Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Martin Gregorie
On Wed, 2012-06-13 at 03:04 +0200, Wolfgang Zeikat wrote: > On 2012-06-12 20:52, Martin Gregorie wrote: > > > so it's probably worth treating .gg > > the same way as .cn and .ru, though for slightly different reasons. > > Unless you're in .cn, .ru or vicinity or have correspondence partners > t

Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Wolfgang Zeikat
On 2012-06-12 20:52, Martin Gregorie wrote: > so it's probably worth treating .gg > the same way as .cn and .ru, though for slightly different reasons. Unless you're in .cn, .ru or vicinity or have correspondence partners there, you may be right. wolfgang

Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Martin Gregorie
On Tue, 2012-06-12 at 18:47 +0100, Stephane Chazelas wrote: > 2012-06-12 16:36:44 +0100, Martin Gregorie: > > Today I got a piece of spam carrying the URL chasovik.it.gg as its > > payload. I was intrigued because I didn't think .gg was a valid tld and > > looked it up with 'whois'. Sure enough, no

Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Stephane Chazelas
2012-06-12 16:36:44 +0100, Martin Gregorie: > Today I got a piece of spam carrying the URL chasovik.it.gg as its > payload. I was intrigued because I didn't think .gg was a valid tld and > looked it up with 'whois'. Sure enough, no match was found. However, > 'host' resolved it as 80.190.202.40 and

RE: Is this a new type of URI obfuscation?

2012-06-12 Thread Martin Gregorie
On Tue, 2012-06-12 at 17:24 +0100, s...@yacc.co.uk wrote: > .gg is Guernsey ... it's definitely there ... I can see it out the > window :) > Thanks for that clarification. I wasn't as clear as I could have been. The URL in the spam body was unknown to 'whois' but was resolved by 'host'. I've previ

RE: Is this a new typoe of URI obfuscation?

2012-06-12 Thread si
> From: Martin Gregorie [mailto:mar...@gregorie.org] > Sent: 12 June 2012 16:37 > To: Spamassassin users list > Subject: Is this a new typoe of URI obfuscation? > > Today I got a piece of spam carrying the URL chasovik.it.gg as its > payload. I was intrigued because I d

Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Michael Scheidell
On 6/12/12 11:36 AM, Martin Gregorie wrote: Today I got a piece of spam carrying the URL chasovik.it.gg as its payload. I was intrigued because I didn't think .gg was a valid tld and looked it up with 'whois'. that just means that the tld provider is violating RFCs, not that the tld is invalid:

Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread David F. Skoll
On Tue, 12 Jun 2012 16:36:44 +0100 Martin Gregorie wrote: > Today I got a piece of spam carrying the URL chasovik.it.gg as its > payload. I was intrigued because I didn't think .gg was a valid tld > and looked it up with 'whois'. Sure enough, no match was found. .gg is a valid TLD: http://en.wik

Is this a new typoe of URI obfuscation?

2012-06-12 Thread Martin Gregorie
Today I got a piece of spam carrying the URL chasovik.it.gg as its payload. I was intrigued because I didn't think .gg was a valid tld and looked it up with 'whois'. Sure enough, no match was found. However, 'host' resolved it as 80.190.202.40 and a 'host' lookup on the IP resolved to homepage-bauk

Re: uri obfuscation

2008-03-23 Thread Arvid Ephraim Picciani
On Sunday 23 March 2008 14:10:18 The Doctor wrote: > Where should this be added? to your custom rules. I suggest editing local.cf and adding the following line: include /etc/spamassassin/myrules then make that directory and put your custom rules in it (one file is one rule) you can also put all ru

Re: uri obfuscation

2008-03-23 Thread The Doctor
On Sat, Mar 22, 2008 at 09:26:39PM -0400, Joseph Brennan wrote: > >> that's a dynamic ip from telecomitalia. I'm getting lots of spam from >> there but the ips are in no dynamic list. is there a more complete list >> of dynamic hosts? > > We are currently doing this: > > > # Telecomitalia. ISP wi

Re: uri obfuscation

2008-03-23 Thread Arvid Ephraim Picciani
On Sunday 23 March 2008 02:26:39 Joseph Brennan wrote: > > that's a dynamic ip from telecomitalia. I'm getting lots of spam from > > there but the ips are in no dynamic list. is there a more complete list > > of dynamic hosts? > > We are currently doing this: http://sarah.ibcsolutions.de/~aep/sa/7

Re: Forged Received headers and Message-Ids (was: Re: uri obfuscation)

2008-03-23 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 21:31:13 Karsten Bräckelmann wrote: > On Sat, 2008-03-22 at 19:31 +0100, Arvid Ephraim Picciani wrote: > > > http://rafb.net/p/S95P6c12.html > > Yes, this is a spam alright. The Message-Id alone tells so. See my rule > KB_RATWARE_MSGID in bug 5830 [1]. > [1] https://issues

Re: uri obfuscation

2008-03-22 Thread Joseph Brennan
that's a dynamic ip from telecomitalia. I'm getting lots of spam from there but the ips are in no dynamic list. is there a more complete list of dynamic hosts? We are currently doing this: # Telecomitalia. ISP with a big spam problem # A rare exception found had a .it tld sender, so let's

Re: uri obfuscation

2008-03-22 Thread mouss
mouss wrote: Arvid Ephraim Picciani wrote: On Saturday 22 March 2008 19:52:46 SM wrote: He was referring to the URL that is wrapped into two lines with the quoted-printable encoding. It is parsed correctly. so that's no error or invalid markup? ok well in this case... sorry for the fals

Re: uri obfuscation

2008-03-22 Thread Karsten Bräckelmann
> you need to show the raw body. http://ec=xz... is invalid and results > in an error when I click on. even with quoted printable, it is still > invalid because '=' must be followed by hex characters (0-9a-fA-F). Dude, see the OP. :) He did provide the full, raw message. This very snippet is

Forged Received headers and Message-Ids (was: Re: uri obfuscation)

2008-03-22 Thread Karsten Bräckelmann
On Sat, 2008-03-22 at 19:31 +0100, Arvid Ephraim Picciani wrote: > > http://rafb.net/p/S95P6c12.html Yes, this is a spam alright. The Message-Id alone tells so. See my rule KB_RATWARE_MSGID in bug 5830 [1]. > second, i'd love to go and slap some ISPs around a little for not even > having > an

Re: uri obfuscation

2008-03-22 Thread mouss
Arvid Ephraim Picciani wrote: On Saturday 22 March 2008 19:52:46 SM wrote: He was referring to the URL that is wrapped into two lines with the quoted-printable encoding. It is parsed correctly. so that's no error or invalid markup? ok well in this case... sorry for the false alert.

Re: uri obfuscation

2008-03-22 Thread SM
At 11:37 22-03-2008, Arvid Ephraim Picciani wrote: een">http://ec=xzpmi.oldbuild.cn/?175217540350";>Das b see the "="? imo it should be taken as a spam sign. no sane person pastes such urls unless he/she intends to bypass url checks. The sender's MUA formats and encodes the message. The URL may

Re: uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 19:52:46 SM wrote: > He was referring to the URL that is wrapped into two lines with the > quoted-printable encoding. It is parsed correctly. so that's no error or invalid markup? ok well in this case... sorry for the false alert. -- best regards/Mit freundlichen Grüße

Re: uri obfuscation

2008-03-22 Thread SM
At 11:27 22-03-2008, Justin Mason wrote: what is the URL you think it's missing? He was referring to the URL that is wrapped into two lines with the quoted-printable encoding. It is parsed correctly. Regards, -sm

Re: uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 19:27:15 Justin Mason wrote: > works for me: > Content analysis details: (14.3 points, 5.0 required) wow that was fast. 5 minutes ago it was in none of those lists. now i get 14.8 points too. > what is the URL you think it's missing? that one: > Contains an URL list

Re: uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 19:10:03 Arvid Ephraim Picciani wrote: > http://rafb.net/p/S95P6c12.html I forgot two things: that's a dynamic ip from telecomitalia. I'm getting lots of spam from there but the ips are in no dynamic list. is there a more complete list of dynamic hosts? I've seen sorbs d

Re: uri obfuscation

2008-03-22 Thread Justin Mason
Arvid Ephraim Picciani writes: > Hi, > seems that spammers are leaving encoding characters in the urls to make SA > unable to parse it. my mailprogram (kmail currently) displays those urls > _without_ the leftovers. > http://rafb.net/p/S95P6c12.html > i suggest taking this kind of obfuscation as

uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
Hi, seems that spammers are leaving encoding characters in the urls to make SA unable to parse it. my mailprogram (kmail currently) displays those urls _without_ the leftovers. http://rafb.net/p/S95P6c12.html i suggest taking this kind of obfuscation as a sign for spam (ie it should be in the de

Re: URI obfuscation that confuses SA

2006-11-18 Thread John D. Hardin
On Fri, 17 Nov 2006, Jeff Chan wrote: > It seems that the particular URI obfuscation in: > > http://www.surbl.org/evidence/seruikiontunhfasnde.com.txt > > successfully confuses SpamAssassin 3.1.6 into not detecting the > SURBL blacklisted URI. How about a rule that adds

RE: URI obfuscation that confuses SA

2006-11-18 Thread Michael Scheidell
> -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > Sent: Saturday, November 18, 2006 10:29 AM > To: Michael Scheidell > Cc: users@spamassassin.apache.org > Subject: Re: URI obfuscation that confuses SA > >However, it's just doing a se

Re: URI obfuscation that confuses SA

2006-11-18 Thread Matt Kettler
Michael Scheidell wrote: > When I paste that (with the munged) in it I get a nasa web site. > (maybe google built into firefox finds the nasa site) > > > http://8ZC*2/F3B.seruikiontuMUNGED.com/?LHN-+IA- > > > Scary crap. > > Hey nasa: is this even something you want public? > I will send you link i

Re: URI obfuscation that confuses SA

2006-11-18 Thread Benny Pedersen
On Sat, November 18, 2006 14:45, Justin Mason wrote: > http://8ZC*2/F3B.seruikiontuMUNGED.com/?LHN-+IA- > > link > Surely that doesn't work. certainly doesn't with any of my MUAs! anyone > got a copy of Lookout or Outlook Express they can test with? fedora core 6 x86_64 firefox 1.5.0.8 display

RE: URI obfuscation that confuses SA

2006-11-18 Thread Michael Scheidell
. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Saturday, November 18, 2006 8:46 AM > To: Matt Kettler > Cc: Jeff Chan; SpamAssassin Users > Subject: Re: URI obfuscation that confuses SA > > > > Matt Kettler writes: > > Jeff

Re: URI obfuscation that confuses SA

2006-11-18 Thread Justin Mason
Matt Kettler writes: > Jeff Chan wrote: > > It seems that the particular URI obfuscation in: > > > > http://www.surbl.org/evidence/seruikiontunhfasnde.com.txt > > > > successfully confuses SpamAssassin 3.1.6 into not detecting the > > SURBL blacklisted UR

Re: URI obfuscation that confuses SA

2006-11-17 Thread Matt Kettler
Jeff Chan wrote: > It seems that the particular URI obfuscation in: > > http://www.surbl.org/evidence/seruikiontunhfasnde.com.txt > > successfully confuses SpamAssassin 3.1.6 into not detecting the > SURBL blacklisted URI. > Does that even work as a link? Doesn't

Re: New? URI obfuscation: backslash at end of URI

2005-05-17 Thread Theo Van Dinter
On Tue, May 17, 2005 at 03:53:38AM -0700, Jeff Chan wrote: > Apparently the backslash at the end of the URI throws off some > parsers such as (unpatched) 3.0.1. Hopefully the same patch that > catches just : at the end of URIs, etc. also catches these. Not really. 3.0 doesn't deal with it, 3.1 w

New? URI obfuscation: backslash at end of URI

2005-05-17 Thread Jeff Chan
Can someone check if 3.03 or 3.1 catches this URI obfuscation spotted in recent spams: http://hyahlarzvz96ckva9nsn9zvs9.tnashbsv.com\";>Check it Out Apparently the backslash at the end of the URI throws off some parsers such as (unpatched) 3.0.1. Hopefully the same pa

Re: URI obfuscation check

2004-09-17 Thread Daniel Quinlan
Jeff Chan <[EMAIL PROTECTED]> writes: > SpamCop got fooled by this URI obfuscation, so I wrote them about > it. Would someone please feed it through SA to see if it handles > it correctly: It doesn't matter because the message had a score of 19. In 2.64, it had a score

Re: URI obfuscation check

2004-09-17 Thread Ryan Thompson
Jeff Chan wrote to SpamAssassin Users: Update on the previous, interestingly the HTML renderer in The Bat! 1.62q did not make the link clickable, but the plaintext message renderer did. That's because the HTML did not actually contain a link (anchor); just the plaintext URI. Many plaintext renderer

Re: URI obfuscation check

2004-09-17 Thread Jeff Chan
Update on the previous, interestingly the HTML renderer in The Bat! 1.62q did not make the link clickable, but the plaintext message renderer did. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

URI obfuscation check

2004-09-17 Thread Jeff Chan
SpamCop got fooled by this URI obfuscation, so I wrote them about it. Would someone please feed it through SA to see if it handles it correctly: __ CUT HERE __ Return-Path: <[EMAIL PROTECTED]> Received: from 66.170.1.10 ([221.139.191.210]) by smtp1.supranet.net (8.12.10/8.12.10