Re: [mailop] Spam Filtering Trick that could be easily adapted to Spam Assassin

2016-05-18 Thread Rodgers, Anthony (DTMB)
Didn’t we do this about 4 months back?

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Marc Perkel
Sent: Wednesday, May 18, 2016 12:58
To: mailop ; l...@spammers.dontlike.us
Subject: [mailop] Spam Filtering Trick that could be easily adapted to Spam 
Assassin

This is a spam filtering trick I'm using but it's not SA, but could be easily 
adapted to SA or other filtering systems. I thought I'd share this for others to 
use or improve upon.

Rather than just scan for regex strings it's useful to have a way to tell what 
things the message is talking about and reduce those to a single token that 
represents a concept. Then the concepts can be combined to produce rules or fed 
into Bayes for automatic scoring.

http://wiki.junkemailfilter.com/index.php/Concept_Parsing_Spam_Filter

Here's an example of concepts:

dear stranger
i need your information
offers lots of money
dying of something
worships god
bank account
transfer money
reply to me
trust me
africa
united nations
western union

Let me know if you find it useful.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
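
The concept-token idea from the message above, as an added example that is not Marc Perkel's code or the junkemailfilter.com implementation: regex patterns collapse to concept tokens, and a score is given only to combinations of concepts. The concept names, patterns, rule names, scores and both sample messages are constructed assumptions.

```python
import re

# Hypothetical concept table (names and patterns are assumptions for this example):
# several wordings of one idea collapse to a single concept token.
CONCEPTS = {
    "dear_stranger":   [r"\bdear (friend|beloved|sir|madam)\b"],
    "needs_your_info": [r"\b(send|provide|forward)\b.{0,40}\b(full name|address|phone)\b"],
    "offers_money":    [r"(\$|usd )\s?[\d.,]+\s?million\b", r"\b\d+ ?% of the (fund|sum)\b"],
    "dying":           [r"\bterminal\b", r"\bmonths to live\b", r"\bmy late husband\b"],
    "bank_account":    [r"\bbank account\b", r"\baccount (number|details)\b"],
    "transfer_money":  [r"\btransfer\b.{0,40}\b(funds?|money|sum)\b"],
    "reply_to_me":     [r"\b(reply|respond|get back) to me\b"],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in CONCEPTS.items()}

# Meta rules (hypothetical names and scores): a rule fires only when every
# listed concept is present, so one concept on its own never scores.
RULES = [
    ("ADVANCE_FEE", {"offers_money", "transfer_money", "needs_your_info"}, 4.0),
    ("DYING_BENEFACTOR", {"dying", "offers_money"}, 3.0),
    ("STRANGER_WANTS_REPLY", {"dear_stranger", "reply_to_me"}, 1.5),
]

# Constructed sample messages, not taken from real mail.
SPAM = """Dear Friend,
I am a widow with terminal cancer. I wish to transfer
the sum of $4.5 million to your bank account. Please send your
full name and phone number and reply to me."""
HAM = """Hi Sam, the bank account reconciliation is attached.
Please reply to me by Friday if the transfer totals look wrong."""


def extract_concepts(text):
    """Return the set of concept tokens whose patterns match the message."""
    # Lower-case and fold whitespace so line wraps cannot split a phrase.
    flat = re.sub(r"\s+", " ", text.lower())
    return {name for name, pats in COMPILED.items()
            if any(p.search(flat) for p in pats)}


def score(text):
    """Return (total score, names of the rules that fired)."""
    found = extract_concepts(text)
    fired = [(name, pts) for name, needed, pts in RULES if needed <= found]
    return sum(pts for _, pts in fired), [name for name, _ in fired]


def bayes_tokens(text):
    """Concepts as stable tokens that could be fed to a Bayes classifier."""
    return sorted("concept:" + c for c in extract_concepts(text))


if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("ham", HAM)):
        print(label, score(msg), bayes_tokens(msg))
```

The constructed legitimate message still contains the "bank account" and "reply to me" concepts, which is why the score comes from the combinations and not from any single token.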


Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

2016-03-30 Thread Rodgers, Anthony (DTMB)
Which is exactly what framed the tenor of my question when I originally asked 
it. Very Large Providers operate at a scale and under commercial pressures that 
most of us (including me) cannot even imagine.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Wise
Sent: Tuesday, March 29, 2016 21:21
To: Rich Kulawiec ; mailop@mailop.org
Subject: Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

OF COURSE!
THAT'S THE SOLU...
Oh wait, that means we have to get 10x the number of servers ... and data 
centers.

Management won't like that.

So many people think that the things that work just spiffily when everything 
you do fits on a single mail server, will scale across a cluster that has tens 
if not hundreds of thousands of machines. In dozens of data centers. 
Geographically dispersed around the planet.

They don't.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Rich Kulawiec
Sent: Tuesday, March 29, 2016 6:06 PM
To: mailop@mailop.org
Subject: Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

On Wed, Mar 23, 2016 at 10:16:11AM -0700, Michael Peddemors wrote:
> For instance, if it believes
> the message is spam, and the recipient has requested that 'all'
> email be forwarded to a remote account, forwarding that email could 
> make it appear that the forwarder is the source of spam.

Solution: reject it (as spam) during the SMTP connection.  Don't
(knowingly) forward spam to anyone, anywhere, anytime.  (If someone is doing 
research and wants you to deliver it locally: fine.)

> Should you deliver malicious or harmful vectors to a person's email 
> box?  (Eg, a Virus laden attachment?)

Solution: scan it and reject it during the SMTP connection.  There's no point 
in delivering such traffic to anybody, even to those who are smart enough not 
to use highly vulnerable mail clients and operating systems.
(Same comment as above in re research.)

> What if you are in jurisdiction where delivering emails of a specific 
> content is illegal?

Solution: scan it and reject it during the SMTP connection.  If it's illegal to 
deliver, it's probably illegal to possess: so arrange matters so that you don't.

> What if the recipient has indicated that he wants it dropped, rather 
> than be delivered?

Solution: do not offer this option.


Yes, there are *still* edge cases where mail gets dropped: the one that occurs 
to me is spam addressed to a mailing list which makes it by all perimeter 
defenses and arrives in the list's queue. (Where it may be held for moderation; 
any well-run list does so with messages that don't
originate from subscribed addresses.)   Obviously it can't be
rejected any more, because the SMTP connection is closed.  And it sure 
shouldn't be distributed to everyone on the list.  So the only viable
option here is to drop it.   But the cases above are better handled
either by policies that avoid them or by the scanning that's done while the 
original SMTP connection is open.

---rsk



Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

2016-03-24 Thread Rodgers, Anthony (DTMB)
Props, Michael.

Thanks!
--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Wise
Sent: Tuesday, March 22, 2016 13:40
To: Noel Butler ; mailop@mailop.org
Subject: Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

We have convinced some of the Powers That Be that we should find another 
solution, and there is an openness to change on this behavior. Not gonna be 
this week or this month ... who can say for sure. But noise is being made about 
it.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Noel Butler
Sent: Saturday, March 19, 2016 3:54 AM
To: mailop@mailop.org
Subject: Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

On 19/03/2016 09:11, Renaud Allard via mailop wrote:
> On 18/03/16 01:38, Michael Wise wrote:
>> And yes, under certain circumstances, Hotmail/Outlook will 250 the 
>> mail, and may then if it considers the IP sufficiently toxic, delete 
>> it without delivering it to the intended recipient’s INBOX or Junk 
>> folder with no NDR.
> 
> May I suppose that you agree this is something that should never 
> happen? Even if you do not have the power yourself to stop this 
> behaviour.
> 
> 
> 

They can't stop it.
This has been going on since like early 2000's, they couldn't fix cleanfeed 
then, so why you think or expect they can now is beyond me :)


-- 
If you have the urge to reply to all rather than reply to list, you best
first read http://members.ausics.net/qwerty/



Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

2016-03-19 Thread Rodgers, Anthony (DTMB)
“…delete it without delivering it to the intended recipient’s INBOX or Junk 
folder with no NDR…”

When did dropping mail on the floor become acceptable? Or am I just grumpy?

Nobody wants backscatter, but that’s what SMTP-time DSNs are for, no?

I realize that organizations like Outlook/Hotmail operate at a scale that I 
can’t even imagine, so I am ready and willing to be educated...

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Wise
Sent: Thursday, March 17, 2016 20:39
To: Aaron C. de Bruyn ; mailop@mailop.org
Subject: Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

Has the customer signed up for JMRP or SNDS?
Because if not, that would be step #0; see below.

And yes, under certain circumstances, Hotmail/Outlook will 250 the mail, and 
may then if it considers the IP sufficiently toxic, delete it without 
delivering it to the intended recipient’s INBOX or Junk folder with no NDR. The 
issue will be highlighted in the SNDS report, however.

And there is *NO-ONE* at Microsoft who is a contact who can get things running 
smoothly again.
The policy is cast in ferro-cement, no exceptions:


1)  Open a ticket and request mitigation for the IP(s) here: 
    http://go.microsoft.com/fwlink/?LinkID=614866
2)  Wait and see what the machine thinks…
3)  If the IPs are not mitigated, reply to the email and request it, and 
    provide as much detail as possible about:
    A)  what happened,
    B)  what you did to fix it,
    C)  and why it Won’t Happen Again.

As to the programs that Senders should join, they are:

Join the Junk Mail Reporting Program (JMRP)
We believe that your recipients are the best indicator that the email you are 
sending is wanted.  The JMRP program allows you to see which of your emails 
Outlook.com users have marked as junk or unwanted mail.  Reviewing the results 
in JMRP will provide to the most direct information on what characteristics of 
your email, customers, and ultimately SmartScreen®, consider to be unwanted. 
This helpful feedback mechanism allows you to ensure that mails being sent from 
your IP are not resulting in negative feedback that could impact your sending 
reputation. Being vigilant about users who mark your e-mail as unwanted or the 
types of messages that are being marked as unwanted can help you keep mailing 
lists updated with only interested users and modify future campaigns. In 
addition, monitoring user complaints can help you identify unintended mail 
traffic or detect a potentially compromised account sending unwanted mail to 
your customers. Enroll at 
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0.

Join the Smart Network Data Services program (SNDS)
The SNDS program provides data about traffic seen originating from your 
registered IP, such as mail volume and complaint rates. The data is built from 
the log files of the inbound mail machines and other servers at Outlook.com and 
Microsoft and represents factual information about the traffic from your mail 
servers to Outlook.com users. For more information about this free program 
refer to https://postmaster.live.com/snds/FAQ.aspx. To register, please go to 
http://postmaster.msn.com/snds/. (Tip: As part of the enrollment process, you 
are asked to sign the JMRP program agreement and then send a response to 
Support indicating that it has been signed.  It’s not uncommon for that step in 
the enrollment process to be missed.)

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Aaron C. de Bruyn
Sent: Thursday, March 17, 2016 5:12 PM
To: mailop@mailop.org
Subject: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

A customer complained to me they haven't been able to e-mail outlook/hotmail 
users for "a while".

I talked with their IT department and they said "A few weeks ago we had a virus 
that spammed a bunch of people.  We cleaned it up and got de-listed everywhere, 
but outlook.com is still broken".

They gave up and turfed the issue to me (an outside consulting company).

I set up a test account on outlook.com and tried sending several messages.  After 

Re: [mailop] Mail accepted by outlook.com/hotmail.com disappears.

2016-03-19 Thread Rodgers, Anthony (DTMB)
“HotMail has been doing it for some time.”

Oh, I know ☺

“It’s another policy we’re trying to change.”

I appreciate that.

“And from time to time, throwing away stuff you find in the pipeline that “The 
Machine” says is toxic … has a certain appeal.”

I appreciate that also.

Thanks for the reply, and all your contributions to the list.
--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: Michael Wise [mailto:michael.w...@microsoft.com]
Sent: Friday, March 18, 2016 14:34
To: Rodgers, Anthony (DTMB) <rodger...@michigan.gov>; Aaron C. de Bruyn 
<aa...@heyaaron.com>; mailop@mailop.org
Subject: RE: [mailop] Mail accepted by outlook.com/hotmail.com disappears.


Acceptable by whom?
HotMail has been doing it for some time.
Many people external to Microsoft have noted this for some time…

It’s another policy we’re trying to change.

400+ Million customers online, tens of thousands of servers in many datacenters 
across the planet, all acting more or less as one.
And from time to time, throwing away stuff you find in the pipeline that “The 
Machine” says is toxic … has a certain appeal.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?


[mailop] Application for rsync access to CBL

2015-12-16 Thread Rodgers, Anthony (DTMB)
Hi there,

We have made an application to Spamhaus for access to rsync the CBL, and 
followed up with email to 'c...@abuseat.org' as recommended in the directions, 
but have not heard back in days.

Does anyone know if rsync access to the CBL is still a thing? Has anyone been 
recently successful in obtaining it?

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security



Re: [mailop] EHLO/rDNS match

2015-07-08 Thread Rodgers, Anthony (DTMB)
Agreed. We tried this in $OLD_JOB, but it didn’t last very long…

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Franck Martin
Sent: Tuesday, July 07, 2015 14:41
To: tqr2813d376cjozqa...@tutanota.com
Cc: Brandon Long; mailop; John R Levine
Subject: Re: [mailop] EHLO/rDNS match



On Mon, Jul 6, 2015 at 5:34 PM, tqr2813d376cjozqa...@tutanota.com wrote:
7. Jul 2015 00:22 by jo...@taugh.com:
-all only means something if it's by itself, ie as used to say a domain
never sends email.

The SPF crowd would claim otherwise, that -all means reject the message with or 
without other stuff, but I agree that in practice you can't do that other than 
for plain -all meaning we send no mail.



If bigger carriers like Google or Yahoo suddenly started sending perm/temp 
errors where appropriate for validation errors (too many DNS lookups, malformed 
record, etc), -all, and others it might kick enough people in the rear that the 
practice then becomes OK. Or so I would hope. :)

When you do such things, you have to figure out how many legitimate messages 
you will be blocking. You will then have to figure out, which helpdesk is going 
to explode, the sender one, or the receiver one?
Considering many people don't look at their logs nor understand bounce messages 
(they are ghastly), there is very very little incentive for a receiver to 
enforce to the letter the RFCs.