Re: spamcop spamassassin reporting

2013-07-20 Thread AndreaS Schamanek
Giles Coochey wrote:
> Is there a current issue with reporting to spamcop?

I had problems, too. Though, in my case I just got a warning message on the
Spamcop web interface saying that messages sent to me were bouncing with
"5.1.0 - Unknown address error" which was very probably due to problems on
Spamcop's side. I don't know more, though.

-- 
-- Andreas




--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/spamcop-spamassassin-reporting-tp105878p105885.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Blocking new spam wave

2013-07-20 Thread Neil Schwartzman

On Jul 19, 2013, at 10:35 PM, Andrea wrote:

> Hi all.
> 
> Since a few days ago I'm being buried under spam messages that slip through 
> my amavis/SA setup.
> The messages all look alike: plaintext with random junk + URL in the body.
> Pastebin with a few examples here: http://g2z.me/ed64d
> 
> I've tried running a sa-update but I don't have enough samples (yet). The 
> thing that bothers me is that all the messages have been classified as HAM by 
> the auto learn (which I have now disabled).
> What could be an effective rule/ruleset to block emails like this?


The emitting IPs appear to be on some fairly prominent blacklists:

65.20.0.50 http://multirbl.valli.org/lookup/65.20.0.50.html 
Blacklisted: 10 Brownlisted: 0  Yellowlisted: 0 Whitelisted: 0
210.188.175.148 http://multirbl.valli.org/lookup/210.188.175.148.html   
Blacklisted: 14 Brownlisted: 0  Yellowlisted: 0 Whitelisted: 0
217.16.6.131 http://multirbl.valli.org/lookup/217.16.6.131.html 
Blacklisted: 17 Brownlisted: 0  Yellowlisted: 0 Whitelisted: 0


The problem, or at least part of it, is that the payloads are all redirects via 
compromised legitimate sites on hosting companies:

http://prembhatiatrust . com/public-sex.html?cuzahetysu
http://auto-atendimentos . info/algerie.html?japu
http://chapcanhuocmo . vn./springbreak.html

prembhatiatrust. com | Creation Date: 23-apr-2002 | 74.208.211.99
auto-atendimentos. info | Created On:30-Mar-2013 11:25:09 UTC | 173.192.200.207
chapcanhuocmo. vn | Ngày đăng ký:   04-04-2011 | 222.255.29.22


for those who care, the ultimate payloads are:

mega-hot-sites . com
hot-hot-sites . com
lovely-sites . com

all sitting on 213.183.59.30  (anders. ru)

which has a couple NS SBLed, which cover all of the payloads (1):

ns1.eliteadultsites. com   213.183.59.30   SBL
ns2.eliteadultsites. com   213.183.59.30   SBL

Passive DNS for 213.183.59.30_32

Records found: 31 (moved & 404 elided)


(1)
   Domain Name: COOL-COOL-SITES . com
   Registrar: BIZCN . com, INC.
   Whois Server: whois.bizcn . com
   Referral URL: http://www.bizcn . com
   Name Server: NS1.ELITEADULTSITES . com
   Name Server: NS2.ELITEADULTSITES . com
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Updated Date: 15-jun-2013
   Creation Date: 16-nov-2012
   Expiration Date: 16-nov-2013


   Domain Name: ELITEADULTSITES . com
   Registrar: BIZCN . com, INC.
   Whois Server: whois.bizcn . com
   Referral URL: http://www.bizcn . com
   Name Server: NS1.ELITEADULTSITES . com
   Name Server: NS2.ELITEADULTSITES . com
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Updated Date: 15-jun-2013
   Creation Date: 16-oct-2012
   Expiration Date: 16-oct-2013


   Domain Name: FINEADULTVIDEO . com
   Registrar: BIZCN . com, INC.
   Whois Server: whois.bizcn . com
   Referral URL: http://www.bizcn . com
   Name Server: NS1.ELITEADULTSITES . com
   Name Server: NS2.ELITEADULTSITES . com
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Updated Date: 15-jun-2013
   Creation Date: 05-oct-2012
   Expiration Date: 05-oct-2013


   Domain Name: HOT-HOT-SITES . com
   Registrar: BIZCN . com, INC.
   Whois Server: whois.bizcn . com
   Referral URL: http://www.bizcn . com
   Name Server: NS1.ELITEADULTSITES . com
   Name Server: NS2.ELITEADULTSITES . com
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Updated
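
Added example, not part of the original thread: a sketch of the two DNS checks the message above relies on, a DNSBL lookup on the sending relay and a check of the name servers behind each body URL, showing why a body URL on a compromised legitimate site passes while the final payload domain does not. The zone name, host names, addresses and the lookup_a/lookup_ns stubs are constructed placeholders standing in for real DNS queries.

```python
import ipaddress
import re

ZONE = "bl.example.invalid"  # hypothetical DNSBL zone, not a real service
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_qname(ip, zone=ZONE):
    """Reversed address labels + zone (octets for IPv4, nibbles for IPv6)."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return rev.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def is_listed(ip, lookup_a):
    """A DNSBL signals a listing by answering with a 127.0.0.0/8 address."""
    return any(ipaddress.ip_address(a) in LOOPBACK
               for a in lookup_a(dnsbl_qname(ip)))

def uri_hosts(body):
    """Host names of http(s) URLs in the body, lower-cased, root dot removed."""
    found = re.findall(r"https?://([^/\s?#:]+)", body)
    return sorted({h.lower().rstrip(".") for h in found})

def ns_listed(host, lookup_ns, lookup_a):
    """True if any name server of the host's domain sits on a listed IP."""
    return any(is_listed(ip, lookup_a)
               for ns in lookup_ns(host) for ip in lookup_a(ns))

def evaluate(relay_ip, body, lookup_ns, lookup_a):
    return {"relay_listed": is_listed(relay_ip, lookup_a),
            "uri_ns_listed": {h: ns_listed(h, lookup_ns, lookup_a)
                              for h in uri_hosts(body)}}

# Constructed DNS data (documentation names and address ranges only).
A_RECORDS = {
    "10.2.0.192.bl.example.invalid": ["127.0.0.2"],     # sending relay: listed
    "30.100.51.198.bl.example.invalid": ["127.0.0.2"],  # payload NS IP: listed
    "ns1.hoster.example": ["203.0.113.5"],              # clean shared-hosting NS
    "ns1.payload-ns.example": ["198.51.100.30"],
}
NS_RECORDS = {"hacked-shop.example": ["ns1.hoster.example"],
              "payload.example": ["ns1.payload-ns.example"]}

def lookup_a(name):
    return A_RECORDS.get(name, [])

def lookup_ns(host):
    return NS_RECORDS.get(host, [])

BODY = "kq zmx pfw http://hacked-shop.example./offer.html?cuzah"  # constructed
RESULT = evaluate("192.0.2.10", BODY, lookup_ns, lookup_a)
```

RESULT flags the relay but not the body URL, because the compromised site's own name servers are clean; only the domain reached after the redirect (payload.example here) trips the name-server check.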

Re: spamcop spamassassin reporting

2013-07-20 Thread Neil Schwartzman

On Jul 20, 2013, at 12:16 AM, AndreaS Schamanek wrote:

> Giles Coochey wrote:
>> Is there a current issue with reporting to spamcop?
> 
> I had problems, too. Though, in my case I just got a warning message on the
> Spamcop web interface saying that messages sent to me were bouncing with
> "5.1.0 - Unknown address error" which was very probably due to problems on
> Spamcop's side. I don't know more, though.


On Jul 20, 2013, at 5:17 AM, SpamCop Admin wrote:

> We were running a parallel process that caused false bounces.