.us OK
From:mi.us OK
Joseph Brennan
Columbia University
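The table above only works because the lookup picks the most specific entry, so a blanket From:us REJECT can coexist with the exceptions underneath it. The following is an added example, not from the post or from any MTA's code: a small suffix-match lookup in the shape of sendmail's access map, where the whole address is tried first, then the domain, then each parent domain. That ordering is an assumption stated here, not something the post spells out. The table entries are the ones from the post.

```python
# Access entries from the post, as a constructed table keyed the way the post
# writes them.  Both spellings of the exception (per city or district, and per
# state) are included to show that either works.
ACCESS = {
    'From:us': 'REJECT',
    'From:ci.boston.ma.us': 'OK',
    'From:corunna.k12.mi.us': 'OK',
    'From:ma.us': 'OK',
    'From:mi.us': 'OK',
}


def candidate_keys(sender: str):
    """Yield 'From:' keys from most to least specific for one envelope sender.

    Assumed order, modelled on sendmail's access map: the whole address, then
    the domain, then each parent domain down to the top-level label.
    """
    sender = sender.strip().lower().strip('<>')
    local, at, domain = sender.rpartition('@')
    if at:
        yield 'From:' + sender
    labels = [label for label in domain.split('.') if label]
    for i in range(len(labels)):
        yield 'From:' + '.'.join(labels[i:])


def lookup(sender: str, access=ACCESS, default: str = 'OK'):
    """Return (matching key, action); (None, default) when nothing matches.

    The first hit wins, and candidate_keys() yields the most specific key first,
    so a state- or city-level OK beats the country-level REJECT above it.
    """
    for key in candidate_keys(sender):
        if key in access:
            return key, access[key]
    return None, default


if __name__ == '__main__':
    for sender in ('clerk@ci.boston.ma.us', 'bulk@offers.us', 'someone@example.com'):
        print(sender, '->', lookup(sender))
```

The order of the entries in the table does not matter; what matters is that the lookup walks from the longest suffix down, so adding a new exception is one line with no need to reorder or to enumerate every .us domain in advance.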
hings will diagnose future attempts.
--
Joseph Brennan
--On October 18, 2016 at 02:06:38 -0400 Ruga wrote:
>
> <does not belong to the author(s) of the message.>>
... unless you're applying DMARC, which says the "From:" should instead
"align" with something other than the author of the message in some cases.
--Joseph Brennan
kipping, in
"/tmp/.spamassassin17852Aeax7dtmp/72_active.cf": uridnsbl_skip_domain
accessbankplc.com
...
config: failed to parse line, skipping, in
"/tmp/.spamassassin17852Aeax7dtmp/72_active.cf": uridnsbl_skip_domain
zugerkb.ch
channel: lint check of update failed, channel failed
Joseph Brennan
Columbia University Information Technology
(like Intel) are both little-endian-- so it is
probably not the answer in this case.
This is a nice test I found:
echo -n I | od -to2 | awk '{ print substr($2,6,1); exit}'
1 little-endian
0 big-endian
Joseph Brennan
Columbia U
align"
with the mail system that sent the message?
Well, they also changed the SPF protocol so that -all should not be used.
Using ~all causes processing to continue through DKIM and DMARC, and then
the failure gets reported to the "ruf" address. Using -all is just for
SPF-only
e logged, so I
can't say whether the unusual X- headers continue.
Spamhaus knows most of the hosts they are sending from.
Joseph Brennan
Columbia University Information Technology
ent of the From header, so this spoofs effectively.
If you want to catch this, you'd want to score for the case where the From
header has your domain but the Sender header does not. BUT be careful. A
rule like that would hit on mail sent through mailing lists and some other
legitimate "send as" cases.
Joseph Brennan
Columbia University I T
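The check described above, with the caveat it comes with, as an added example that is not code from the post or from SpamAssassin: flag a message whose From domain is ours while the Sender domain is not, but stand down when the message carries List-Id or List-Post headers, since mailing-list traffic legitimately rewrites Sender. The three messages and the domain example.edu are constructed for the example; the list-header exemption is the assumed way to avoid the false positives the post warns about, and other "send as" cases would need their own exemptions.

```python
import email
from email.utils import parseaddr

OUR_DOMAIN = 'example.edu'   # assumption: stands in for "your domain"

# Constructed samples, not real mail.
SPOOF_LIKE = """From: Dean <dean@example.edu>
Sender: bulk@mailer.example.net
To: staff@example.edu
Subject: urgent

body
"""

VIA_LIST = """From: Dean <dean@example.edu>
Sender: sa-users-bounces@lists.example.org
List-Id: <sa-users.lists.example.org>
List-Post: <mailto:sa-users@lists.example.org>
To: sa-users@lists.example.org
Subject: question

body
"""

NO_SENDER = """From: Dean <dean@example.edu>
To: staff@example.edu
Subject: hi

body
"""


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(str(header_value or ''))[1]
    return addr.rpartition('@')[2].lower()


def from_sender_mismatch(raw: str, our_domain: str = OUR_DOMAIN):
    """Return (flag, reason).  flag is True only for the spoof-shaped case."""
    msg = email.message_from_string(raw)
    if domain_of(msg['From']) != our_domain:
        return False, 'From is not our domain'
    sender = msg['Sender']
    if sender is None:
        return False, 'no Sender header'
    if domain_of(sender) == our_domain:
        return False, 'Sender is our domain'
    # Mailing lists resend our users' mail with their own Sender; exempt them.
    if msg['List-Id'] or msg['List-Post']:
        return False, 'mailing list traffic'
    return True, 'From %s but Sender %s' % (our_domain, domain_of(sender))


if __name__ == '__main__':
    for name, raw in (('spoof-like', SPOOF_LIKE), ('via list', VIA_LIST),
                      ('no Sender', NO_SENDER)):
        print(name, '->', from_sender_mismatch(raw))
```

Because the list exemption is keyed on headers any sender can add, this is a score, not a reject: a spammer who adds a List-Id escapes the rule, which is the same trade-off the post's "be careful" points at.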
ntil we notice.
Other than that I don't see the purpose to this change.
Joseph Brennan
Columbia University I T
clicks. Even if you don't use
Proofpoint to do this rewriting, you're going to see the result sometimes
in replies that include the original, and forwards. Ironically this is an
ANTI phishing technique.
I realize you're not interested but other people read this list :-)
Joseph B
this goal?
I can't think of any way to do it without adding functionality to SA,
sorry.
Does this do it?
score AWL 0
meta LOCAL_SCORE_AWL AWL && !URIBL_DBL_SPAM
score LOCAL_SCORE_AWL -10
where -10 is whatever score AWL usually has (I forget)
Joseph Brennan
Columbia U I T
't need
to go any further.
Joseph Brennan
Columbia University Information Technology
;'.
The image is a picture of text written in Chinese.
Joseph Brennan
Columbia University Information Technology
src="http://img04.taobaocdn.com/imgextra/i4/167488816/T2tRdHXgXM_!!167488816.gif"
type=image>
with html tags, e.g. orange.
Joseph Brennan
Columbia University Information Technology
tives. No META needed.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
fields and format, which are not
present there.
Including a plain part is desirable in many cases but not all.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
ikely comment before body begins is unique to spam, but... you
never know. It sounds like valid html so some web programmer might
find a reason to put it in mail output.
Now ... with garbage in it is interesting. That
would never be in real mail. Or so you'd think!
Joseph Brennan
C
body __SR1 /\s{0,2}\s{0,2}/
does not work since body rules strip html comments
with rawbody it ignores limits but hits on both
And don't score too high.
Example: Confirmations from Travelocity contain a 28 KB comment.
Joseph Brennan
Columbia University Information Technology
The maximum message size is 256 MB.
I've never seen spam larger than 3 MB.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
allow the mail.
The samples were from f...@fanboxnotes.com and nore...@fanboxnotes.com.
They look like the ones reported here, including the lower-case header
labels.
Joseph Brennan
Columbia University Information Technology
email as I am at designing web pages :-)
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
ree, anyway). A link in part 1 opens the HTML attachment
in a new window, and that links you to the secure web page with the
secure message. But anyway, an HTML attachment is still odd enough to
rate a low score.
Joseph Brennan
Columbia University Information Technology
--On Friday, June 17, 2011 0:58 +0200 Benny Pedersen wrote:
make a info tdl rule with a score of 2.5,
Meta: From has .info AND uri has .info, score 2.0. We've done it for
years. Works fine. Maybe it could be 2.5.
Joseph Brennan
Columbia University Information Technology
score the
same as for any other message, if you can.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
t could be that a meta of multiple plus something else gets
a more accurate spam diagnosis, so I'm not saying it's useless, but
it is not as straightforward as it seems.
Joseph Brennan
Columbia University Information Technology
at we were willing to 550 based on a match.
I could see scoring for shorteners. So this is good news.
Joseph Brennan
Columbia University Information Technology
about checking for an
MX record for the sender address, not the host.
Joseph Brennan
Columbia University Information Technology
look out, they can also be hosts at
small organizations with overworked or newbie system admins. I would
not block outright for that. As David said, lots of fps await.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
feed?
I've asked twice with no results.
Consequently we haven't started using it. We'd be doing well over a
million lookups a day.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
m to be routine. We've
considered blocking for it, but we'd end up doing a lot of whitelisting
and interfering with mail that our users want.
It's worth scoring for, and RDNS_NONE already matches this case.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
David B Funk wrote:
Notice also that the rule checks the header From:, not the envelope,
and they could be different.
When did that change?
Sorry. I am wrong.
Joseph Brennan
Columbia University Information Technology
X-Envelope-From:
Received: from S253906HZ1EW06.usstls6-hosting.savvis.net (unknown
[209.16.192.170])
Is it because there is no reverse DNS entry?
Yes.
Notice also that the rule checks the header From:, not the envelope,
and they could be different.
Joseph Brennan
Columbia University Information Technology
ealth care messages can be identified
by these features:
Subject contains /Secure Message from / followed by the same address
as the From header.
The message body contains a MIME part named securedoc.html coded as
application/octet-stream.
I cannot post a sample secure message.
Joseph Brennan
Colum
nd I think this matches it:
/document\.write\(unescape\(\"(\%..\%){10,}/
While unescape is a legitimate function, it's odd that a string would
start off with a lengthy series of escaped characters.
This seems to need a RAWBODY check to match. That's as far as I've
got.
Jose
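A decoder for the construct that rule is aimed at, as an added example that is not code from the post or from SpamAssassin: it finds document.write(unescape("...")) calls whose string literal opens with a long run of escapes, undoes JavaScript's legacy unescape (both the %XX and the %uXXXX forms, the latter of which urllib's unquote does not handle), and pulls the URLs out of the result. The pattern here is tighter than the one in the post, requiring a percent sign followed by two hex digits at least ten times. The sample fragment and its example.test host are constructed, not taken from a real message.

```python
import re

# Constructed rawbody fragment in the shape of the construct discussed in the
# post.  The escaped literal decodes to <a href="http://example.test/go">click</a>;
# example.test is a placeholder host, not one seen in any real message.
SAMPLE_HTML = (
    '<html><body><script type="text/javascript">'
    'document.write(unescape("%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F'
    '%65%78%61%6D%70%6C%65%2E%74%65%73%74%2F%67%6F%22%3E%63%6C%69%63%6B%3C%2F%61%3E"))'
    '</script></body></html>'
)

# One JavaScript escape: %uXXXX (a UTF-16 code unit) or %XX (a Latin-1 byte).
_ESCAPE = r'(?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})'
# document.write(unescape("...")) whose literal starts with at least ten escapes.
_WRITE_UNESCAPE = re.compile(
    r'document\.write\s*\(\s*unescape\s*\(\s*(["\'])'
    r'(' + _ESCAPE + r'{10,}[^"\']*)\1',
    re.IGNORECASE,
)
_ESCAPE_RE = re.compile(_ESCAPE)
_URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def js_unescape(literal: str) -> str:
    """Mirror JavaScript's legacy unescape(): %uXXXX and %XX decoded, rest kept."""
    def one(m):
        tok = m.group(0)
        if tok[1] in 'uU':
            return chr(int(tok[2:], 16))
        return chr(int(tok[1:], 16))
    return _ESCAPE_RE.sub(one, literal)


def find_obfuscated_writes(html: str) -> list:
    """Return one record per suspicious document.write(unescape(...)) call."""
    hits = []
    for m in _WRITE_UNESCAPE.finditer(html):
        literal = m.group(2)
        decoded = js_unescape(literal)
        hits.append({
            'escapes': len(_ESCAPE_RE.findall(literal)),
            'decoded': decoded,
            'urls': _URL_RE.findall(decoded),
        })
    return hits


if __name__ == '__main__':
    for hit in find_obfuscated_writes(SAMPLE_HTML):
        print(hit['escapes'], 'escapes ->', hit['decoded'])
        print('URLs:', hit['urls'])
```

A rawbody rule fires on the pattern alone, which is enough for a score; decoding the literal is what exposes the URL so it can be fed to the same URI lookups a plain link would get.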
from Yahoo. No DKIM, no Newman property. That's
a fake header.
The javascript is just an incredibly obfuscated way of putting in a
url. Base 64, javascript, two layers of redirect and... it's the
"Canadian" Pharmacy.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
--
Re: Joseph Brennan:
Why doesn't sendmail reject it like it does here? (..) .. Domain name
required for sender address
I cannot afford rejecting all null senders as those could be
legitimate Delivery Status Notification messages.
What I am looking is a pattern for line:
MAIL FROM:
ot; <>>, relay=adsl-pool-124.157.160-227.dynamic.tttmaxnet.com
[124.157.160.227] (may be forged), reject=553 5.5.4 <"vjaqrra scuper
acntive make your sskexxual" <>>... Domain name required for sender address
Joseph Brennan
Columbia University Information Technology
69.86.203.182 is still listed. Go to the URL. It does not tell you why
but suggests many possible reasons. I'd go for the last one :-)
Joseph Brennan
Columbia University Information Technology
an example of not recording the HTTP hop. That makes it harder
to distinguish spam from well-known problem Ip sources. In my opinion
the origin should be shown.
On the other hand, back to topic, Barracuda rejecting for mail originating
on a dialup line is just crazy. We've seen it too.
J
list. The name of the list (undisclosed
recipients) has no < > marks. The addresses in the list would be between
the colon and semicolon and each would be in < > marks.
The malformed is probably a good clue to tracking
down what software is involved. Most mail software would not wri
right that SA would
catch pretty much the same messages, we'd need significantly more
hardware to do it only with SA.
I realize this is separate from the question of whether SA should run
Spamhaus tests by default. I just want to make a point about Spamhaus.
Joseph Brennan
Columbia University Information Technology
ooked a good
reason to do this... no, I don't think so.
Why not blame the software that created the message?
Joseph Brennan
Columbia University Information Technology
match a lot of them:
Subject =~ /\%.*(special|lower|sale|off|on|today)/i
Subject =~ /(don.t miss|special|save|sale).*\%/i
Subject =~ /-\d+\%/
You probably can't give more than 1 or 2 points or you'll fp.
They keep changing too. The minus-percent just started recently.
Joseph Brenna
's almost
like a very old virus that got reactivated somehow. How many email
viruses do you even see these days?
Did antivirus provide a name for this thing?
Joseph Brennan
Columbia University Information Technology
ation. It's worthwhile giving them an error too,
so they'll know about it.
Joseph Brennan
Columbia University Information Technology
m our users.)
Joseph Brennan
Columbia University Information Technology
parsing' of Received headers, or
for other than checking IP addresses that hand off to your mailservers.
Joseph Brennan
Columbia University Information Technology
actly what you want to do.
Joseph Brennan
Columbia University Information Technology
Jason Bertoch wrote:
Every modern mail solution allows an account holder to pop/imap to
another account to pull in mail from somewhere else.
But this introduces a security hole, where the password to an account
on System A is stored on System B. Forwarding avoids that.
Joseph Brennan
might send mail where it creates a dummy personal name out of
the address, e.g.
From: 'u...@www.example.com'
While this is routine in To and Cc fields, I do not have a real
example of it in a From field, so I can't be sure it happens.
Joseph Brennan
Columbia University Information Technology
Report the abuse to Google and reject any mail from
@listserv.bounces.google.com
Trademark violation? http://www.lsoft.com/corporate/trademark.asp
I thought this was faked the first time I saw it.
Joseph Brennan
Columbia University Information Technology
Ned Slider wrote:
body LOCAL_BODY_CIALIS /\bcialis/i
That's probably what the rule is, and it will match 'spe/cialistes'.
Joseph Brennan
Columbia University Information Technology
.202 (yahoo) and
then %2E%63%6E for .cn
Joseph Brennan
Columbia University Information Technology
laska? I think that's the only place
in timezone -0800 this time of year.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Freelotto.com went on our local blocklist on October 31, 2001. No one
here has ever asked us about not getting mail from that domain.
Joseph Brennan
Columbia University Information Technology
par3.com.
Their current SPF record does not mention those, but it ends with ~all.
A lot of banks send via third party servers, or domains of former banks
they merged at some point. Many times sender and hostname do not match.
Joseph Brennan
Lead Email Systems Engineer
Columbia University
s would be extremely careful
about this stuff. Ha ha ha. They're not.
Joseph Brennan
Columbia University Information Technology
spam.
Joseph Brennan
Columbia University Information Technology
ger to stop the mail from going out. And
of course a sudden increase in volume from a user could also trigger.
Joseph Brennan
Columbia University Information Technology
and then ';' ends the list. The
undisclosed recipients:; notation, the only case commonly seen, is just
a list with no addresses in it. Also somewhat common is...
To: Members of the List Blablabla:;
... as written by Listserv.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
LEGIT EMAIL with this in it?
Microsoft products regularly have for no obvious reason.
However lower-case is unusual, but not unheard of.
Joseph Brennan
Columbia University Information Technology
the following:
/\bP\.?O\.?[:#]? [#]?/i
/P\.?O/
Expect it to match things besides purchase orders, but they will be
false negatives.
Joseph Brennan
e its own set of domains that it sees frequently (or that it
wants to whitelist permanently).
Joseph Brennan
Columbia University Information Technology
aculty and staff and the summer
overlap of graduated and admitted student accounts.
Requiring large organizations to use rsync and charging for it
makes a lot of sense. How much, though... and we didn't budget
this in when we estimated last spring, for the July-June fiscal
year schools use
Sahil Tandon <[EMAIL PROTECTED]> wrote:
We get some legitimate email from @live.com users.
But they don't set a Reply-to header. That's the test.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
o educate people. I'll try to comfort myself with that.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
artly local to us. Another useful local rule
is to check for the uri of your own webmail.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Reply-to: [EMAIL PROTECTED]
First pass:
header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
score LOCAL_REPLYTO_LIVE 8.0
Maybe scoring 8.0 for one thing scares you, but I haven't seen this
fp in a couple of months.
Joseph Brennan
Columbia University Inform