On 2023-10-12 at 10:24:11 UTC-0400 (Thu, 12 Oct 2023 10:24:11 -0400)
Ricky Boone <ricky.bo...@gmail.com>
is rumored to have said:
Thank you. It was my mistake initially, as I was under the impression
that submitting unsolicited samples wasn't preferred, and was just
intending to raise awareness for others in case they see anything
similar.
Often one of us who has access to robust mail streams can find adequate
evidence on our own. In this case the volume seems to have been rather
low.
Attached is evidence with redactions. Again, my apologies if the
original email came across as it may have, and also for the delay in
reporting (I was alerted to this yesterday afternoon).
No problem. Your analysis of the issue as a compromised SendGrid account
appears to be right, which breaks the basis for having them in the
default welcomelist.
Change committed:
# svn diff -r r1910021:r1912921 60_welcomelist_auth.cf
Index: 60_welcomelist_auth.cf
===================================================================
--- 60_welcomelist_auth.cf (revision 1910021)
+++ 60_welcomelist_auth.cf (revision 1912921)
@@ -546,7 +546,6 @@
def_welcomelist_auth *@*.directgeneral.com
def_welcomelist_auth *@*.subaru.com
def_welcomelist_auth *@*.aexp.com
-def_welcomelist_auth *@*.usssa.com
def_welcomelist_auth *@*.bestwesternrewards.com
def_welcomelist_auth *@*.email-weightwatchers.com
def_welcomelist_auth *@*.email-allstate.com
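Review bot: the removed line is the only *.usssa.com entry visible in this hunk, and the surrounding entries are untouched, so the change is minimal as intended; since the thread stresses that removals must be justifiable later, a `#` comment or commit message pointing at the Bugzilla report or this thread (e.g. "# removed 2023-10-12: compromised SendGrid sender") would make the reason recoverable from the file history without having to find the mailing-list post.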
@@ -1523,7 +1522,6 @@
def_whitelist_auth *@*.directgeneral.com
def_whitelist_auth *@*.subaru.com
def_whitelist_auth *@*.aexp.com
-def_whitelist_auth *@*.usssa.com
def_whitelist_auth *@*.bestwesternrewards.com
def_whitelist_auth *@*.email-weightwatchers.com
def_whitelist_auth *@*.email-allstate.com
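Review bot: this second hunk correctly mirrors the first in the legacy `def_whitelist_auth` section (the hunk header's shift from -1523 to +1522 is just the one-line removal above), so both spellings of the list stay in sync; keeping the two sections identical by hand is the main drift risk in this file, so a quick diff of the two sections after the commit would confirm nothing else has diverged.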
On Thu, Oct 12, 2023 at 8:48 AM Bill Cole
<sausers-20150...@billmail.scconsult.com> wrote:
On 2023-10-11 at 22:02:22 UTC-0400 (Wed, 11 Oct 2023 22:02:22 -0400)
Ricky Boone <ricky.bo...@gmail.com>
is rumored to have said:
My apologies.
The samples that I have contain email addresses that I am not at
liberty to share without redacting. If it's okay that there are
certain strings that are removed, I should be able to make them
available. Is there a preferred method for getting this to you?
Attached to a message here or to a bug report in the SA project
Bugzilla: https://bz.apache.org/SpamAssassin/
Ideally, just redact the local part of user addresses. Nothing else is
really sensitive in spam, and facts like domains and IP addresses help
validate spam analysis. For example, we wouldn't want to de-list a
domain which appears to be forged into spam.
The point of having a minimally-redacted message as an openly visible
example for removing a def_welcomelist entry is to make sure that we
aren't open to being used for mischief and can justify the removal later
if asked to. The bar for removal is very low (being listed is a
privilege, not a right) but it can't be simply 'someone said...'
On Wed, Oct 11, 2023 at 9:25 PM Bill Cole
<sausers-20150...@billmail.scconsult.com> wrote:
On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone <ricky.bo...@gmail.com>
is rumored to have said:
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.
If anyone has a shareable sample spam to substantiate this, that would
be helpful.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
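As an added illustration (my own code, not from the thread or from SpamAssassin), the helper below applies the redaction policy described above to a constructed sample message, keeping domains and IP addresses while blanking local parts, and then checks which def_welcomelist_auth globs a sender would match before and after the entry is removed. The glob-to-regex reading ('*' matches any run of characters, '?' one character) is an assumption, as are all sample data and config lines.

```python
import re

# Constructed sample spam, as a reporter might submit it. Per the list
# guidance, only the local part of user addresses needs redacting; domains
# and IP addresses are kept so the analysis can be validated.
SAMPLE = (
    "Received: from o1.mail.usssa.com (o1.mail.usssa.com [192.0.2.10])\n"
    'From: "Tournament Desk" <alice.example@mail.usssa.com>\n'
    "To: bob.smith@example.net\n"
    "Subject: Action required on your account\n"
    "\n"
    "Dear bob.smith@example.net, sign in at http://198.51.100.7/ today.\n"
)

# Constructed excerpt of 60_welcomelist_auth.cf before and after the change.
CONFIG_BEFORE = (
    "def_welcomelist_auth *@*.subaru.com\n"
    "def_welcomelist_auth *@*.aexp.com\n"
    "def_welcomelist_auth *@*.usssa.com\n"
    "def_welcomelist_auth *@*.bestwesternrewards.com\n"
)
CONFIG_AFTER = CONFIG_BEFORE.replace("def_welcomelist_auth *@*.usssa.com\n", "")

# Matches user@domain.tld; the lookbehind stops us matching inside a longer token.
ADDR_RE = re.compile(r"(?<![\w.+-])([\w.+-]+)@([\w.-]+\.[A-Za-z]{2,})")

def redact_local_parts(text: str) -> str:
    """Replace every address's local part with [redacted], keeping the domain."""
    return ADDR_RE.sub(lambda m: "[redacted]@" + m.group(2), text)

def glob_to_regex(glob: str) -> re.Pattern:
    """Assumed reading of a welcomelist glob: '*' matches any run of characters,
    '?' exactly one; everything else is literal. Not SpamAssassin's own code."""
    pat = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + pat + "$", re.IGNORECASE)

def matching_entries(config_text: str, address: str) -> list:
    """Return the def_welcomelist_auth globs in config_text that match address."""
    hits = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "def_welcomelist_auth":
            if glob_to_regex(fields[1]).match(address):
                hits.append(fields[1])
    return hits

if __name__ == "__main__":
    sender = "alice.example@mail.usssa.com"
    print(redact_local_parts(SAMPLE))
    print("before:", matching_entries(CONFIG_BEFORE, sender))  # ['*@*.usssa.com']
    print("after: ", matching_entries(CONFIG_AFTER, sender))   # []
```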