Spam from google photos?
These are the headers: http://pastebin.com/udbDgJ8L Seems to have come from Google, but is spam. I can't even read the language :)
[OT] RBLs
Hi, we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:

Barracuda
SpamRats
JunkEmailFilter
SpamEatingMonkey

Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.

--
Thanks, Phil
Re: [OT] RBLs
On 2012-01-11 12:28, --[ UxBoD ]-- wrote:
> Hi, we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:
>
> Barracuda
> SpamRats
> JunkEmailFilter
> SpamEatingMonkey
>
> Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.

Invaluement does a great job (only tested in tagging mode)
Re: [OT] RBLs
On 11.01.2012 12:28, --[ UxBoD ]-- wrote:
> Hi, we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:
>
> Barracuda
> SpamRats
> JunkEmailFilter
> SpamEatingMonkey

never used this

> Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.
>
> --
> Thanks, Phil

Besides SpamAssassin I use these RBLs with Postfix:

reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net

mostly in with some selective setup, clamav milter with sanesecurity, greylist, and some postscreen configs.

ix.dnsbl.manitu.net perhaps is more of interest for the German/Euro region.

That was always enough for most global spam; for sure you need to analyse your logs and make special setups related to IPs, domains etc. sometimes.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [OT] RBLs
The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites. Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(

--
Thanks, Phil

----- Original Message -----
> On 11.01.2012 12:28, --[ UxBoD ]-- wrote:
>> Hi, we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:
>>
>> Barracuda
>> SpamRats
>> JunkEmailFilter
>> SpamEatingMonkey
>
> never used this
>
>> Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.
>>
>> --
>> Thanks, Phil
>
> Besides SpamAssassin I use these RBLs with Postfix:
>
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client ix.dnsbl.manitu.net
>
> mostly in with some selective setup, clamav milter with sanesecurity, greylist, and some postscreen configs.
>
> ix.dnsbl.manitu.net perhaps is more of interest for the German/Euro region.
>
> That was always enough for most global spam; for sure you need to analyse your logs and make special setups related to IPs, domains etc. sometimes.
>
> --
> Best Regards
> MfG Robert Schetterer
> Germany/Munich/Bavaria
Re: [OT] RBLs
On 11/01/12 12:38, Robert Schetterer wrote:
> On 11.01.2012 12:28, --[ UxBoD ]-- wrote:
>> Hi, we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:
>>
>> Barracuda
>> SpamRats
>> JunkEmailFilter
>> SpamEatingMonkey

Hi,

I use JunkEmailFilter and SpamHaus with Postfix on the front-end.

reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rbl_client sbl-xbl.spamhaus.org

Blocks most of the spam sent to us. Not knowingly had an FP, and no one has complained (of course I should never know;)

I won't use zen. (or pbl) as I do not wish to penalise people who wish to run their own email servers on their home networks (e.g. SOHO or hobbyists). But this is a matter of principle and I have the impression most use zen/pbl .spamhaus.org

Additionally I use clamav-milter with SaneSecurity, and spamass-milter with Postfix. Did you consider using these? These are both easy to set up.

> never used this
>
>> Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.
>>
>> --
>> Thanks, Phil
>
> Besides SpamAssassin I use these RBLs with Postfix:
>
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client ix.dnsbl.manitu.net
>
> mostly in with some selective setup, clamav milter with sanesecurity, greylist, and some postscreen configs.
>
> ix.dnsbl.manitu.net perhaps is more of interest for the German/Euro region.
>
> That was always enough for most global spam; for sure you need to analyse your logs and make special setups related to IPs, domains etc. sometimes.

--
PGP is optional: 4BA78604
simon @ klunky . org
simon @ klunky . co.uk
I won't accept your confidentiality agreement, and your Emails are kept.
~Ö¿Ö~
Re: [OT] RBLs
On 11.01.2012 12:57, --[ UxBoD ]-- wrote:
> The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites. Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(

Don't top post.

I am not seeing any relevant spam wave at the moment on my servers; mostly everybody has their own spam. Analyse your logs to find out what might fit best on your setup to filter that spam; don't add RBLs blindly in the hope that this helps by magic.

Spam is normal these days; only the unfiltered spam quota and the false positive quota are really relevant, and these should be as small as possible. But there will always be spam that bypasses filters; reacting to that with fitting, targeted actions is your job as postmaster.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [OT] RBLs
On Wed, 11 Jan 2012, --[ UxBoD ]-- wrote:
> The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites. Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(

Graylisting would be one answer to this particular scenario. However it has the downside of delaying legit messages. Some clients seem to think that e-mail == IM and get PO'ed if messages don't arrive within seconds of sending. Actually had a faculty ask me how to set his T-bird to check for new messages every -second-, didn't want to wait a minute. ;(

--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: [OT] RBLs
On 1/11/2012 11:51 AM, Dave Funk wrote:
> On Wed, 11 Jan 2012, --[ UxBoD ]-- wrote:
>> The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites.

sanesecurity hits many of these. uri filters can also assist.. surbl, uribl

>> Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(
>
> Graylisting would be one answer to this particular scenario. However it has the downside of delaying legit messages. Some clients seem to think that e-mail == IM and get PO'ed if messages don't arrive within seconds of sending. Actually had a faculty ask me how to set his T-bird to check for new messages every -second-, didn't want to wait a minute. ;(

imap?

--
Ken Anderson
Re: [OT] RBLs
On Wed, 11 Jan 2012, Ken A wrote:
> On 1/11/2012 11:51 AM, Dave Funk wrote:
>> On Wed, 11 Jan 2012, --[ UxBoD ]-- wrote:
>>> The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites.
>
> sanesecurity hits many of these. uri filters can also assist.. surbl, uribl

Problem with all those methods is that they're reactive, will not hit until -after- somebody has seen the bad crap and created filters, RBL-lists, taught Bayes, etc. The OP explicitly said that the first spam run was at 06:39 and by 06:42 it was hitting RBLs (pretty darned quick by my book;). However he has some fussy customers who weren't understanding and so was asking for a method of dealing with this. Only one I could come up with was graylisting to defer the messages until sanesecurity, uri filters, etc could catch them.

>>> Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(
>>
>> Graylisting would be one answer to this particular scenario. However it has the downside of delaying legit messages. Some clients seem to think that e-mail == IM and get PO'ed if messages don't arrive within seconds of sending. Actually had a faculty ask me how to set his T-bird to check for new messages every -second-, didn't want to wait a minute. ;(
>
> imap?

Yes, this is on an IMAP server but he was an impatient critter. I just tossed that out as an illustration of how unreasonable/impatient some people can be.

--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: [OT] RBLs
On 1/11/2012 5:10 PM, David B Funk wrote:
> Problem with all those methods is that they're reactive, will not hit until -after- somebody has seen the bad crap and created filters, RBL-lists, taught Bayes, etc. The OP explicitly said that the first spam run was at 06:39 and by 06:42 it was hitting RBLs (pretty darned quick by my book;). However he has some fussy customers who weren't understanding and so was asking for a method of dealing with this.

This is actually a good argument for having a variety of good IP and URI DNSBLs. Even the fastest reacting ones are going to update, at most, once per minute. (and even that is rather rare... I think most fast-reacting ones update every ~5 minutes.) Even then, public DNSBLs have to rsync from the master to mirrors before the data is usable. For this reason, you're going to hit some DNSBLs just seconds after they updated... others are going to be a little less fresh. This is exactly why having multiple quality DNSBLs is helpful. If you check 8 different good ones instead of 2 different good ones (for example), then there is a greater chance that you'll query one of those mere seconds after it updated, and where it already had data on a new spam campaign.

Along those lines, with the invaluement blacklists that I manage... we're soon going to offer a special version whereby we send an alert to trigger subscribers' rsyncs within a couple of seconds after each invaluement list's last update--thus making that reaction time even faster--and causing more spam that is at the tip of the spear to get caught.

ALSO: There are OFTEN times when an IP doesn't have a chance to get caught, but it contains a domain already found on surbl, uribl, ivmURI, or DBL. Or, times when a domain hadn't had a chance to get caught yet, but the IP is caught from a previous spam campaign. But if you're not using all the best DNSBLs, you miss out on some of this!

MORE: And, btw, really good /24 blacklists do _preemptively_ block much snowshoe spam, from the very 1st spam sent!

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
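As an added example that is not part of the thread, the mechanics behind Simon's `reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2` and Rob's "check several lists" argument: the client IP is reversed, the zone is appended, and the returned 127.0.0.x record is compared against the optional `=code` filter, then several lists are tried in turn. The resolver is injectable and the answer table in the test is constructed, so nothing here queries a real DNSBL; `system_resolver` is the only part that touches the network.

```python
# Added example (not from the list thread): a Postfix reject_rbl_client style
# DNSBL lookup. The client IP is reversed, the zone appended, and the A record
# (127.0.0.x) compared with the optional "=code" filter. The resolver is
# injectable so the code runs offline against a constructed answer table.
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed IPv4 octets (or reversed IPv6 nibbles) + zone,
    e.g. 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")


def system_resolver(name: str) -> List[str]:
    """Real DNS via libc; 'not listed' (NXDOMAIN) comes back as []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_hit(ip: str, spec: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Evaluate one spec: 'zone' matches any 127.0.0.x answer, 'zone=127.0.0.2'
    only that exact code (other return codes of that list are not rejected).
    Returns the matching answer or None."""
    zone, _, want = spec.partition("=")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if not answer.startswith("127."):
            continue  # DNSBL answers live in 127/8; anything else is a broken list
        if not want or answer == want:
            return answer
    return None


def first_listing(ip: str, specs: Iterable[str],
                  resolve: Resolver = system_resolver) -> Optional[Tuple[str, str]]:
    """Query several DNSBLs in order; return (spec, answer) for the first hit.
    More independent lists mean a better chance that one of them has already
    picked up a campaign that started a few minutes ago."""
    for spec in specs:
        answer = dnsbl_hit(ip, spec, resolve)
        if answer:
            return spec, answer
    return None
```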
Re: [OT] RBLs
On 1/11/2012 2:10 PM, David B Funk wrote:
> Problem with all those methods is that they're reactive, will not hit until -after- somebody has seen the bad crap and created filters, RBL-lists, taught Bayes, etc. The OP explicitly said that the first spam run was at 06:39 and by 06:42 it was hitting RBLs (pretty darned quick by my book;). However he has some fussy customers who weren't understanding and so was asking for a method of dealing with this. Only one I could come up with was graylisting to defer the messages until sanesecurity, uri filters, etc could catch them.

I only apply greylisting if there's already something suspicious about the DNS (mismatching or missing forward or reverse entries), reason to believe that a connection might be from a dynamic IP, a stupid or invalid HELO/EHLO, SPF soft-fail and/or possibly a few other criteria. This setup generally allows a competently run mail server to get through on the first try without any delays at all, but gives poorly run mail servers a second chance after greylisting has given DNSBLs a bit of time to catch up.

Luckily since email isn't an instant messenger, greylisting is an option. You can implement it on a per-user basis too, based on whether a user would prefer spam filters err on the side of being quick or right.

> Yes, this is on an IMAP server but he was an impatient critter. I just tossed that out as an illustration of how unreasonable/impatient some people can be.

The point is that most modern IMAP servers support IDLE, which pushes mail to the client as soon as the server knows about it. No polling, no waiting.

--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
Re: sa-update channel list
>>>>> "MS" == Michael Scheidell <michael.scheid...@secnap.com> writes:

MS> #1 priority: keep your version of sa updated

Hmmm, taking a look at it, I find the last update was about 2011/10/24.
Too bad sa-update -D doesn't spit out the date.
Re: sa-update channel list
On 1/11/12 9:35 PM, jida...@jidanni.org wrote:
> MS> #1 priority: keep your version of sa updated
>
> Hmmm, taking a look at it, I find the last update was about 2011/10/24.
> Too bad sa-update -D doesn't spit out the date.

I meant your version of spamassassin.
3.3.2 was updated yesterday.
if you don't have the current version of spamassassin then your sa-update channel will be older. (case in point)

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
__
This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/
__
Re: sa-update channel list
On 01/12, jida...@jidanni.org wrote:
> >>>>> "MS" == Michael Scheidell <michael.scheid...@secnap.com> writes:
>
> MS> #1 priority: keep your version of sa updated
>
> Hmmm, taking a look at it, I find the last update was about 2011/10/24.
> Too bad sa-update -D doesn't spit out the date.

I don't remember what that update was for, but versions prior to 3.3.0 stopped getting regular updates in 2008.

--
"Every normal man must be tempted at times to spit upon his hands, hoist the black flag, and begin slitting throats." - Henry Louis Mencken (1880-1956)
http://www.ChaosReigns.com
Re: sa-update channel list
>>>>> "MS" == Michael Scheidell <michael.scheid...@secnap.com> writes:

MS> On 1/11/12 9:35 PM, jida...@jidanni.org wrote:
MS> > MS> #1 priority: keep your version of sa updated
MS> >
MS> > Hmmm, taking a look at it, I find the last update was about 2011/10/24.
MS> > Too bad sa-update -D doesn't spit out the date.
MS>
MS> I meant your version of spamassassin.
MS> 3.3.2 was updated yesterday.
MS> if you don't have the current version of spamassassin then your sa-update channel will be older. (case in point)

All I know is I'm using

Jan 12 11:07:09.394 [21138] dbg: generic: SpamAssassin version 3.4.0-r1102360

which is obviously newer than 3.3.2.
Re: [OT] RBLs
On 11.01.2012 23:37, Rob McEwen wrote:
> On 1/11/2012 5:10 PM, David B Funk wrote:
>> Problem with all those methods is that they're reactive, will not hit until -after- somebody has seen the bad crap and created filters, RBL-lists, taught Bayes, etc. The OP explicitly said that the first spam run was at 06:39 and by 06:42 it was hitting RBLs (pretty darned quick by my book;). However he has some fussy customers who weren't understanding and so was asking for a method of dealing with this.
>
> This is actually a good argument for having a variety of good IP and URI DNSBLs. Even the fastest reacting ones are going to update, at most, once per minute. (and even that is rather rare... I think most fast-reacting ones update every ~5 minutes.) Even then, public DNSBLs have to rsync from the master to mirrors before the data is usable. For this reason, you're going to hit some DNSBLs just seconds after they updated... others are going to be a little less fresh. This is exactly why having multiple quality DNSBLs is helpful. If you check 8 different good ones instead of 2 different good ones (for example), then there is a greater chance that you'll query one of those mere seconds after it updated, and where it already had data on a new spam campaign.
>
> Along those lines, with the invaluement blacklists that I manage... we're soon going to offer a special version whereby we send an alert to trigger subscribers' rsyncs within a couple of seconds after each invaluement list's last update--thus making that reaction time even faster--and causing more spam that is at the tip of the spear to get caught.
>
> ALSO: There are OFTEN times when an IP doesn't have a chance to get caught, but it contains a domain already found on surbl, uribl, ivmURI, or DBL. Or, times when a domain hadn't had a chance to get caught yet, but the IP is caught from a previous spam campaign. But if you're not using all the best DNSBLs, you miss out on some of this!
>
> MORE: And, btw, really good /24 blacklists do _preemptively_ block much snowshoe spam, from the very 1st spam sent!
>
> --
> Rob McEwen
> http://dnsbl.invaluement.com/
> r...@invaluement.com
> +1 (478) 475-9032

Hi Rob, read the Postfix archives about RBLs; there are tons of info, this was all discussed before. There is simply nothing very new about this theme; there might be news with the coming increase in IPv6 spam.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria