Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Wed, 13 Jan 2010 00:41:00 +0100
Benny Pedersen wrote:

> On Tue 12 Jan 2010 07:48:23 AM CET, Christian Brel wrote
> 
> > http://pastebin.com/m66a5a2ae
> 
> X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
> 

Err, yes - I had already *highlighted* that, it was posted because the
content was interesting ;-)


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread John Hardin

On Tue, 12 Jan 2010, Jason Bertoch wrote:


> > >  I'm just interested in the kind of java-script(?) munging that has
> > >  gone on there and what it is in 'English' for want of a better
> > >  phrase.
> >  Nothing was munged, it's just random text.
>  If so, what's the point to it?


> By no means a JS coder, and haven't dug deeper to find out, but couldn't
> it be pre-compiled JS and not just random text?


Me neither; I'd expect some sort of flag on the 

Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Francis Russell
Jason Bertoch wrote:

> By no means a JS coder, and haven't dug deeper to find out, but couldn't
> it be pre-compiled JS and not just random text?
> 

Doubtful. I don't believe JavaScript has a bytecode or any other (except
in some JavaScript engines' internal representation) compiled format.

Francis



Re: Faked _From_ field using our domain - how to filter/score?

2010-01-12 Thread Benny Pedersen

On Tue 12 Jan 2010 07:17:44 PM CET, Callum Millard wrote

> I'm sure there's a straight forward way of doing this, but after
> several hours of searching, I can't find it.
>
> The problem is spam with a faked 'From:' field.  Spammers are
> sending e-mails to our domain with the 'From:' field set to a valid
> e-mail address from our domain.  Here's an edited example:


google equal sender recipient postfwd

http://www.openspf.org/ add spf to your own domain and test it in your mta

add sender auth to local domain in mta (smtp auth)

what's left now?

cheating a little here, dkim can do it as well, but then the mta needs the
whole body :(




--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Benny Pedersen

On Tue 12 Jan 2010 07:48:23 AM CET, Christian Brel wrote


> http://pastebin.com/m66a5a2ae


X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Jason Bertoch

>>> I'm just interested in the kind of java-script(?) munging that has
>>> gone on there and what it is in 'English' for want of a better
>>> phrase.
>>
>> Nothing was munged, it's just random text.
>
> If so, what's the point to it?



By no means a JS coder, and haven't dug deeper to find out, but couldn't 
it be pre-compiled JS and not just random text?


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Per Jessen
John Hardin wrote:

> On Tue, 12 Jan 2010, Per Jessen wrote:
> 
>> Christian Brel wrote:
>>
>>> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>>> On 12.01.10 06:48, Christian Brel wrote:
> http://pastebin.com/m66a5a2ae
>
> Anyone seen script like that?
>>>
>>> I'm just interested in the kind of java-script(?) munging that has
>>> gone on there and what it is in 'English' for want of a better
>>> phrase.
>>
>> Nothing was munged, it's just random text.
> 
> If so, what's the point to it?
> 

Bayes poisoning? Dunno, but it isn't executable javascript.


/Per Jessen, Zürich



Re: [OT] spamalyser, was "pill image spam learns to walk"

2010-01-12 Thread Kai Schaetzl
Mike Cardwell wrote on Tue, 12 Jan 2010 20:22:44 +:

> It handles remote
> content like images and CSS fine

tip: I would not handle remote content at all as this may lead to account 
verification.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [sa] Faked _From_ field using our domain - how to filter/score?

2010-01-12 Thread John Hardin

On Tue, 12 Jan 2010, Charles Gregory wrote:


> On Tue, 12 Jan 2010, Callum Millard wrote:
> : The problem is spam with a faked 'From:' field.  Spammers are sending
> : e-mails to our domain with the 'From:' field set to a valid e-mail
> : address from our domain.
>
> Unfortunately, if you permit use of your domain name as a 'From' for
> users on other connections (home DSL, etc), then you can only use a
> minimal score in SA and must look for other spamsign.


If you do that you should require they use authenticated and encrypted 
SMTP. SPF et. al. can be bypassed if that is known.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Taking my gun away because I *might* shoot someone is like cutting
  my tongue out because I *might* yell "Fire!" in a crowded theater.
  -- Peter Venetoklis
---
 5 days until Benjamin Franklin's 304th Birthday


Re: Faked _From_ field using our domain - how to filter/score?

2010-01-12 Thread René Berber
Callum Millard wrote:

[snip]
> The problem is spam with a faked 'From:' field.  Spammers are sending
> e-mails to our domain with the 'From:' field set to a valid e-mail
> address from our domain.[snip]

SPF was designed just for that: not only to prevent others from
accepting fake messages that pretend to come from you, but also for your
own server to do the same.

I use milter-spiff with sendmail; postfix can also use milters.  Of
course SPF is not only the milter or SPF tests inside spamassassin, you
have to set it up on your domain DNS master.

[snip]
-- 
René Berber



Re: [sa] Faked _From_ field using our domain - how to filter/score?

2010-01-12 Thread Charles Gregory
On Tue, 12 Jan 2010, Callum Millard wrote:
: The problem is spam with a faked 'From:' field.  Spammers are sending 
: e-mails to our domain with the 'From:' field set to a valid e-mail 
: address from our domain. 

Key question: Can your users send mail 'From' their internal addresses via 
ANY internet connection, or MUST they use your mail server via approved 
internal connections? In the latter case, you can use the suggested check 
for domains, or set up your SPF record for your domain.

Unfortunately, if you permit use of your domain name as a 'From' for users 
on other connections (home DSL, etc), then you can only use a minimal 
score in SA and must look for other spamsign. 

- Charles



[OT] spamalyser, was "Re: pill image spam learns to walk"

2010-01-12 Thread Mike Cardwell
On 12/01/2010 10:24, Henrik K wrote:

>>>> Presently it renders them as plain text. I'm fully aware of the
>>>> potential problems with it. Ideally I'd like to be able to render
>>>> those parts as HTML, but I need to be 100% sure that I've stripped
>>>> out anything dangerous (including embedded remote content by
>>>> default) first. It's on the "ToDo List" page.
>>>
>>> Nice job Mike! :)
>>>
>>> I wrestled with that same issue when I added direct viewing of HTML
>>> content to my offline analysis/FP-pipeline/MassChecks tool.
>>>
>>> Originally, I was using an ActiveX wrapper around IE, which (of
>>> course) made me nervous.  I added some VERY simple, crude tag
>>> stripping (script, iframe, style), but was never happy with it.
>>> I ended up switching to an open source HTML rendering component
>>> which :) lacked support for all the scary stuff.
>>>
>>> Whatever you decide to do, please do post more about it, and q'pla!
>>
>> I shall. There are a multitude of modules on cpan for fixing up html and  
>> stripping out tags. I just need to find time to test them. I've got to  
>> figure out how to "cleanse" the CSS as well. Eg, you can execute  
>> javascript from CSS with stuff like:  
>> background:url("javascript:someFunction();")
> 
> IMO whatever you do, there will always be some hole to be found. Your only
> safe option is to render the HTML into image and display that. It will also
> be always consistent and not depend on browser version.

That was a good suggestion and something I hadn't considered. I've
updated Spamalyser to generate PDFs from HTML parts using the WebKit
rendering engine and QT. So the HTML should look the same as on any
WebKit based user agent. From my tests so far, it's an accurate
representation of what you see in your email client. It handles remote
content like images and CSS fine, and also content attached to the email
with Content-ID headers referenced by cid: URIs. Here's a prime example:
http://spamalyser.com/v/jfv3iz0l/mime#part_1.2

PDF is better than an image because it allows you to maintain the links
in the document. A PNG "thumbnail" generated from the PDF is displayed
alongside text/html parts. Clicking that preview image takes you to the
PDF.

I've also tweaked some of the styling so the headers are easier to read.

I've also set up a mailman based mailing list which is linked to from
http://spamalyser.com/ so if anyone wants to discuss anything further to
do with Spamalyser the discussion should probably move there. Any
further announcements will happen there, not here.

-- 
Mike Cardwell: UK based IT Consultant, LAMP developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/   #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/blog/
Spamalyser   : Spam Tool  - http://spamalyser.com/


Re: Faked _From_ field using our domain - how to filter/score?

2010-01-12 Thread Kai Schaetzl
Callum Millard wrote on Tue, 12 Jan 2010 18:17:44 +:

> Postfix

Postfix? Easy. 

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/mail/allow_recipients,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/mail/access,
    check_sender_access hash:/etc/mail/disallow_my_domains

Note the last one!


Kai






Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Tue, 12 Jan 2010 10:56:09 -0800 (PST)
John Hardin wrote:

> On Tue, 12 Jan 2010, Per Jessen wrote:
> 
> > Christian Brel wrote:
> >
> >> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> >> On 12.01.10 06:48, Christian Brel wrote:
>  http://pastebin.com/m66a5a2ae
> 
>  Anyone seen script like that?
> >>
> >> I'm just interested in the kind of java-script(?) munging that has
> >> gone on there and what it is in 'English' for want of a better
> >> phrase.
> >
> > Nothing was munged, it's just random text.
> 
> If so, what's the point to it?
> 

That was also my thought. Spammers never do something without a reason,
but they do screw up. My initial thoughts were 'is this some kind of
obfuscated Java-script?' But the more I look at it, the less I think it
is anything useful. I guess it could poison a bayes at best if marked
as spam?


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread John Hardin

On Tue, 12 Jan 2010, Per Jessen wrote:


> Christian Brel wrote:
>
>> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>> On 12.01.10 06:48, Christian Brel wrote:
>>>> http://pastebin.com/m66a5a2ae
>>>>
>>>> Anyone seen script like that?
>>
>> I'm just interested in the kind of java-script(?) munging that has
>> gone on there and what it is in 'English' for want of a better phrase.
>
> Nothing was munged, it's just random text.

If so, what's the point to it?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The third basic rule of firearms safety:
  Keep your booger hook off the bang switch!
---
 5 days until Benjamin Franklin's 304th Birthday


Faked _From_ field using our domain - how to filter/score?

2010-01-12 Thread Callum Millard
I'm sure there's a straight forward way of doing this, but after several 
hours of searching, I can't find it.

The problem is spam with a faked 'From:' field.  Spammers are sending e-mails 
to our domain with the 'From:' field set to a valid e-mail address from our 
domain.  Here's an edited example:

>
Received: from localhost (localhost.localdomain [127.0.0.1])by
 ourmailserver.ourDomain.ac.uk (Postfix) with ESMTP id 571FB198ACDE for
 ; Tue, 12 Jan 2010 15:46:07 + 
(GMT)
X-Virus-Scanned: amavisd-new at swarthmore.org.uk
X-Spam-Flag: NO
X-Spam-Score: 2.162
X-Spam-Level: **
X-Spam-Status: No, score=2.162 required=4.7 tests=[AWL=-6.560, BAYES_50=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905, URIBL_AB_SURBL=1.86,
URIBL_BLACK=1.955]
Received: from ourmailserver.ourDomain.ac.uk ([127.0.0.1])  by localhost
 (ourmailserver.ourDomain.ac.uk [127.0.0.1]) (amavisd-new, port 10024)  with 
ESMTP
 id GwJCdn5Rq7xr for ;Tue, 12 
Jan 2010 15:45:37
 + (GMT)
Received-SPF: none (mass-business.com: No applicable sender policy available) 
receiver=dns2.swarthmore.org.uk; identity=mfrom; 
envelope-from="toweringtub...@mass-business.com"; 
helo=hbrn-5d84dddf.pool.mediaWays.net; client-ip=293.132.208.201
Received: from hbrn-5d84dddf.pool.mediaWays.net
 (hbrn-5d84d014.pool.mediaWays.net [293.132.208.201])   by
 ourmailserver.ourDomain.ac.uk (Postfix) with ESMTP id 5F4DC198ACDB for
 ; Tue, 12 Jan 2010 15:45:37 + 
(GMT)
Received: from 293.132.208.201 by mass-business.com.s6a2.psmtp.com; Tue, 12 Jan
 2010 16:45:35 +0100
Message-ID: <000d01ca939e$4805b590$6400a...@toweringtub507>
From: 
To: 
Subject: Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we 
get started? "I'm on this dating site - come in to me.
Date: Tue, 12 Jan 2010 16:45:35 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0007_01CA939E.4805B590"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Return-Path: toweringtub...@mass-business.com
X-PMWin-Version: 3.0.2.0, Antivirus-Engine: 3.3.1, Antivirus-Data: 4.49G
X-PureMessage: [Scanned]

From: validinternalmailaddr...@ourdomain.ac.uk
Sent: 12 January 2010 15:46
To: Valid User
Subject: Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we 
get started? "I'm on this dating site - come in to me. Want to know what the 
real Russian girls love and warmth? Just a small click
<

Whilst Postfix drops fake HELOs claiming to be from our domain, this has a 
valid HELO but a faked 'FROM:'.  The problems with this are twofold:

1.  It shows up as internal mail so gets -6 points or so from the 
auto-whitelist thus giving it a decent chance of getting through.
2.  Because it has a valid 'From:' field, users are likely to open it as they 
think it's from another member of staff, or if they're being dim, that they 
sent it to themselves.

Could anyone point me in the right direction to deal with this?  Currently it's 
fine if we just drop them as there's no situation where mail originating from 
external networks should have a 'From:' field with our domain in it.  This may 
change in the future if we implement external mail access and the like, so it 
would be useful if I knew how to drop the messages from the AWL when the 
'Received: from' field or similar doesn't match the 'From:' field domain, and 
then give it a score as appropriate.  

I'm sure it's possible as Spamassassin has yet to let me down: it always cheers 
me up when I watch our costly alternative, Sophos' anti-spam, stare dumbly at 
the task in hand before seeming to turn its back and let the world of spam go 
about its business unmolested.  Having seen Sophos' attempts I've always had 
Spamassassin in place before Sophos and the rest gets so much as a sniff of 
external mail.

Any pointers would be very gratefully received as my brain has sat down and 
given up on this and with these Adobe zero-days about, I'm getting the fear.

Many thanks,


Calum
IT Donkey
Swarthmore Centre
UK



NB. One further point is that Spamassassin is called and hence partially 
configured by Amavisd-new.

Details:

Fedora Core 9.
Kernel 2.6.27.25-78.2.56.fc9.i686
postfix-2.5.6-1.fc9.i386
spamassassin-3.2.5-1.fc9.i386
amavisd-new-2.5.2-2.fc8.noarch

(All software installed from RPMs.)
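The check Callum asks for, as an added post-delivery example that is not from this thread nor SpamAssassin's or Postfix's own code: a From: or envelope sender in our own domain is trusted only when the hop that handed the message to our MTA came from inside mynetworks or was a SASL-authenticated submission (which Postfix stamps "with ESMTPA"/"ESMTPSA"), the same rule Kai's permit_mynetworks/permit_sasl_authenticated/disallow_my_domains chain applies at SMTP time. The domains, networks, MTA hostname and both sample messages are assumed/constructed.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAINS = {"ourdomain.ac.uk"}                           # assumed
OUR_MTA = "ourmailserver.ourdomain.ac.uk"                   # assumed
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]         # assumed (TEST-NET)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bwith E?SMTPS?A\b")  # Postfix marks SASL-authenticated hops ESMTPA/ESMTPSA

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def addr_domain(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def is_internal(ip):
    """True when ip is inside mynetworks; unparsable values (like the 293.x in the thread) count as external."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)
    except ValueError:
        return False

def entry_hop(msg):
    """(client_ip, authenticated) for the hop that handed the message to OUR MTA.
    Only Received: lines stamped 'by <our MTA>' are trusted; lines below them were
    written by the sender and can be forged. Internal unauthenticated hops (the
    amavisd loopback, LAN relays) are skipped; (None, False) means never left the LAN."""
    for hop in msg.get_all("Received", []):
        hop = " ".join(str(hop).split())          # unfold and squeeze whitespace
        m = IP_RE.search(hop)
        if ("by " + OUR_MTA) not in hop.lower() or not m:
            continue
        ip, authenticated = m.group(1), AUTH_RE.search(hop) is not None
        if is_internal(ip) and not authenticated:
            continue
        return ip, authenticated
    return None, False

def classify(raw):
    """'not-ours', 'trusted-internal' or 'forged-internal' for a raw RFC 5322 message."""
    msg = parse(raw)
    claimed = {addr_domain(msg["From"]), addr_domain(msg["Return-Path"])} & OUR_DOMAINS
    if not claimed:
        return "not-ours"                 # ordinary external mail: normal scoring applies
    ip, authenticated = entry_hop(msg)
    if ip is None or authenticated:
        return "trusted-internal"         # LAN origin or SASL submission: AWL bonus is fine
    return "forged-internal"              # our domain in From:, but it came in from outside

# Constructed messages modelled on the thread's example (addresses and IPs made up).
FORGED = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
 by ourmailserver.ourdomain.ac.uk (Postfix) with ESMTP id 0000AAAA
 for <staff@ourdomain.ac.uk>; Tue, 12 Jan 2010 15:46:07 +0000 (GMT)
Received: from hbrn-5d84dddf.pool.example.net (hbrn-5d84dddf.pool.example.net [198.51.100.23])
 by ourmailserver.ourdomain.ac.uk (Postfix) with ESMTP id 0000AAAB
 for <staff@ourdomain.ac.uk>; Tue, 12 Jan 2010 15:45:37 +0000 (GMT)
Return-Path: toweringtubby@mass-business.example
From: staff@ourdomain.ac.uk
To: staff@ourdomain.ac.uk
Subject: Hi, I'm from Russia

Want to know what the real Russian girls love? Just a small click
"""

LEGIT = """\
Received: from laptop.example.net (cpe-198-51-100-77.example.net [198.51.100.77])
 by ourmailserver.ourdomain.ac.uk (Postfix) with ESMTPSA id 0000BBBB
 for <staff@ourdomain.ac.uk>; Tue, 12 Jan 2010 16:01:00 +0000 (GMT)
From: alice@ourdomain.ac.uk
To: staff@ourdomain.ac.uk
Subject: lunch

Sandwiches at one?
"""
```

A "forged-internal" verdict is where a local rule would add score or bypass the AWL bonus; once roaming users are allowed (Charles' question), only the authenticated path keeps them on the trusted side.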

Re: Fake mailing list spam

2010-01-12 Thread Joseph Brennan



> Report the abuse to Google and reject any mail from
> @listserv.bounces.google.com



Trademark violation?  http://www.lsoft.com/corporate/trademark.asp

I thought this was faked the first time I saw it.


Joseph Brennan
Columbia University Information Technology




[no subject]

2010-01-12 Thread postmaster....@gmail.com
unsubscribe



Re: [SPAM:9.6] Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Tue, 12 Jan 2010 12:15:41 +0100
Per Jessen wrote:

> Christian Brel wrote:
> 
> > On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> > On 12.01.10 06:48, Christian Brel wrote:
> >> > http://pastebin.com/m66a5a2ae
> >> > 
> >> > Anyone seen script like that?
> >> 
> >> It's the kind of content that should be captured by clamav imho.
> >> clamav does have some kind of javascript decoding engine.
> > 
> > If I'm fair to Clam, Matus, it did catch it :-)
> > X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
> > 
> > I'm just interested in the kind of java-script(?) munging that has
> > gone on there and what it is in 'English' for want of a better
> > phrase.
> 
> Nothing was munged, it's just random text.
> 
> 
> /Per Jessen, Zürich
> 

Call me suspicious ;-)


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Per Jessen
Christian Brel wrote:

> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> On 12.01.10 06:48, Christian Brel wrote:
>> > http://pastebin.com/m66a5a2ae
>> > 
>> > Anyone seen script like that?
>> 
>> It's the kind of content that should be captured by clamav imho.
>> clamav does have some kind of javascript decoding engine.
> 
> If I'm fair to Clam, Matus, it did catch it :-)
> X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
> 
> I'm just interested in the kind of java-script(?) munging that has
> gone on there and what it is in 'English' for want of a better phrase.

Nothing was munged, it's just random text.


/Per Jessen, Zürich



Re: Compiling error on Snapshots from svn.spamassassin.org

2010-01-12 Thread Mark Martinec
On Tuesday January 12 2010 11:54:55 Justin Mason wrote:
> hi -- is this still occurring with latest snapshots?  If so, could you
> open a ticket at our bugzilla?
> 
> On Tue, Jan 5, 2010 at 21:00, David Bayle wrote:
> > - Trying to setup snapshots from
> > http://svn.apache.org/snapshots/spamassassin/
> > make[1]: *** No rule to make target `sa-awl.raw', needed by `sa-awl'. 

Yes it does. The snapshot tarballs are missing the file sa-awl.raw.

The file however _is_ present in the svn checkout,
and in -rc1 and -rc2 tarballs.


  Mark


Re: Compiling error on Snapshots from svn.spamassassin.org

2010-01-12 Thread Justin Mason
hi -- is this still occurring with latest snapshots?  If so, could you
open a ticket at our bugzilla?

On Tue, Jan 5, 2010 at 21:00, David Bayle  wrote:
> Hi,
>
> Our setup is:
> - Ubuntu 8.04 ( 2.6.26 )
> - Trying to setup snapshots from
> http://svn.apache.org/snapshots/spamassassin/
> - Tested:
>
>  spamassassin_20100104211200.tar.gz
>  spamassassin_20100105031200.tar.gz
>  spamassassin_20100105091200.tar.gz
>  spamassassin_20100105151200.tar.gz
>
> We are trying to install SA snapshot from the svn.apache.org, but we got
> this error with all snapshots:
>
> config.status: creating config.h
> /usr/bin/make -f spamc/Makefile spamc/spamc
> make[2]: Entering directory `/home/dbayle/spamassassin'
> gcc  -g -O2 spamc/spamc.c spamc/getopt.c spamc/libspamc.c spamc/utils.c \
>         -o spamc/spamc -L/usr/local/lib  -ldl -lz
> make[2]: Leaving directory `/home/dbayle/spamassassin'
> cp spamc/spamc blib/script/spamc
> /usr/bin/perl "-MExtUtils::MY" -e "MY->fixin(shift)" blib/script/spamc
> /usr/bin/perl build/preprocessor  -Mvars -DVERSION="3.003000"
> -DPREFIX="/usr" -DDEF_RULES_DIR="/usr/share/spamassassin"
> -DLOCAL_RULES_DIR="/etc/mail/spamassassin"
> -DLOCAL_STATE_DIR="/var/lib/spamassassin"
> -DINSTALLSITELIB="/usr/share/perl5" -DCONTACT_ADDRESS="the administrator of
> that system" -Msharpbang -Mconditional -DPERL_BIN="/usr/bin/perl"
> -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-learn.raw -osa-learn
> cp sa-learn blib/script/sa-learn
> /usr/bin/perl "-MExtUtils::MY" -e "MY->fixin(shift)" blib/script/sa-learn
> make[1]: *** No rule to make target `sa-awl.raw', needed by `sa-awl'.  Stop.
> make[1]: Leaving directory `/home/dbayle/spamassassin'
> make: *** [build-stamp] Error 2
> dpkg-buildpackage: failure: debian/rules build gave error exit status 2
>
>
> Could you help us?
> Best regards,
> ZEROSPAM technical support
>
> --
> ZEROSPAM Sécurité Inc. - http://www.zerospam.ca
> Tel: (514) 527 3232  #210
> Fax: (514) 527 1201
>
> This email has been filtered by ZEROSPAM for your security. This email has
> been scanned by ZEROSPAM for your security. zerospam.ca/
>



-- 
--j.


Re: pill image spam learns to walk

2010-01-12 Thread Kai Schaetzl
Ted, sorry, but your case is lost (since long, look around) and I won't 
bite in such an off-topic discussion here. Please stop telling others that 
refusing to accept mail from non-rDNS machines is "incorrect". If you 
*prefer* to handle this at SA level, that's your choice and you can tell 
that. But stop saying in this authoritative way that it is the only 
reputable (="correct") way. It is definitely not.

My last bits on this topic.

Kai






Re: pill image spam learns to walk

2010-01-12 Thread Henrik K
On Tue, Jan 12, 2010 at 10:15:32AM +, Mike Cardwell wrote:
> On 12/01/2010 06:28, Chip M. wrote:
>
>>> Presently it renders them as plain text. I'm fully aware of the
>>> potential problems with it. Ideally I'd like to be able to render
>>> those parts as HTML, but I need to be 100% sure that I've stripped
>>> out anything dangerous (including embedded remote content by
>>> default) first. It's on the "ToDo List" page.
>>
>> Nice job Mike! :)
>>
>> I wrestled with that same issue when I added direct viewing of HTML
>> content to my offline analysis/FP-pipeline/MassChecks tool.
>>
>> Originally, I was using an ActiveX wrapper around IE, which (of
>> course) made me nervous.  I added some VERY simple, crude tag
>> stripping (script, iframe, style), but was never happy with it.
>> I ended up switching to an open source HTML rendering component
>> which :) lacked support for all the scary stuff.
>>
>> Whatever you decide to do, please do post more about it, and q'pla!
>
> I shall. There are a multitude of modules on cpan for fixing up html and  
> stripping out tags. I just need to find time to test them. I've got to  
> figure out how to "cleanse" the CSS as well. Eg, you can execute  
> javascript from CSS with stuff like:  
> background:url("javascript:someFunction();")

IMO whatever you do, there will always be some hole to be found. Your only
safe option is to render the HTML into image and display that. It will also
be always consistent and not depend on browser version.



Re: pill image spam learns to walk

2010-01-12 Thread Mike Cardwell

On 12/01/2010 06:28, Chip M. wrote:


>> Presently it renders them as plain text. I'm fully aware of the
>> potential problems with it. Ideally I'd like to be able to render
>> those parts as HTML, but I need to be 100% sure that I've stripped
>> out anything dangerous (including embedded remote content by
>> default) first. It's on the "ToDo List" page.
>
> Nice job Mike! :)
>
> I wrestled with that same issue when I added direct viewing of HTML
> content to my offline analysis/FP-pipeline/MassChecks tool.
>
> Originally, I was using an ActiveX wrapper around IE, which (of
> course) made me nervous.  I added some VERY simple, crude tag
> stripping (script, iframe, style), but was never happy with it.
> I ended up switching to an open source HTML rendering component
> which :) lacked support for all the scary stuff.
>
> Whatever you decide to do, please do post more about it, and q'pla!

I shall. There are a multitude of modules on cpan for fixing up html and 
stripping out tags. I just need to find time to test them. I've got to 
figure out how to "cleanse" the CSS as well. Eg, you can execute 
javascript from CSS with stuff like: 
background:url("javascript:someFunction();")

>> I'm also aware of the issues surrounding people potentially
>> uploading images and then linking to them from spam websites or
>> spam. That's why I've put http referer restrictions in place.
>
> Perhaps redirecting to an image saying something like
> "this is spam"? :)

Then people couldn't share direct links to email parts such as images. 
For example, if I went to http://spamalyser.com/v/6xnb26gp/ and clicked 
on the image, it would give me a direct link to the image. I might then 
IM that link to somebody. When they click on the URL, the referer won't 
be valid and I don't want it to display a "This is spam" image. So what 
it does is redirect you back to http://spamalyser.com/v/6xnb26gp/ and 
jump to the point on the page where the image is displayed. It's a 
little difficult to explain.

> What about requiring registration?  Yes, it's not enough to
> stop the most determined, but will whittle it down to the least
> stupid.

Requiring registration in order to paste emails won't get rid of the 
problem. Requiring registration in order to read the pasted emails would 
completely solve the problem, however I think that would also stop most 
people from using the service. I'm trying to keep it simple.

Anywho, this is probably getting off topic now.



Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> On 12.01.10 06:48, Christian Brel wrote:
> > http://pastebin.com/m66a5a2ae
> > 
> > Anyone seen script like that?
> 
> It's the kind of content that should be captured by clamav imho.
> clamav does have some kind of javascript decoding engine.

If I'm fair to Clam, Matus, it did catch it :-)
X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)

I'm just interested in the kind of java-script(?) munging that has gone
on there and what it is in 'English' for want of a better phrase.


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Per Jessen
Matus UHLAR - fantomas wrote:

> On 12.01.10 06:48, Christian Brel wrote:
>> http://pastebin.com/m66a5a2ae
>> 
>> Anyone seen script like that?
> 
> It's the kind of content that should be captured by clamav imho.

It's plain spam - personally I don't want clamav to deal with spam.

> clamav does have some kind of javascript decoding engine.

It's gobbledegook, not really a script. 


/Per Jessen, Zürich



Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Matus UHLAR - fantomas
On 12.01.10 06:48, Christian Brel wrote:
> http://pastebin.com/m66a5a2ae
> 
> Anyone seen script like that?

It's the kind of content that should be captured by clamav imho.
clamav does have some kind of javascript decoding engine.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: pill image spam learns to walk

2010-01-12 Thread Matus UHLAR - fantomas
>> Ted Mittelstaedt wrote on Mon, 11 Jan 2010 15:27:07 -0800:
>>> It simply means that sites WITHOUT a PTR are still fully compliant mailers.

> Kai Schaetzl wrote:
>> This has nothing to do with RFC-compliance, but with policy, well 
>> accepted policy. 

On 11.01.10 20:42, Ted Mittelstaedt wrote:
> Policy that should be handled in SA and not the MTA, which I've said  
> twice now.

It would not be a policy then. There are sites/admins who enforce this
policy at SMTP level. And it's their decision.

If you don't have one, better not complain to those policy makers but to
your ISP.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody