Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread jdow

I suspect that entire /23 subnet is sour and should be blocked.

{^_^}
- Original Message - 
From: "Martin Gregorie" 

Sent: Tuesday, 2010/September/07 17:18



On Tue, 2010-09-07 at 16:05 -0700, jdow wrote:

whois 67.50.37.35


There's something odd about that IP all right. I got this:

$ host 67.50.37.35
35.37.50.67.in-addr.arpa domain name pointer zone35.tribalhostland.com.

but "host zone35.tribalhostland.com" just says 3(NXDOMAIN) and
attempts to use whois on the domain name say it's an unknown domain.


Martin




Re: unblacklist_from_rcvd

2010-09-07 Thread Matt Kettler

On 9/7/2010 7:11 PM, William Taylor wrote:

> I want to be able to only allow a certain email to be sent from one of several
> hosts.
>
> Currently I'm doing something like:
>
> blacklist_from  sa...@foo.com
> whitelist_from_rcvd sa...@foo.com mail.foo.com
> whitelist_from_rcvd sa...@foo.com sales.foo.com
>
> This doesn't really do what I want because the blacklist and whitelist scores
> cancel each other out.
>
> I saw talk in the past (2002?) about adding an unblacklist_from_rcvd
>
> what I really want is a
> blacklist_from sa...@foo.com
> unblacklist_from_rcvd sa...@foo.com mail.foo.com
>
> OR
>
> only_allow_from_rcvd sa...@foo.com mail.foo.com
>
>
> What are my options to accomplish this?

SA does not have any support for this.

The unblacklist commands do exist, but will only remove an entry that 
they match *EXACTLY*. Their function is implemented as "if this is 
found, delete it", and are intended to allow a user_prefs to completely 
delete site-wide white/blacklist entries. They cannot be used to create 
a blacklist with "holes" in it.


You can negate a blacklist with a whitelist, but the scores simply 
offset, as you've seen.


It is possible to change the score of the whitelist rule, to make it 
larger in magnitude than the blacklist rule, and thus keep some 
negative score.

i.e., adding this to your local.cf:

score USER_IN_WHITELIST -120.000

Would cause any white/black overlap to result in a -20 score. However, 
any whitelists without overlap would now get -120 instead of -100... 
That may or may not be an issue for you, but it is one approach to the 
problem you have.



see also man Mail::SpamAssassin::Conf:

unwhitelist_from_rcvd a...@ress.com
Used to override a default whitelist_from_rcvd entry, so for example
a distribution whitelist_from_rcvd can be overridden in a local.cf
file, or an individual user can override a whitelist_from_rcvd entry
in their own "user_prefs" file.

The specified email address has to match exactly the address
previously used in a whitelist_from_rcvd line.








Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread Martin Gregorie
On Tue, 2010-09-07 at 16:05 -0700, jdow wrote:
> whois 67.50.37.35
>
There's something odd about that IP all right. I got this:

$ host 67.50.37.35
35.37.50.67.in-addr.arpa domain name pointer zone35.tribalhostland.com.

but "host zone35.tribalhostland.com" just says 3(NXDOMAIN) and
attempts to use whois on the domain name say it's an unknown domain.


Martin





unblacklist_from_rcvd

2010-09-07 Thread William Taylor
I want to be able to only allow a certain email to be sent from one of several 
hosts.

Currently I'm doing something like:

blacklist_from  sa...@foo.com
whitelist_from_rcvd sa...@foo.com mail.foo.com
whitelist_from_rcvd sa...@foo.com sales.foo.com

This doesn't really do what I want because the blacklist and whitelist scores 
cancel each other out.

I saw talk in the past (2002?) about adding an unblacklist_from_rcvd

what I really want is a
blacklist_from sa...@foo.com
unblacklist_from_rcvd sa...@foo.com mail.foo.com

OR

only_allow_from_rcvd sa...@foo.com mail.foo.com


What are my options to accomplish this?

Thanks,
  William

Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread jdow

From: "John Hardin" 
Sent: Tuesday, 2010/September/07 10:02



On Tue, 7 Sep 2010, Per Jessen wrote:

> John Hardin wrote:
>
>>> Sorry to mislead. SPAM was caught by spamassassin.
>>> How can I get this guy stopped?
>>> IP addresses are: 67.50.37.35,.36,.69,.75
>>
>> Ah. Yes, that's a different question.
>>
>> (1) Find out who owns those network addresses.
>>
>> Use tools like http://enc.com.au/itools/inetnum.php and
>> http://enc.com.au/itools/person.php to do that.
>
> whois will also tell you.

True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning an "unable to return results
due to high traffic" message.


Works from here, John.
===8<---
whois 67.50.37.35
[Querying whois.arin.net]
[Redirected to whois.integraonline.com:43]
[Querying whois.integraonline.com]
[whois.integraonline.com]
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:Network-Name:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Street-Address:250 STOCKTON AVE
network:City:SANTA CLARA
network:State:CA
network:Postal-Code:95126
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2010-02-24
network:Updated-By:tradz...@integra.net

network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:Network-Name:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Street-Address:1201 NE Lloyd Blvd, Ste 500
network:City:Portland
network:State:OR
network:Postal-Code:97232
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2009-12-03
network:Updated-By:hostmas...@integra.net

%error 350 Invalid Query Syntax
%ok
===8<---
I'm not sure where the error 350 came from. GIGLINX or ELI-NETWORK-ELIX
may have a bad setup.

GIGLINX may be a formal spam source. The address "looks" bad to me. 95126
is San Jose. I don't know if it includes Santa Clara or not. (I'm not
familiar with that area.) I'd email integra.net about it at abuse,
hostmaster, and after an MTR run integra's upstream provider.

It's easier to simply let it accumulate and get a decent picture of what
the spam hydra is doing of late, which is about 3 times the volume of a
month ago. 

{^_^} 



Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread Chris
On Tue, 2010-09-07 at 10:02 -0700, John Hardin wrote:
> On Tue, 7 Sep 2010, Per Jessen wrote:
> 
> > John Hardin wrote:
> >
> >>> Sorry to mislead. SPAM was caught by spamassassin.
> >>> How can I get this guy stopped?
> >>> IP addresses are: 67.50.37.35,.36,.69,.75
> >>
> >> Ah. Yes, that's a different question.
> >>
> >> (1) Find out who owns those network addresses.
> >>
> >> Use tools like http://enc.com.au/itools/inetnum.php and
> >> http://enc.com.au/itools/person.php to do that.
> >
> > whois will also tell you.
> 
> True, but at the time I was composing that message both command-line whois
> and several US-based web UIs were returning an "unable to return results
> due to high traffic" message.
> 

John, I missed the beginning of this post so I guess you originally sent
it. Anyway here is a way you can track this down:

First telnet to whois.cymru.com port 43, which gives you:
67.50.37.35
AS  | IP   | AS Name
7385| 67.50.37.35  | INTEGRATELECOM - Integra Telecom, Inc.

Then telnet to whois.ra.net port 43:

telnet whois.ra.net 43
Trying 198.108.0.8...
Connected to radb3.merit.edu (198.108.0.8).
Escape character is '^]'.
as7385
aut-num:AS7385
as-name:Integra
descr:  INTEGRA TELECOM
admin-c:Network Services
tech-c: Network Services
import: from AS12003
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS3549
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS22899
accept <^AS22154+$> AND NOT {0.0.0.0/0}
import: from AS2914
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS7911
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS13857
accept <^AS13857+$> AND NOT {0.0.0.0/0}
import: from AS18463
accept <^AS18463+$> AND NOT {0.0.0.0/0}
import: from AS4587
accept <^AS4587+$> AND NOT {0.0.0.0/0}
import: from AS22154
accept <^AS22154+$> AND NOT {0.0.0.0/0}
import: from AS22899
accept <^AS22154+$> AND NOT {0.0.0.0/0}
import: from AS26676
accept <^AS26676+$> AND NOT {0.0.0.0/0}
import: from AS19441
accept <^AS19441+$> AND NOT {0.0.0.0/0}
import: from AS29984
accept <^AS29984+$> AND NOT {0.0.0.0/0}
import: from AS30629
accept <^AS30629+$> AND NOT {0.0.0.0/0}
import: from AS32810
accept <^AS32810+$> AND NOT {0.0.0.0/0}
import: from AS8
accept <^AS8+$> AND NOT {0.0.0.0/0}
import: from AS36740
accept <^AS36740+$> AND NOT {0.0.0.0/0}
import: from AS16933
accept <^AS16933+$> AND NOT {0.0.0.0/0}
import: from AS32879
accept <^AS32879+$> AND NOT {0.0.0.0/0}
import: from AS39986
accept <^AS39986+$> AND NOT {0.0.0.0/0}
export: to AS2914
announce AS-INTEGRA
export: to AS3549
announce AS-INTEGRA
export: to AS4587
announce ANY
export: to AS6993
announce AS-INTEGRA
export: to AS7911
announce AS-INTEGRA
export: to AS13857
announce ANY
export: to AS18463
announce ANY
export: to AS22154
announce ANY
export: to AS22899
announce AS-INTEGRA
export: to AS26676
announce ANY
export: to AS19441
announce ANY
export: to AS29984
announce ANY
export: to AS32810
announce ANY
export: to AS8
announce ANY
export: to AS36740
announce ANY
export: to AS16933
announce ANY
export: to AS32879
announce ANY
export: to AS39986
announce ANY
export: to AS12003
announce AS-INTEGRA7385
export: to AS3549
announce AS-INTEGRA7385
export: to AS22899
announce AS-INTEGRA7385
mnt-by: MAINT-AS7385
changed:randy.roo...@integratelecom.com 20060726
source: RADB

person:Network Services
address:   15200 NBN Way
address:   Blue Ridge Summit, PA 17214
phone: +1-301-459-3132
e-mail:networksupp...@hudsonps.com
nic-hdl:   NES4-LEVEL3
changed:   kelly.macen...@level3.como 20100518
source:LEVEL3

Then telnet whois.radb.net 43

telnet whois.radb.net 43
Trying 198.108.0.18...
Connected to whois.radb.net (198.108.0.18).
Escape character is '^]'.
MAINT-AS7385
mntner: MAINT-AS7385
descr:  Maintainer for AS7385
admin-c:Data Engineering
tech-c: Data Engineering
upd-to: b...@integra.net
mnt-nfy:b...@integra.net
auth:   CRYPT-PW HIDDENCRYPTPW
auth:   MAIL-FROM steven.raym...@integratelecom.com
auth:   MAIL-FROM kenneth.mcint...@integratelecom.com
auth:   MAIL-FROM b...@integra.net
auth:   MAIL-FROM craig.heidger...@integratelecom.com
auth:   MAIL-FROM randy.roo...@integratelecom.com
auth:
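
The replies from jdow and Chris above show the two whois formats a lookup like this comes back in: RWhois `network:Key:Value` records from the carrier's server, and Team Cymru's pipe-separated IP-to-ASN table. The Python below is an added example, not code from any poster. It parses both formats from reply text trimmed from the outputs quoted in this thread (embedded inline so it runs offline) and picks the most specific allocation that covers an address, which is the record an abuse report should be addressed to rather than the carrier's /15. Field names such as `IP-Network`, `Org-Name` and `Admin-Contact` come from the quoted output; the function names are mine.

```python
"""Parse the two whois reply formats quoted in this thread and pick the most
specific allocation covering an address. Added example; the sample replies
are trimmed copies of the outputs quoted on the list, not live lookups."""
import ipaddress

# Team Cymru IP-to-ASN reply (whois.cymru.com, port 43): a pipe-separated table
# with a header row. Sample trimmed from Chris's post.
CYMRU_REPLY = """\
AS      | IP               | AS Name
7385    | 67.50.37.35      | INTEGRATELECOM - Integra Telecom, Inc.
"""

# RWhois reply (whois.integraonline.com, port 43): "class:Key[;flags]:Value"
# lines, records separated by blank lines, '%' lines are protocol chatter.
# Sample trimmed from jdow's post (postal details omitted).
RWHOIS_REPLY = """\
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Admin-Contact;I:ITIA-ARIN
network:Updated:2010-02-24

network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Admin-Contact;I:ITIA-ARIN
network:Updated:2009-12-03

%error 350 Invalid Query Syntax
%ok
"""


def parse_cymru(text):
    """Return one dict per data row, keyed by the header cells (AS, IP, AS Name)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [cell.strip() for cell in lines[0].split("|")]
    return [dict(zip(header, (cell.strip() for cell in ln.split("|"))))
            for ln in lines[1:]]


def parse_rwhois(text):
    """Return one dict per record. The 'network:' class prefix and the ';I'
    indirection flag are dropped from keys, so 'network:Org-Name;I:X' -> Org-Name."""
    records, current = [], {}
    for ln in text.splitlines():
        if not ln.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if ln.startswith("%"):
            continue  # banner, %error 350, %ok: not record data
        parts = ln.split(":", 2)
        if len(parts) < 3:
            continue  # malformed line; skip it rather than abort the whole reply
        _cls, key, value = parts
        current[key.split(";")[0]] = value.strip()
    if current:
        records.append(current)
    return records


def most_specific_allocation(records, ip):
    """Longest-prefix match of `ip` against each record's IP-Network.
    Returns (network, record) or None. The /23 customer block wins over the
    /15 carrier block, so the report reaches the party actually holding the space."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        try:
            net = ipaddress.ip_network(rec["IP-Network"], strict=False)
        except (KeyError, ValueError):
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best


def abuse_lookup(ip, cymru_text=CYMRU_REPLY, rwhois_text=RWHOIS_REPLY):
    """Combine both sources into the facts an abuse report needs."""
    asn = next((row for row in parse_cymru(cymru_text) if row["IP"] == ip), None)
    alloc = most_specific_allocation(parse_rwhois(rwhois_text), ip)
    return {
        "ip": ip,
        "asn": asn["AS"] if asn else None,
        "as_name": asn["AS Name"] if asn else None,
        "allocation": str(alloc[0]) if alloc else None,
        "org": alloc[1].get("Org-Name") if alloc else None,
        "admin_contact": alloc[1].get("Admin-Contact") if alloc else None,
    }


if __name__ == "__main__":
    for key, value in abuse_lookup("67.50.37.35").items():
        print(f"{key:14} {value}")
```

Feeding it the real replies means capturing the whois session output to a file first; the `%error 350` line jdow saw is skipped along with the banner, so a noisy server does not break the parse.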

Re: Checking envelope sender

2010-09-07 Thread Joseph Brennan




MAIL FROM: <"some rubbish words" <>>



Why doesn't sendmail reject it like it does here?

Sep  6 04:57:26 calabash sm-mta[22772]: [ID 801593 mail.notice] 
o868vKo9022772: ruleset=check_mail, arg1=<"vjaqrra scuper acntive make your 
sskexxual" <>>, relay=adsl-pool-124.157.160-227.dynamic.tttmaxnet.com 
[124.157.160.227] (may be forged), reject=553 5.5.4 <"vjaqrra scuper 
acntive make your sskexxual" <>>... Domain name required for sender address




Joseph Brennan
Columbia University Information Technology



Re: Checking envelope sender

2010-09-07 Thread John Hardin

On Tue, 7 Sep 2010, Mike Bro wrote:

> Hello,
>
> Environment:
> latest sendmail and latest spamassassin
>
> I am just trying to fight a spammer that used to send too many
> emails. The pattern I discovered is that during smtp communication with
> my incoming mail server in the from field he puts something like:
>
> MAIL FROM: <"some rubbish words" <>>
>
> That results in my qf... file as line:
> S<"some rubbish words" <>>
>
> Any idea how I could write a rule in spamassassin to test this line?


That depends on how Sendmail renders that in the message headers. It might 
change <> to 


A better tool for this particular problem is milter-regex. That will let 
you reject the guy the moment he sends that garbage.


Can you post an actual example of what he sends?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control is nothing more than an attempt to return to feudalism,
  where the peasants are helpless and must humbly petition their lord
  and master to protect them from bandits and thieves (when they can
  get around to it), and where the lords and masters can abuse the
  peasants whenever they like without fear of effective resistance.
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution


Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread John Hardin

On Tue, 7 Sep 2010, Per Jessen wrote:

> John Hardin wrote:
>
>>> Sorry to mislead. SPAM was caught by spamassassin.
>>> How can I get this guy stopped?
>>> IP addresses are: 67.50.37.35,.36,.69,.75
>>
>> Ah. Yes, that's a different question.
>>
>> (1) Find out who owns those network addresses.
>>
>> Use tools like http://enc.com.au/itools/inetnum.php and
>> http://enc.com.au/itools/person.php to do that.
>
> whois will also tell you.

True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning an "unable to return results
due to high traffic" message.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  So Microsoft's invented the ASCII equivalent to ugly ink spots that
  appear on your letter when your pen is malfunctioning.
 -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution


Re: Checking envelope sender

2010-09-07 Thread Bowie Bailey
 On 9/7/2010 12:50 PM, Martin Gregorie wrote:
> On Tue, 2010-09-07 at 16:46 +0100, Mike Bro wrote:
>> Hello,
>>
>> Environment:
>> latest sendmail and latest spamassassin
>>
>> I am just trying to fight a spammer that used to send too many emails.
>> The pattern I discovered is that during smtp communication with my
>> incoming mail server in the from field he puts something like:
>> MAIL FROM: <"some rubbish words" <>>
>>
>> That results in my qf... file as line:
>> S<"some rubbish words" <>>
>>
>> Any idea how I could write a rule in spamassassin to test this line?
>>
> I don't recognise "MAIL FROM:" as any sort of standard mail header.
> Telling us some header is "something like" this is not useful
> information either. 
>
> If you want help, show us *exactly* what the header looks like. Better
> yet, upload the entire mail message to Pastebin or an equivalent and
> post the URL here so we can see the entire spam.

"MAIL FROM:" is the envelope sender from the smtp dialog.  This
information is not available to SA unless your MTA writes it into the
headers.  Show us a sample message (headers and all) as Martin requested
and we may be able to help.

-- 
Bowie
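
Joseph's log line above and Bowie's reply show where the envelope sender can actually be seen: in sendmail's own log, not in the headers SpamAssassin reads. The Python below is an added example of mine, not code from any poster. It parses constructed sendmail reject lines modelled on the one Joseph posted, classifies the rejected sender the way check_mail's "Domain name required for sender address" test does (treating the bare `<>` null sender as legitimate), and tallies domainless senders per relay address so a pattern like this can be reported or handled at the MTA. The log lines, queue ids, IPs and function names are constructed; the `check_mail` ruleset name and the `553 5.5.4` text are as sendmail logs them.

```python
"""Find envelope-sender rejects in sendmail's syslog output and classify the
sender the way sendmail's check_mail ruleset does. Added example; the log
lines are constructed after the one Joseph Brennan posted, not real traffic."""
import re
from collections import Counter

# Constructed sample: one line copied in shape from Joseph's post, a second
# check_mail reject from another relay, a check_rcpt reject that must be
# ignored, and an ordinary delivery line that has no ruleset= at all.
SAMPLE_LOG = """\
Sep  6 04:57:26 calabash sm-mta[22772]: [ID 801593 mail.notice] o868vKo9022772: ruleset=check_mail, arg1=<"vjaqrra scuper acntive make your sskexxual" <>>, relay=adsl-pool-124.157.160-227.dynamic.tttmaxnet.com [124.157.160.227] (may be forged), reject=553 5.5.4 <"vjaqrra scuper acntive make your sskexxual" <>>... Domain name required for sender address
Sep  6 05:01:02 calabash sm-mta[22790]: [ID 801593 mail.notice] o869120022790: ruleset=check_mail, arg1=<"some rubbish words" <>>, relay=[192.0.2.10], reject=553 5.5.4 <"some rubbish words" <>>... Domain name required for sender address
Sep  6 05:03:40 calabash sm-mta[22801]: [ID 801593 mail.notice] o8693eAB022801: ruleset=check_rcpt, arg1=<nobody@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <nobody@example.net>... Relaying denied
Sep  6 05:04:11 calabash sm-mta[22805]: [ID 801593 mail.info] o8694Bxy022805: from=<bounce@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.com [198.51.100.7]
"""

# One reject line: queue id, ruleset, the argument that was rejected, the relay
# (hostname optional, IP always in brackets) and the reply code plus enhanced status.
LOG_RE = re.compile(
    r"(?P<qid>\w+): ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>.+?), "
    r"relay=(?:(?P<relay>\S+) )?\[(?P<ip>[0-9.]+)\].*?"
    r"reject=(?P<code>\d{3} \d\.\d\.\d) "
)

# Optional quoted display phrase followed by an angle-bracketed address.
ADDR_RE = re.compile(r'\s*(?:"(?P<display>[^"]*)"\s*)?<(?P<addr>[^<>]*)>\s*')


def envelope_sender_parts(arg1):
    """Split sendmail's arg1 into (display, address). `<"words" <>>` yields
    ("words", ""): a quoted phrase wrapping an empty address, exactly what
    the sender in this thread uses. A bare `<>` yields ("", "")."""
    inner = arg1.strip()
    if inner.startswith("<") and inner.endswith(">"):
        inner = inner[1:-1]
    m = ADDR_RE.fullmatch(inner)
    if m:
        return m.group("display") or "", m.group("addr")
    return "", inner


def classify_sender(arg1):
    """'null-sender' for the bare <> that bounces must use, 'ok' when the
    address has a domain part, 'no-domain' otherwise (sendmail answers 553 5.5.4)."""
    display, addr = envelope_sender_parts(arg1)
    if not addr and not display:
        return "null-sender"
    if "@" in addr and addr.rsplit("@", 1)[1]:
        return "ok"
    return "no-domain"


def summarize_rejects(log_text):
    """Return (hits, per_ip): hits is one dict per check_mail reject, per_ip
    counts domainless senders per relay address, ready for a report."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("ruleset") != "check_mail":
            continue
        hits.append({
            "qid": m.group("qid"),
            "ip": m.group("ip"),
            "relay": m.group("relay") or "",
            "code": m.group("code"),
            "sender_class": classify_sender(m.group("arg1")),
        })
    per_ip = Counter(h["ip"] for h in hits if h["sender_class"] == "no-domain")
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = summarize_rejects(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(dict(per_ip))
```

Run against a real maillog this gives the per-relay counts an abuse report or a rate limit needs; the `check_rcpt` line is deliberately in the sample so the filter on ruleset is exercised, and the `(may be forged)` annotation after the relay is tolerated by the lazy `.*?` before `reject=`.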


Re: Checking envelope sender

2010-09-07 Thread Martin Gregorie
On Tue, 2010-09-07 at 16:46 +0100, Mike Bro wrote:
> Hello,
> 
> Environment:
> latest sendmail and latest spamassassin
> 
> I am just trying to fight a spammer that used to send too many emails.
> The pattern I discovered is that during smtp communication with my
> incoming mail server in the from field he puts something like:
> MAIL FROM: <"some rubbish words" <>>
> 
> That results in my qf... file as line:
> S<"some rubbish words" <>>
> 
> Any idea how I could write a rule in spamassassin to test this line?
> 
I don't recognise "MAIL FROM:" as any sort of standard mail header.
Telling us some header is "something like" this is not useful
information either. 

If you want help, show us *exactly* what the header looks like. Better
yet, upload the entire mail message to Pastebin or an equivalent and
post the URL here so we can see the entire spam.


Martin




Checking envelope sender

2010-09-07 Thread Mike Bro
Hello,

Environment:
latest sendmail and latest spamassassin

I am just trying to fight a spammer that used to send too many emails.
The pattern I discovered is that during smtp communication with my
incoming mail server in the from field he puts something like:
MAIL FROM: <"some rubbish words" <>>

That results in my qf... file as line:
S<"some rubbish words" <>>

Any idea how I could write a rule in spamassassin to test this line?

Thanks in advance,
Mike


Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread Per Jessen
John Hardin wrote:

>> Sorry to mislead. SPAM was caught by spamassassin.
>> How can I get this guy stopped?
>> IP addresses are: 67.50.37.35,.36,.69,.75
> 
> Ah. Yes, that's a different question.
> 
> (1) Find out who owns those network addresses.
> 
> Use tools like http://enc.com.au/itools/inetnum.php and
> http://enc.com.au/itools/person.php to do that.

whois will also tell you.


/Per Jessen, Zürich



Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread John Hardin

On Mon, 6 Sep 2010, Dennis German wrote:

> On Sun, 5 Sep 2010, Dennis German wrote:
>
>> In the last several weeks I have been receiving a lot of spam with email
>> addresses of the form:
>>
>> learningmadeeasy.???...@??.yourseemlost.net
>> learningmadeeasy.???...@??.hisoftenusing.net
>> learningmadeeasy.???...@??.wheatdrinkcontrol.net
>> learningmadeeasy....@??.actbookfelt.net
>> learningmadeeasy....@??.stillstationwhether.net
>> learningmadeeasy....@??.legbottleloss.net
>>
>> and
>> accountingeducation.gpx...@oiteew.badpeoplepaper.net
>> accountingeducation.ihd...@aapufx.stillstationwhether
>> accountingeducation.ionm...@wxnuab.legbottleloss.net
>> accountingeducation.iqle...@mlmuwx.stillstationwhethe
>>
>> and
>>
>> affordablelifeinsurance.aj...@wiogif.constum.net
>> affordablelifeinsurance.ki...@pzodkk.injecou.net
>>
>> How do we stop this guy?
>
> John, thanks for the reply.
>
> Sorry to mislead. SPAM was caught by spamassassin.
> How can I get this guy stopped?
> IP addresses are: 67.50.37.35,.36,.69,.75


Ah. Yes, that's a different question.

(1) Find out who owns those network addresses.

Use tools like http://enc.com.au/itools/inetnum.php and 
http://enc.com.au/itools/person.php to do that.


(I provide .au tools as the ones in .us are overloaded at the moment.)

That tells us:
Network Number  67.50.0.0 - 67.51.255.255
Origin  AS7385
NIC Handle  NET-67-50-0-0-1
Status  Direct Allocation
DNS Servers NS2.INTEGRAONLINE.COM
NS.INTEGRAONLINE.COM
Created 2003-06-20
2000-07-05
Changed 2008-11-03
2010-03-04
Description Integra Telecom, Inc.
1201 NE Lloyd
Suite 500
Portland
OR
97232
Country United States (US)
Abuse Contact   ABUSE91-ARIN
Tech ContactITIA-ARIN

NIC Handle  ABUSE91-ARIN
Description Integra Telecom Inc.
19545 NW Von Neumann
Beaverton
OR
97006
Country United States (US)
Created 2002-10-30
Changed 2002-10-30
Phone   +1-503-748-4511 (Office)
Email   ab...@integratelecom.com

(2) Report the abuse to them.

Send an email to the abuse address reporting the offending IP addresses 
and the nature of the abuse.


They may be resellers so they may send you on to a smaller entity that 
owns those particular IP addresses


The owner will either have terms of service that prohibit spamming and 
will try to stop the abuse, or are "spam-friendly" and will ignore you, 
or possibly are a small company that is clueless and won't have any idea 
what to do.


Keep logs of the traffic for evidence. The ISP may ask for them.

Best of luck.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  After ten years (1998-2008) of draconian gun control in the State
  of Massachusetts, the results are in: firearms-related assaults up
  78%, firearms-related homicides up 67%, assault-related emergency
  room visits up 331%. Gun Control does not reduce violent crime.
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution


Re: spam caught, now how to catch spammer

2010-09-07 Thread Daniel McDonald



On 9/5/10 8:46 PM, "Dennis German"  wrote:

> In the last several weeks I have been receiving a lot of spam with email
> addresses of the form:
> 
> learningmadeeasy.???...@??.yourseemlost.net
> 
> accountingeducation.gpx...@oiteew.badpeoplepaper.net
> 
> affordablelifeinsurance.aj...@wiogif.constum.net
> 
> How do we stop this guy?
> 
Greylisting and a good snowshoe-spammer rbl like invaluement.  Invaluement
costs a little, but our snowshoe spam has pretty much disappeared since we
enabled it. 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281