New spamming trick?
I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.

There are two ways of recognising it:
- the List-id: header is set to UnknownList.yahoogroups.com
- the user part of the To address is alphanumeric soup

Martin
Re: New spamming trick?
On 10/10/2014 01:46 PM, Martin Gregorie wrote:
> I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.
>
> There are two ways of recognising it:
> - the List-id: header is set to UnknownList.yahoogroups.com
> - the user part of the To address is alphanumeric soup

pls pastebin a sample
Re: Site-wide bayes and individual bayes
On Wed, 8 Oct 2014 15:26:25 -0600 LuKreme wrote:
> Is it possible to have a site-wide bayes AND individual bayes for some users (or all users)?

Not as things stand. You could use Bayes for one and a separate filter for the other.

> And, if not, is it generally better to do sitewide?

It's hard to say, there are advantages and disadvantages either way.

> And, is it possible to take all the individual bayes and combine them into a sitewide db?

It should be fairly straightforward to combine the results from running sa-learn --backup on multiple accounts. It's just a matter of combining the total ham/spam message counts and the counts for each token.
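RW's answer describes the merge in one sentence: add up the total ham/spam message counts and add up the per-token counts. The script below is an added example (not part of the thread and not SpamAssassin's own code) that performs that merge over several `sa-learn --backup` dumps and writes out a single dump. It assumes the v3 text dump layout (`v` header lines for db_version/num_spam/num_nonspam, `t` token lines with spam count, ham count, atime and token, `s` lines for already-learned message-ids); the two user dumps are constructed sample data, so compare the layout with a real dump before feeding the result to `sa-learn --restore`.

```python
"""Merge several `sa-learn --backup` dumps into one site-wide Bayes dump.

Added example (not SpamAssassin's own code). Assumed dump layout, to be
checked against a real dump before use:
  v<TAB>value<TAB>name                      db_version, num_spam, num_nonspam
  t<TAB>spam<TAB>ham<TAB>atime<TAB>token    per-token counts and last access time
  s<TAB>flag<TAB>msgid                      message-ids already learned (s or h)
"""


def parse_dump(text):
    """Parse one dump into a dict of version, totals, tokens and seen ids."""
    db = {"version": None, "num_spam": 0, "num_nonspam": 0,
          "tokens": {}, "seen": {}}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        kind = parts[0]
        if kind == "v":
            # the name field may carry a trailing comment; keep the first word
            name = parts[2].split()[0]
            value = int(parts[1])
            if name == "db_version":
                db["version"] = value
            elif name == "num_spam":
                db["num_spam"] = value
            elif name == "num_nonspam":
                db["num_nonspam"] = value
        elif kind == "t":
            spam, ham, atime, token = int(parts[1]), int(parts[2]), int(parts[3]), parts[4]
            db["tokens"][token] = (spam, ham, atime)
        elif kind == "s":
            db["seen"][parts[2]] = parts[1]
    return db


def merge_dumps(dump_texts):
    """Sum totals and per-token counts, keep the newest atime, union the seen
    ids. Returns (merged_db, list of message-ids learned differently)."""
    dbs = [parse_dump(t) for t in dump_texts]
    versions = {d["version"] for d in dbs}
    if len(versions) != 1 or None in versions:
        raise ValueError(f"cannot merge: db_version values {sorted(versions, key=str)}")
    merged = {"version": versions.pop(), "num_spam": 0, "num_nonspam": 0,
              "tokens": {}, "seen": {}}
    conflicts = []
    for d in dbs:
        # A message learned by two users is counted twice here; that is
        # consistent with the token counts, which were also bumped twice.
        merged["num_spam"] += d["num_spam"]
        merged["num_nonspam"] += d["num_nonspam"]
        for token, (spam, ham, atime) in d["tokens"].items():
            p_spam, p_ham, p_atime = merged["tokens"].get(token, (0, 0, 0))
            merged["tokens"][token] = (p_spam + spam, p_ham + ham, max(p_atime, atime))
        for msgid, flag in d["seen"].items():
            previous = merged["seen"].get(msgid)
            if previous is not None and previous != flag:
                # one user learned it as spam, another as ham: keep the first
                # flag but report it so the message can be retrained by hand
                conflicts.append(msgid)
            merged["seen"].setdefault(msgid, flag)
    return merged, conflicts


def render_dump(db):
    """Write a parsed dict back out in the dump layout."""
    lines = [f"v\t{db['version']}\tdb_version # this must be the first line!!!",
             f"v\t{db['num_spam']}\tnum_spam",
             f"v\t{db['num_nonspam']}\tnum_nonspam"]
    for token in sorted(db["tokens"]):
        spam, ham, atime = db["tokens"][token]
        lines.append(f"t\t{spam}\t{ham}\t{atime}\t{token}")
    for msgid in sorted(db["seen"]):
        lines.append(f"s\t{db['seen'][msgid]}\t{msgid}")
    return "\n".join(lines) + "\n"


# Constructed sample dumps for two users; token values are made up.
DUMP_USER_A = "\n".join([
    "v\t3\tdb_version # this must be the first line!!!",
    "v\t120\tnum_spam",
    "v\t300\tnum_nonspam",
    "t\t5\t0\t1412000000\tdeadbeef",
    "t\t1\t9\t1412100000\t0badf00d",
    "s\ts\t<spam1@example.com>",
    "s\th\t<ham1@example.com>",
])
DUMP_USER_B = "\n".join([
    "v\t3\tdb_version # this must be the first line!!!",
    "v\t80\tnum_spam",
    "v\t50\tnum_nonspam",
    "t\t2\t1\t1412900000\tdeadbeef",
    "t\t0\t4\t1412000500\tcafe1234",
    "s\ts\t<spam1@example.com>",
    "s\ts\t<ham1@example.com>",  # user B learned this one as spam: conflict
])

if __name__ == "__main__":
    merged_db, conflicting = merge_dumps([DUMP_USER_A, DUMP_USER_B])
    print(render_dump(merged_db))
    print("learned differently by different users:", conflicting)
```

Run each user's `sa-learn --backup > user.dump`, merge the dumps, and restore the output into the site-wide database; the conflict list is worth reviewing first, because a message one user trained as spam and another as ham has pulled its tokens in both directions.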
Re: New spamming trick?
On Fri, 10 Oct 2014 12:46:50 +0100 Martin Gregorie wrote:
> I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.
>
> There are two ways of recognising it:
> - the List-id: header is set to UnknownList.yahoogroups.com

I had

List-Id: UnknownList.yahoogroupes.fr

Note the e in groupes - probably the first part, UnknownList.yahoo, would be consistent.
Re: New spamming trick?
On October 10, 2014 1:46:50 PM Martin Gregorie mar...@gregorie.org wrote:
> - the List-id: header is set to UnknownList.yahoogroups.com
> - the user part of the To address is alphanumeric soup

Did yahoo dkim sign it ? List sender domain as blacklist_from then, or maybe it's even blacklist_to *@yahoogroups ?
Re: Site-wide bayes and individual bayes
On Fri, 10 Oct 2014, RW wrote:
> On Wed, 8 Oct 2014 15:26:25 -0600 LuKreme wrote:
>> Is it possible to have a site-wide bayes AND individual bayes for some users (or all users)?
>
> Not as things stand.

Not as things stand, possibly absent a hack like: any user who wants to use the site-wide bayes has symlinks to the shared bayes database files in their local dir.

Not sure how well that would work in practice (locking if you autolearn), and it would be somewhat tedious to maintain.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Maxim VI: If violence wasn’t your last resort, you failed to resort to enough of it.
---
862 days since the first successful private support mission to ISS (SpaceX)
Re: UTF-8 rule generator script Re: UTF-8 rules, what am I missing?
On 09/29, Jay Sekora wrote:
> Seems like it would be a huge convenience if either (1) turning on normalize_charset forced interpretation of rule files as UTF-8, (2) there were a similar setting to specify the encoding of rule files, or (3) there were a way on a file-by-file basis to say what charset the rules in the file were in (which is probably best since it would facilitate custom rule sharing across sites). That's off the top of my head with no thought so it may be dumb. :-)

I think it's worth opening a bug. If I can copy and paste UTF8, I feel like I really should be able to paste it into a spamassassin rule.
Re: New spamming trick?
On Fri, 2014-10-10 at 14:26 +0200, Axb wrote:
> On 10/10/2014 01:46 PM, Martin Gregorie wrote:
>> I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.
>>
>> There are two ways of recognising it:
>> - the List-id: header is set to UnknownList.yahoogroups.com
>> - the user part of the To address is alphanumeric soup
>
> pls pastebin a sample

Here you go: http://pastebin.com/aqhcTZxH

I've replaced my address in these by example.com or example.isp.com but the message is otherwise unchanged.

RW: you're right (just had another from Yahoo UK - I'm about to change the rule to match UnknownList.yahoo)

Benny: Yes they did - after all, how can they tell a bouncing message due to a fatfingered address from one that was crafted to bounce?

The examples I've seen so far have apparently been equity pumping scams. Is this also a common feature?

Martin
Re: New spamming trick?
On Fri, 10 Oct 2014 12:46:50 +0100 Martin Gregorie mar...@gregorie.org wrote:
> I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.

This is actually quite old. The only differences are what you describe later.

Another old trick is to send to moderated groups as non-members and have the group moderators reject the messages. Yahoo hasn't yet figured out how to not bounce such messages, it seems.
Re: New spamming trick?
> On Fri, 10 Oct 2014 12:46:50 +0100 Martin Gregorie mar...@gregorie.org wrote:
>> I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.
>
> This is actually quite old. The only differences are what you describe later.
>
> Another old trick is to send to moderated groups as non-members and have the group moderators reject the messages. Yahoo hasn't yet figured out how to not bounce such messages, it seems.

Yep. Regular backscatter that my servers block. You need something that can detect and block backscatter. MailScanner does this and an excellent prebuilt VM to check out is http://efa-project.org/. I have only seen one commercial product do backscatter detection. There may be others but I have been using MailScanner for so long that I never needed to look for other solutions.
Re: New spamming trick?
On 10/10/2014 06:59 PM, Martin Gregorie wrote:
> On Fri, 2014-10-10 at 14:26 +0200, Axb wrote:
>> On 10/10/2014 01:46 PM, Martin Gregorie wrote:
>>> I've recently noticed what may be a new spamming technique: sending mail to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem! to! use! SPF, this intentional backscatter gets delivered to the forged recipient address with the payload in the returned message text.
>>>
>>> There are two ways of recognising it:
>>> - the List-id: header is set to UnknownList.yahoogroups.com
>>> - the user part of the To address is alphanumeric soup
>>
>> pls pastebin a sample
>
> Here you go: http://pastebin.com/aqhcTZxH
>
> I've replaced my address in these by example.com or example.isp.com but the message is otherwise unchanged.
>
> RW: you're right (just had another from Yahoo UK - I'm about to change the rule to match UnknownList.yahoo)
>
> Benny: Yes they did - after all, how can they tell a bouncing message due to a fatfingered address from one that was crafted to bounce?
>
> The examples I've seen so far have apparently been equity pumping scams. Is this also a common feature?

Thanks for the sample...

Was wondering why I didn't see any - had an ancient Postfix header_check regex rule:

/^X-Yahoo-Newman-Property: groups-bounce/ REJECT

(I have no use for Yahoogroups mail)
Re: New spamming trick?
On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
> Thanks for the sample...
>
> Was wondering why I didn't see any - had an ancient Postfix header_check regex rule:
>
> /^X-Yahoo-Newman-Property: groups-bounce/ REJECT

Does this only appear in Yahoo groups bounce messages? If so, I'll add it to the rule and/or replace my current List-id name match.

I searched for information but only found people saying 'I dunno', only with more verbosity. Apparently Yahoo doesn't publish any descriptions for these headers.

> (I have no use for Yahoogroups mail)

Same here, and extend it to include Google Groups too.

Martin
Re: New spamming trick?
On October 10, 2014 6:59:40 PM Martin Gregorie
> Benny: Yes they did - after all, how can they tell a bouncing message due to a fatfingered address from one that was crafted to bounce?

the mailerdaemon is dkim signed, the attached msg is not signed, so it's not sent from yahoo imho

> The examples I've seen so far have apparently been equity pumping scams. Is this also a common feature?

Ahh note the isp send you a dsn back for undelivered, here the isp is really yahoo, hopefully i am right, anyway it's yahoo spam, block the url in bounce msg attachment with clamav
Re: New spamming trick?
On 10/10/2014 08:39 PM, Martin Gregorie wrote:
> On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
>> Thanks for the sample...
>>
>> Was wondering why I didn't see any - had an ancient Postfix header_check regex rule:
>>
>> /^X-Yahoo-Newman-Property: groups-bounce/ REJECT
>
> Does this only appear in Yahoo groups bounce messages? If so, I'll add it to the rule and/or replace my current List-id name match.

honestly, I couldn't sign that - my rule dates back to 2006 and I've never had a complaint - it's a "works for me"

> I searched for information but only found people saying 'I dunno', only with more verbosity. Apparently Yahoo doesn't publish any descriptions for these headers.
>
>> (I have no use for Yahoogroups mail)
>
> Same here, and extend it to include Google Groups too.

I don't remember GooGroups bounces being an annoyance.. but one never knows..
Re: New spamming trick?
On Fri, 2014-10-10 at 20:49 +0200, Benny Pedersen wrote:
> On October 10, 2014 6:59:40 PM Martin Gregorie
>> Benny: Yes they did - after all, how can they tell a bouncing message due to a fatfingered address from one that was crafted to bounce?
>
> the mailerdaemon is dkim signed, the attached msg is not signed, so it's not sent from yahoo imho

True enough: I thought you were asking if the bounce message had been signed, which it had - by Yahoo. As that message is only an attachment that originally came from elsewhere, I'd have thought a DKIM sig on it was irrelevant.

>> The examples I've seen so far have apparently been equity pumping scams. Is this also a common feature?
>
> Ahh note the isp send you a dsn back for undelivered, here the isp is really yahoo,

Of course. I see it because the sender was forged, but I wouldn't call it Yahoo spam unless you can tell me how Yahoo is meant to tell a misspelt group name from one that's a deliberate mismatch.

Martin
Re: spamd does not start
On 10.10.2014 3:35, LuKreme wrote:
On Tuesday, October 7, 2014, 10:56:54 PM, LuKreme wrote:
On 07 Oct 2014, at 11:45 , Jari Fredrisson ja...@iki.fi wrote:
I ran sa-update sa-compile.

Should sa-compile be run after sa-update?

Of course it should. I assumed where I wrote .

I was writing email, not bash.
Regarding mass-check access
Hi,

I sent an email to priv...@spamassassin.apache.org regarding access to mass-check back on the first of September. Is anybody out there? :)

--
staticsafe
https://staticsafe.ca
Re: Regarding mass-check access
On 10/10/2014 4:19 PM, staticsafe wrote:
> I sent an email to priv...@spamassassin.apache.org regarding access to mass-check back on the first of September. Is anybody out there? :)

It likely did not make it through moderation as I never saw it. Sorry, please resend and cc me.
Re: Regarding mass-check access
On 10/10/2014 16:29, Kevin A. McGrail wrote:
> It likely did not make it through moderation as I never saw it. Sorry, please resend and cc me.

Thanks, I have resent the email.

--
staticsafe
https://staticsafe.ca
Re: New spamming trick?
On Fri, 2014-10-10 at 21:03 +0200, Axb wrote:
> On 10/10/2014 08:39 PM, Martin Gregorie wrote:
>> On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
>>> Thanks for the sample...
>>>
>>> Was wondering why I didn't see any - had an ancient Postfix header_check regex rule:
>>>
>>> /^X-Yahoo-Newman-Property: groups-bounce/ REJECT
>>
>> Does this only appear in Yahoo groups bounce messages? If so, I'll add it to the rule and/or replace my current List-id name match.
>
> honestly, I couldn't sign that - my rule dates back to 2006 and I've never had a complaint - it's a "works for me"

OK, understood. Thanks.

>> I searched for information but only found people saying 'I dunno', only with more verbosity. Apparently Yahoo doesn't publish any descriptions for these headers.
>>
>>> (I have no use for Yahoogroups mail)
>>
>> Same here, and extend it to include Google Groups too.
>
> I don't remember GooGroups bounces being an annoyance.. but one never knows..

I don't know about GG either - only that I don't/won't use them while NNTP: newsreaders suit me much better than the web forum type of interface.

Martin
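Three header-level signals for this backscatter came up across the thread: a List-Id of UnknownList.yahoo... (RW's observation that the .com and .fr variants share the UnknownList.yahoo prefix), Axb's Postfix header_checks match on X-Yahoo-Newman-Property: groups-bounce, and Martin's note that the To local part is alphanumeric soup. The script below is an added example, not code posted in the thread, that applies all three to a message parsed with Python's email module. The three sample messages are constructed (not the pastebin sample), and the "soup" heuristic (a separator-free local part that keeps alternating between letters and digits) is an assumption made here, not a definition from the thread; it is deliberately not decisive on its own, because some legitimate addresses look random too.

```python
"""Flag Yahoo Groups backscatter from the header signals discussed in the thread.

Added example, not code from the thread. Signals:
  1. List-Id matching UnknownList.yahoo (covers yahoogroups.com and yahoogroupes.fr)
  2. X-Yahoo-Newman-Property: groups-bounce (the Postfix header_checks match)
  3. To local part that is "alphanumeric soup" (heuristic assumed here)
Signals 1 and 2 are treated as decisive; 3 on its own is only reported.
"""
import re
from email import message_from_string
from email.utils import parseaddr

LIST_ID_RE = re.compile(r"UnknownList\.yahoo", re.IGNORECASE)
NEWMAN_BOUNCE_RE = re.compile(r"^groups-bounce\b", re.IGNORECASE)
LOCALPART_RE = re.compile(r"^[A-Za-z0-9]+$")


def looks_like_soup(localpart, min_len=10, min_switches=4):
    """Heuristic (assumed): a local part with no dots/dashes/underscores, at
    least min_len characters, switching between letters and digits at least
    min_switches times."""
    if len(localpart) < min_len or not LOCALPART_RE.match(localpart):
        return False
    switches = sum(1 for a, b in zip(localpart, localpart[1:])
                   if a.isdigit() != b.isdigit())
    return switches >= min_switches


def backscatter_signals(raw_message):
    """Return the list of signals present in the message headers, in order."""
    msg = message_from_string(raw_message)
    signals = []
    if LIST_ID_RE.search(msg.get("List-Id", "")):
        signals.append("list-id-unknownlist")
    if NEWMAN_BOUNCE_RE.match(msg.get("X-Yahoo-Newman-Property", "").strip()):
        signals.append("newman-groups-bounce")
    _, addr = parseaddr(msg.get("To", ""))
    localpart = addr.rsplit("@", 1)[0] if "@" in addr else ""
    if looks_like_soup(localpart):
        signals.append("to-localpart-soup")
    return signals


def is_yahoogroups_backscatter(raw_message):
    """Decision rule: at least one decisive header signal must be present."""
    decisive = {"list-id-unknownlist", "newman-groups-bounce"}
    return bool(decisive.intersection(backscatter_signals(raw_message)))


# Constructed samples; the addresses and message-ids are made up.
BOUNCE_SAMPLE = "\n".join([
    "From: MAILER-DAEMON@yahoogroups.com",
    "To: k9x2m7q4z1p8@example.com",
    "List-Id: <UnknownList.yahoogroupes.fr>",
    "X-Yahoo-Newman-Property: groups-bounce",
    "Subject: Delivery failure",
    "",
    "Your message could not be delivered. Original message text follows.",
])
LIST_MAIL_SAMPLE = "\n".join([
    "From: rw@example.org",
    "To: martin@example.com",
    "List-Id: <users.spamassassin.apache.org>",
    "Subject: Re: New spamming trick?",
    "",
    "This is actually quite old.",
])
SOUP_ONLY_SAMPLE = "\n".join([
    "From: newsletter@example.net",
    "To: a1b2c3d4e5f6g7@example.com",
    "Subject: Weekly update",
    "",
    "Nothing to see here.",
])

if __name__ == "__main__":
    for name, sample in [("bounce", BOUNCE_SAMPLE), ("list mail", LIST_MAIL_SAMPLE),
                         ("soup only", SOUP_ONLY_SAMPLE)]:
        print(f"{name:10s} signals={backscatter_signals(sample)} "
              f"backscatter={is_yahoogroups_backscatter(sample)}")
```

In production the same logic fits either end of the pipeline: the two decisive checks map directly onto a SpamAssassin `header` rule on List-Id or onto the Postfix header_checks line quoted above, while the local-part heuristic is best kept as a low-scoring supporting rule rather than a reject.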
Re: Regarding mass-check access
> Hi,
>
> I sent an email to priv...@spamassassin.apache.org regarding access to mass-check back on the first of September. Is anybody out there? :)
>
> --
> staticsafe
> https://staticsafe.ca

I did too and never heard anything. I would like to help out this project in any way that I can.