Re: Protected Sky?

2016-06-29 Thread Merijn van den Kroonenberg
> On Tue, 28 Jun 2016 16:10:12 +0200
> Reindl Harald wrote:
>
>> Am 28.06.2016 um 16:00 schrieb RW:
>> > On Mon, 27 Jun 2016 22:15:30 +0200
>> > Reindl Harald wrote:
>> >
>> >> Am 27.06.2016 um 21:27 schrieb Vincent Fox:
>> >>> I saw a reference today in my MxToolbox report, to an RBL named
>> >>> Protected Sky which had like double the listing activity of
>> >>> Spamhaus. Does anyone know anything about this outfit?
>> >>
>> >> that's a bullshit RBL with large amounts of FP's
>> >
>> > Is that on the 127.0.0.3 response?
>>
>> well, i saw a few rejects from our servers (morons using it to reject
>> unscored) and got that confirmed from 2 other sysadmins
>>
>> all of the sending machines were on no other RBL and on several DNSWL
>>
>> DUNNO which response they got to reject, but i only took notice that
>> this RBL exists by wrong rejections
>
> The 127.0.0.2 response is only intended for controlling greylisting.
>

I tested with the 127.0.0.3 yesterday, which is their discard list. But it
triggers on a lot of valid (ham) mail. So not a very useful RBL and if you
use it I would not assign much points...
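The thread turns on two things a practitioner has to get right with a list like this: which return code the zone hands back (127.0.0.2 only meant to drive greylisting, 127.0.0.3 being the "discard" list) and whether the zone is even answering sanely before any score is attached to it. The following is an added example, not code from the list or from SpamAssassin; the zone name `bl.protectedsky.example`, the fake resolver and the 0.5 score are assumptions for illustration. It builds the reversed-octet query name, maps the A-record answers to the meanings described above, checks the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) so a dead or "list everything" zone is skipped, and applies the policy the posters argue for: never reject on 127.0.0.2, and give 127.0.0.3 only a small score.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Added example: zone name is an assumption, not the list's real zone.
ZONE = "bl.protectedsky.example"

# Meaning of the A-record answers as described in the thread.
RESPONSE_MEANING: Dict[str, str] = {
    "127.0.0.2": "greylist",   # only intended to control greylisting
    "127.0.0.3": "discard",    # the "discard" list, which hits a lot of ham
}

# A resolver maps a query name to its A records; [] means NXDOMAIN (not listed).
# In production this would wrap dns.resolver or the system resolver.
Resolver = Callable[[str], List[str]]


def query_name(ip: str, zone: str = ZONE) -> str:
    """DNSBL lookup name: octets reversed, then the zone (IPv4 only here)."""
    addr = ipaddress.IPv4Address(ip)          # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str, resolve: Resolver, zone: str = ZONE) -> List[str]:
    """Meanings of every code the zone returned for ip; undocumented codes are kept visible."""
    return [RESPONSE_MEANING.get(rec, "unknown:" + rec) for rec in resolve(query_name(ip, zone))]


def zone_is_sane(resolve: Resolver, zone: str = ZONE) -> bool:
    """RFC 5782 test entries: 127.0.0.2 MUST be listed, 127.0.0.1 MUST NOT.
    A zone failing either is dead or listing the world; do not score on it.
    Cache this result in real code rather than querying it per message."""
    listed = bool(resolve(query_name("127.0.0.2", zone)))
    not_listed = not resolve(query_name("127.0.0.1", zone))
    return listed and not_listed


def decide(ip: str, resolve: Resolver, zone: str = ZONE,
           discard_score: float = 0.5) -> Tuple[str, float]:
    """Policy from the thread: 127.0.0.2 only ever triggers greylisting, never a score;
    127.0.0.3 gets a small score (0.5 is an assumed value), never an outright reject."""
    if not zone_is_sane(resolve, zone):
        return ("skip", 0.0)
    meanings = lookup(ip, resolve, zone)
    if "discard" in meanings:
        return ("score", discard_score)
    if "greylist" in meanings:
        return ("greylist", 0.0)
    return ("pass", 0.0)


# Constructed stand-in for DNS so the example runs offline (RFC 5737 test addresses).
FAKE_ZONE: Dict[str, List[str]] = {
    query_name("127.0.0.2"):   ["127.0.0.2"],   # RFC 5782 test entry present
    query_name("192.0.2.10"):  ["127.0.0.2"],   # greylist-only listing
    query_name("198.51.100.7"): ["127.0.0.3"],  # discard listing
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, query_name(ip), decide(ip, fake_resolve))
```

Swapping `fake_resolve` for a real resolver is the only change needed to run this against a live zone; keep the sanity check, because a list that starts returning 127.0.0.2 for everything is exactly the failure mode that produces the wrong rejections described above.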




Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Reindl Harald



On 29.06.2016 at 06:45, Olivier wrote:

>> Though I have devised a mechanism to generate these blacklists, I am
>> not finding a suitable evaluation metric. It would be great if somebody
>> could give me a dataset of source IP addresses of emails received by
>> your network which have been marked as HAM/SPAM by Spamassassin for
>> the year 2016.
>
> Maybe you need to be a bit more specific in what you need: when you
> write "source IP", do you mean the envelope? The first Received-by:, the
> From header?
>
> I think people would be less concerned about privacy if all you ask is
> in a form:
>
> Ham
> list of ham IPs
>
> Spam
> List of spam IPs
>
> with no name or personal data attached (the list could even be posted
> to pastebin through a proxy :)


he asked *exactly the same* with "dataset of source IP addresses of 
emails received" but for a ton of relations you just need that IP and a 
PTR combined with whois lookup to get relations one would not want to be 
public






Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Olivier
Reindl Harald  writes:

> Am 29.06.2016 um 06:45 schrieb Olivier:
>>> Though I have devised a mechanism to generate these blacklists, I am
>>> not finding a suitable evaluation metric. It would be great if somebody
>>> could give me a dataset of source IP addresses of emails received by
>>> your network which have been marked as HAM/SPAM by Spamassassin for
>>> the year 2016.
>>
>> Maybe you need to be a bit more specific in what you need: when you
>> write "source IP", do you mean the envelope? The first Received-by:, the
>> From header?
>>
>> I think people would be less concerned about privacy if all you ask is
>> in a form:
>>
>> Ham
>> list of ham IPs
>>
>> Spam
>> List of spam IPs
>>
>> with no name or personal data attached (the list could even be posted
>> to pastebin through a proxy :)
>
> he asked *exactly the same* with "dataset of source IP addresses of 
> emails received" but for a ton of relations you just need that IP and a 
> PTR combined with whois lookup to get relations one would not want to be 
> public

Your mileage may vary, but provided you have a large enough number of
users and you manage to send the corpus anonymously, all information you
give is that somewhere on the Internet, a mail server did receive messages
from google.com and from hotmail.com and lists.oetiker.ch and also
gtzq.com sent you some spam.

The ratio spam/ham may indicate the approximate age of your server; you
may guess my country or my type of business from the ham; but that would
be about all of it. Unless you are engaged in high security activities,
I don't see much of a problem.

Lastly, I would expect that Shivram keeps the data private, so it would not
be so much "in public".

But I can be corrected.

Best regards,

Olivier



-- 


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Reindl Harald



On 29.06.2016 at 12:35, Olivier wrote:

> Reindl Harald  writes:
>
>> On 29.06.2016 at 06:45, Olivier wrote:
>>
>>>> Though I have devised a mechanism to generate these blacklists, I am
>>>> not finding a suitable evaluation metric. It would be great if somebody
>>>> could give me a dataset of source IP addresses of emails received by
>>>> your network which have been marked as HAM/SPAM by Spamassassin for
>>>> the year 2016.
>>>
>>> Maybe you need to be a bit more specific in what you need: when you
>>> write "source IP", do you mean the envelope? The first Received-by:, the
>>> From header?
>>>
>>> I think people would be less concerned about privacy if all you ask is
>>> in a form:
>>>
>>> Ham
>>> list of ham IPs
>>>
>>> Spam
>>> List of spam IPs
>>>
>>> with no name or personal data attached (the list could even be posted
>>> to pastebin through a proxy :)
>>
>> he asked *exactly the same* with "dataset of source IP addresses of
>> emails received" but for a ton of relations you just need that IP and a
>> PTR combined with whois lookup to get relations one would not want to be
>> public
>
> Your mileage may vary, but provided you have a large enough number of
> users and you manage to send the corpus anonymously, all information you
> give is that somewhere on the Internet, a mail server did receive messages
> from google.com and from hotmail.com and lists.oetiker.ch and also
> gtzq.com sent you some spam.

forget the big ones - just filter them out and look at the small ones
where PTR/Sender is from the same domain, connect it to your destination
domains which are easy to find out and voila you have
company-to-company relations by looking at the business

a nice start for targeted phishings in the wrong hands

> The ratio spam/ham may indicate the approximate age of your server; you
> may guess my country or my type of business from the ham; but that would
> be about all of it. Unless you are engaged in high security activities,
> I don't see much of a problem.
>
> Lastly, I would expect that Shivram keeps the data private, so it would not
> be so much "in public".

what one expects doesn't matter when he gives out data related to his users

> But I can be corrected








Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Antony Stone
On Wednesday 29 June 2016 at 12:42:02, Reindl Harald wrote:

> Am 29.06.2016 um 12:35 schrieb Olivier:
> > Reindl Harald  writes:
> >> 
> >> he asked *exactly the same* with "dataset of source IP addresses of
> >> emails received" but for a ton of relations you just need that IP and a
> >> PTR combined with whois lookup to get relations one would not want to be
> >> public
> > 
> > Your mileage may vary, but provided you have a large enough number of
> > users and you manage to send the corpus anonymously, all information you
> > give is that somewhere on the Internet, a mail server did receive messages
> > from google.com and from hotmail.com and lists.oetiker.ch and also
> > gtzq.com sent you some spam.
> 
> forget the big ones - just filter them out and look at the small ones
> where PTR/Sender is from the same domain, connect it to your destination
> domains which are easy to find out and voila you have
> company-to-company relations by looking at the business

All of this is assuming the original poster asked for the emails as well.

He didn't - he asked for a list of IP addresses - well, two lists, one of ham 
and one of spam.  He didn't ask for any information about the emails 
themselves at all.

I quote from his original request:

"It would be great if somebody could give me a dataset of source IP addresses 
of emails received by your network which have been marked as HAM/SPAM by 
Spamassassin for the year 2016.  I do not require the entire SPAM/HAM emails."


Regards,


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it didn't work.

   Please reply to the list;
 please *don't* CC me.


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Reindl Harald



On 29.06.2016 at 12:59, Antony Stone wrote:

> On Wednesday 29 June 2016 at 12:42:02, Reindl Harald wrote:
>
>> On 29.06.2016 at 12:35, Olivier wrote:
>>
>>> Reindl Harald  writes:
>>>
>>>> he asked *exactly the same* with "dataset of source IP addresses of
>>>> emails received" but for a ton of relations you just need that IP and a
>>>> PTR combined with whois lookup to get relations one would not want to be
>>>> public
>>>
>>> Your mileage may vary, but provided you have a large enough number of
>>> users and you manage to send the corpus anonymously, all information you
>>> give is that somewhere on the Internet, a mail server did receive messages
>>> from google.com and from hotmail.com and lists.oetiker.ch and also
>>> gtzq.com sent you some spam.
>>
>> forget the big ones - just filter them out and look at the small ones
>> where PTR/Sender is from the same domain, connect it to your destination
>> domains which are easy to find out and voila you have
>> company-to-company relations by looking at the business
>
> All of this is assuming the original poster asked for the emails as well.
>
> He didn't - he asked for a list of IP addresses - well, two lists, one of ham
> and one of spam.  He didn't ask for any information about the emails
> themselves at all.
>
> I quote from his original request

i quoted that by myself as you can see

i don't need any more than the IP to get the maildomain in case of
companies using their own small-business-server with no other domains

you underestimate the combination "ip from host xyz sent ham to one of
my customers" combined with easy to find customer domains as possible
targets






Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Olivier
Reindl Harald  writes:

> forget the big ones - just filter them out and look at the small ones
> where PTR/Sender is from the same domain, connect it to your destination
> domains which are easy to find out and voila you have
> company-to-company relations by looking at the business
>
> a nice start for targeted phishings in the wrong hands

I think I understand what you mean: group the IP by type of business
(through a PTR or a whois), find a valid username in both places and
send some phishing. This is made even more complicated by the fact there
is no message count, only a list of IP, so you can only guess how many
messages may have been received from a given source. If I omit the IP of
my own domain, what I can see is a large number of IT mailing lists and
some .jp (probably spam though); it's not easy to make a business model
from that.

While possible, it seems a very complicated scenario for a very small
amount of data (how many people will send some log?). It's faster to
Google all the universities of Thailand, find valid usernames and send
the phishing: more data, easier to reproduce/scale up/port to other
domains of activity.

Olivier


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Olivier
Reindl Harald  writes:

> you underestimate the combination "ip from host xyz sent ham to one of 
> my customers" combined with easy to find customer domains as possible 
> targets

You could/should hide your identity when providing the data. In fact, I
am not even sure that Shivram needs to know your identity/mail server
address.

Olivier


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Reindl Harald



On 29.06.2016 at 13:14, Olivier wrote:

> Reindl Harald  writes:
>
>> forget the big ones - just filter them out and look at the small ones
>> where PTR/Sender is from the same domain, connect it to your destination
>> domains which are easy to find out and voila you have
>> company-to-company relations by looking at the business
>>
>> a nice start for targeted phishings in the wrong hands
>
> I think I understand what you mean: group the IP by type of business
> (through a PTR or a whois), find a valid username in both places and
> send some phishing. This is made even more complicated by the fact there
> is no message count, only a list of IP, so you can only guess how many
> messages may have been received from a given source. If I omit the IP of
> my own domain, what I can see is a large number of IT mailing lists and
> some .jp (probably spam though); it's not easy to make a business model
> from that.

i just tried to explain why people may hesitate
spam-ip's is a no-brainer

> While possible, it seems a very complicated scenario for a very small
> amount of data (how many people will send some log?). It's faster to
> Google all the universities of Thailand, find valid usernames and send
> the phishing: more data, easier to reproduce/scale up/port to other
> domains of activity.

hard to say

when i look at my tool-chains for collecting data to write rules the last 2
years i guess spammers have also grown tool chains - finding valid
usernames is one thing

aggregating them with already collected data of outgoing servers for
source addresses is easy (just use public mailing list archives like
this one with the received headers) and you have at least a better
chance for selecting forged senders when you know their outgoing servers
and targets which get legit mail from there

what is a better forged from-header to one of my customers
my email or yours? :-)






Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Rob McEwen

On 6/29/2016 1:00 AM, Shivram Krishnan wrote:

> Thank you so much for your views. I agree that your customers would not
> like it if you share information. But Olivier suggested, I need only the
> source IP addresses of the Spam and Ham emails, which can even be
> anonymized in the last octet.


Unfortunately, accuracy and credibility goes down since there then isn't 
any easy way to audit or double-check the root cause of the classification.


For example, some people classify spam as "what our filter said was 
spam" and ham as "what our filter said was ham". For most well-run 
systems, that is going to be overall very accurate. But there can still 
be egregious mistakes. And assuming that the existing filter is 100% 
accurate leaves no room for improvement. It also has the unfortunate 
side effect of rubber stamping the most elusive spams, sent by the 
shrewdest of spammers, as ham.


If an anti-spam blacklist comes along that is very good at blocking 
messages that are unsolicited and not desired by end users... but sent 
by the most shrewd spammer who evade lists like SpamHaus and SURBL (at 
least for some time)... and where the collateral damage for listing such 
domains and sending IPs is non-existent... such a blacklist might STILL 
fare badly in such a rating system... which would then MISTAKENLY assume 
that such a blacklist has many False Positives.


Stats collected from user complaints about False Negatives can also be 
helpful. However, for snowshoe spam, that is often a lagging 
indicator... sometimes days behind reality--where the spammer has 
already moved to new domains/IPs--but such could help such a ratings 
system to make wise adjustments to past ham/spam stats.


Hijacked IPs and domains are another sticky issue. Over the past several 
years, this has become epidemic! If the volume of legit usage is 
relatively low, and the IP or domain has been hijacked by a spammer... 
then at SOME point, an anti-spam blacklist should not be penalized for 
listing such. In fact, Spamhaus does this frequently (lists hijacked 
domains/IPs where the cost/benefit ratio for that listing is well 
justified). Some other lists also blacklist hijacked domains/IPs... but 
are often not as good at making proper cost/benefit ratio decisions... 
where they list somewhat large senders who had a somewhat small and 
short-lived spam outbreak. Finding a way to penalize or reward the lists 
that block hijacked domains/IPs that Spamhaus misses, based on whether 
they do (or don't do) a good job of making overall good decisions about 
the cost/benefit ratio of a potential listing's collateral damage... is 
also tricky.


My main point is... how to reward blacklists that are more accurate, but 
without penalizing them for not being a redundant copy of Zen. It isn't 
as easy as it sounds in a ratings system. (even if real life usage of 
such by a hoster or ISP can quickly lead to fewer complaints from 
customers about FPs and FNs)


--
Rob McEwen




Re: Catching well directed spear phishing messages

2016-06-29 Thread Bill Cole
On 28 Jun 2016, at 10:31, Jari Fredriksson wrote:

> Sure, but the case now is that the FROM != 'company address' as this info
> is not even shown to the user. What is shown is the CEO Name only. I
> couldn't even find a setting for this behaviour in my MUA!

That's a broken-by-design MUA.



Re: Catching well directed spear phishing messages

2016-06-29 Thread Dianne Skoll
On Wed, 29 Jun 2016 10:31:47 -0400
"Bill Cole"  wrote:

> On 28 Jun 2016, at 10:31, Jari Fredriksson wrote:

> > Sure, but the case now is that the FROM != 'company address' as this
> > info is not even shown to the user. What is shown is the CEO Name
> > only. I couldn't even find a setting for this behaviour in my MUA!

> That's a broken-by-design MUA.

Almost all MUAs I've ever used hide the From: address in favour of
the full name if it is present.  And most of them have no option for
revealing the address, either.

My alter ego complained about this back in 2012 on the DMARC list, but
was given a lot of pushback... which makes DMARC essentially useless for
preventing spoofing.  Great.  Another half-assed protocol that doesn't
solve the problem it's supposed to solve.

http://lists.dmarc.org/pipermail/dmarc-discuss/2012-February/000189.html

Regards,

Dianne.




Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Bill Cole

On 29 Jun 2016, at 1:00, Shivram Krishnan wrote:

> Hello Bill,
>
> Thank you so much for your views. I agree that your customers would not
> like it if you share information. But Olivier suggested, I need only the
> source IP addresses of the Spam and Ham emails, which can even be
> anonymized in the last octet.
>
> Will that still be a privacy concern?


No, but there would still be a data collection and preparation cost that 
is substantial and a fundamental study design problem: you have no 
controls for data validity or sampling issues.


In total honesty: if your approach to this research has been cleared by 
your faculty advisor and not stopped, that advisor is either incompetent 
or is intentionally sabotaging you. You cannot gather a valid data set 
this way and the data you are asking for cannot even be verified to be 
anything other than pure invention. If your advisor does not see that, 
they are in the wrong profession.


Re: Catching well directed spear phishing messages

2016-06-29 Thread David Jones
>From: Dianne Skoll 
>Sent: Wednesday, June 29, 2016 9:50 AM
>To: users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
    
>On Wed, 29 Jun 2016 10:31:47 -0400
>"Bill Cole"  wrote:

>> On 28 Jun 2016, at 10:31, Jari Fredriksson wrote:

>> > Sure, but the case now is that the FROM != 'company address' as this
>> > info is not even shown to the user. What is shown is the CEO Name
>> > only. I couldn't even find a setting for this behaviour in my MUA!

>> That's a broken-by-design MUA.

>Almost all MUAs I've ever used hide the From: address in favour of
>the full name if it is present.  And most of them have no option for
>revealing the address, either.

Mainly Microsoft Outlook and Exchange webmail?  Most webmail
interfaces will show the full From: display name with email address.

>My alter ego complained about this back in 2012 on the DMARC list, but
>was given a lot of pushback... which makes DMARC essentially useless for
>preventing spoofing.  Great.  Another half-assed protocol that doesn't
>solve the problem it's supposed to solve.

Wouldn't DMARC still protect the From: header domain even though the
MUA doesn't display it?

If everyone (really Microsoft) had some sense, they will start showing the
full display name with the email address to help users see the incorrect
domain and possibly help users notice the wrong address.  It's only going
to get worse.

Many years ago when I had to use Outlook, I had to put my email address
in my signature because Outlook would only put "David Jones" in the
reply text.  If an email was forwarded later, that recipient wouldn't be
able to reply back to me since djo...@ena.com was nowhere in the email
thread.  Pretty dumb if you ask me.

>http://lists.dmarc.org/pipermail/dmarc-discuss/2012-February/000189.html

>Regards,

>Dianne.


Re: Catching well directed spear phishing messages

2016-06-29 Thread Dianne Skoll
On Wed, 29 Jun 2016 15:04:04 +
David Jones  wrote:

> Mainly Microsoft Outlook and Exchange webmail?  Most webmail
> interfaces will show the full From: display name with email address.

Oh sure, if you open the message, you'll see it.  I meant to qualify
my post by saying most MUAs don't show the address in the message list
view... just the name And in my experience, most people pay no
attention at all to the headers once they open an email.

> If everyone (really Microsoft) had some sense, they will start
> showing the full display name with the email address to help users
> see the incorrect domain and possibly help users notice the wrong
> address.  It's only going to get worse.

Yep.

Regards,

Dianne.


Re: Catching well directed spear phishing messages

2016-06-29 Thread Joe Quinn

On 6/29/2016 11:12 AM, Dianne Skoll wrote:

> On Wed, 29 Jun 2016 15:04:04 +
> David Jones  wrote:
>
>> If everyone (really Microsoft) had some sense, they will start
>> showing the full display name with the email address to help users
>> see the incorrect domain and possibly help users notice the wrong
>> address.  It's only going to get worse.
>
> Yep.

Especially after going through all the bother of extending SPF to test 
against that information to begin with.
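The point made across this thread is that DMARC (and SPF as extended for it) authenticates the From: *domain*, while the message-list view of most MUAs shows only the display name, so a mail from "CEO Name <anything@elsewhere>" passes DMARC and still looks right to the user. The filter is therefore the place to look at the display name. The following is an added example, not a SpamAssassin rule or code from any poster: a small Python classifier that flags the three display-name tricks this thread describes, with the organisation domain `example.org`, the protected person "Jane Doe" and all sample headers constructed for illustration. It goes slightly beyond the thread's single CEO case by also catching an address embedded in the display name and an internal From: paired with an external Reply-To.

```python
import re
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# Constructed for this example: our own domains and the people most worth
# impersonating (the "only the CEO's name is shown" scenario in the thread).
ORG_DOMAINS = {"example.org"}
PROTECTED_PEOPLE = {"Jane Doe": "jane.doe@example.org"}


def normalize_name(name: str) -> str:
    """Casefold, keep letters only, sort tokens, so 'DOE, Jane' == 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[^\W\d_]+", name.casefold())))


PROTECTED: Dict[str, str] = {normalize_name(n): a.casefold() for n, a in PROTECTED_PEOPLE.items()}
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].casefold()


def check_from(from_header: str, reply_to: Optional[str] = None) -> Tuple[str, str]:
    """Classify a From: header by the parts a message-list view hides.
    Returns (verdict, reason).  A forged From: *domain* is DMARC's job; these checks
    cover the display name, which DMARC never looks at."""
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    key = normalize_name(display)

    # 1. Display name is a protected person, but the address is not theirs.
    if key in PROTECTED and addr != PROTECTED[key]:
        return "display_name_spoof", f"name {display!r} expected {PROTECTED[key]}, got {addr}"

    # 2. Display name itself looks like an address that differs from the real one,
    #    e.g. "jane.doe@example.org" <attacker@evil.example>.
    m = EMBEDDED_ADDR.search(display)
    if m and m.group(0).casefold() != addr:
        return "address_in_display_name", f"display shows {m.group(0)}, header address is {addr}"

    # 3. From: is one of ours but replies are steered outside the organisation.
    if reply_to:
        _, rt = parseaddr(reply_to)
        if domain_of(addr) in ORG_DOMAINS and domain_of(rt) not in ORG_DOMAINS:
            return "reply_to_mismatch", f"From {addr} but Reply-To {rt.casefold()}"

    return "clean", ""


if __name__ == "__main__":
    # Constructed sample headers; none are real mail.
    samples = [
        ('"Jane Doe" <jane.doe@example.org>', None),
        ("Jane Doe <jdoe1234@gmail.example>", None),
        ('"Doe, Jane" <ceo.office@evil.example>', None),
        ('"jane.doe@example.org" <attacker@evil.example>', None),
        ('"Jane Doe" <jane.doe@example.org>', "accounts@evil.example"),
        ("Bob <bob@other.example>", None),
    ]
    for hdr, rt in samples:
        print(f"{hdr!r:55} -> {check_from(hdr, rt)}")
```

In a real deployment the protected-name table comes from the directory, and the verdict feeds a score rather than a reject, since an executive mailing from a personal account does happen; the point is that the check runs on exactly the field the user never sees.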


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Shivram Krishnan
Hey guys,

I see there is a lot of concern of revealing the set of Spam IP's and Ham
IP's, where one could get to know either a customer - company relation
(which may be private) and might generate sophisticated phishing attacks.
We could solve this problem, if you could submit the set of IP's by
anonymising the last octet of the IP addresses.

Also we could sign an NDA (if you are willing to provide the list), so
that I would not make the list of IP's public.



On Wed, Jun 29, 2016 at 8:02 AM, Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 29 Jun 2016, at 1:00, Shivram Krishnan wrote:
>
> Hello Bill,
>>
>> Thank you so much for your views. I agree that your customers would not
>> like it if you share information. But Olivier suggested, I need only the
>> source IP addresses of the Spam and Ham emails, which can even be
>> anonymized in the last octet.
>>
>> Will that still be a privacy concern?
>>
>
> No, but there would still be a data collection and preparation cost that
> is substantial and a fundamental study design problem: you have no controls
> for data validity or sampling issues.
>
> In total honesty: if your approach to this research has been cleared by
> your faculty advisor and not stopped, that advisor is either incompetent or
> is intentionally sabotaging you. You cannot gather a valid data set this
> way and the data you are asking for cannot even be verified to be anything
> other than pure invention. If your advisor does not see that, they are in
> the wrong profession.
>


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Shivram Krishnan
Hello Bill,

There has been enough research which has been done in this field where the
authors have obtained the data from network operators. This, for
instance, is a paper from UPenn, which has collected over 31 million Mail
Headers (not only IP address) to validate their method.

We are trying to get HAM/SPAM lists from different networks, to validate
our technique, which curates Blacklists for specific Network.




On Wed, Jun 29, 2016 at 8:02 AM, Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 29 Jun 2016, at 1:00, Shivram Krishnan wrote:
>
> Hello Bill,
>>
>> Thank you so much for your views. I agree that your customers would not
>> like it if you share information. But Olivier suggested, I need only the
>> source IP addresses of the Spam and Ham emails, which can even be
>> anonymized in the last octet.
>>
>> Will that still be a privacy concern?
>>
>
> No, but there would still be a data collection and preparation cost that
> is substantial and a fundamental study design problem: you have no controls
> for data validity or sampling issues.
>
> In total honesty: if your approach to this research has been cleared by
> your faculty advisor and not stopped, that advisor is either incompetent or
> is intentionally sabotaging you. You cannot gather a valid data set this
> way and the data you are asking for cannot even be verified to be anything
> other than pure invention. If your advisor does not see that, they are in
> the wrong profession.
>


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Antony Stone
On Wednesday 29 June 2016 at 17:35:28, Shivram Krishnan wrote:

> We could solve this problem, if you could submit the set of IP's by
> anonymising the last octet of the IP addresses.

What good is that going to do you in your research project?

> Also we could sign an NDA (if you are willing to provide the list), so
> that I would not make the list of IP's public.

We are not concerned about you making it *public* - we are concerned about the 
list somehow getting into the hands of untrustworthy individuals who would 
make undesirable use of it.

If that were to happen, there is no way we could trace that use back to you 
and make a claim under the NDA, therefore it is no use.

Have you considered asking your university mail admins for such a list, from 
*their* servers?  I'm sure they process quite a good amount of email every 
year.


Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

   Please reply to the list;
 please *don't* CC me.


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Antony Stone
On Wednesday 29 June 2016 at 17:38:35, Shivram Krishnan wrote:

> There has been enough research which has been done in this field where the
> authors have obtained the data from network operators. This
>  eports> for instance is a paper from UPenn, which has collected over 31
> million Mail Headers (not only IP address) to validate their method.

Page 6:

"For testing purposes, we procured approximately 31 million email headers 
collected at the University of Pennsylvania engineering email servers..."

So, I repeat the suggestion from my previous reply - go and ask your own 
university's mail admins.


Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

   Please reply to the list;
 please *don't* CC me.


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Shivram Krishnan
Hello Antony,

We will be getting headers from our University. The only reason why we want
other lists is that we are tailoring Blacklists for specific networks, to
see how these blacklists perform. The idea being, your network may not be
seeing the same attack vectors as what the USC network sees.


Also getting the IP's in anonymized last octet would also help, as we are
creating Blacklists in terms of Prefixes.


On Wed, Jun 29, 2016 at 8:41 AM, Antony Stone <
antony.st...@spamassassin.open.source.it> wrote:

> On Wednesday 29 June 2016 at 17:35:28, Shivram Krishnan wrote:
>
> > We could solve this problem, if you could submit the set of IP's by
> > anonymising the last octet of the IP addresses.
>
> What good is that going to do you in your research project?
>
> > Also we could sign an NDA (if you are willing to provide the list), so
> > that I would not make the list of IP's public.
>
> We are not concerned about you making it *public* - we are concerned about
> the
> list somehow getting into the hands of untrustworthy individuals who would
> make undesirable use of it.
>
> If that were to happen, there is no way we could trace that use back to you
> and make a claim under the NDA, therefore it is no use.
>
> Have you considered asking your university mail admins for such a list, from
> *their* servers?  I'm sure they process quite a good amount of email every
> year.
>
>
> Antony.
>
> --
> The words "e pluribus unum" on the Great Seal of the United States are
> from a
> poem by Virgil entitled "Moretum", which is about cheese and garlic salad
> dressing.
>
>Please reply to the
> list;
>  please *don't* CC
> me.
>


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread Joe Quinn

On 6/29/2016 11:50 AM, Shivram Krishnan wrote:

> Hello Antony,
>
> We will be getting headers from our University. The only reason why we
> want other lists is that we are tailoring Blacklists for specific
> networks, to see how these blacklists perform. The idea being, your
> network may not be seeing the same attack vectors as what the USC
> network sees.
>
> Also getting the IP's in anonymized last octet would also help, as we
> are creating Blacklists in terms of Prefixes.


You should look at what masscheck does. Instead of uploading messages to 
get tested, masscheckers run the rules against their corpus locally and 
upload the match set.


Provide a mechanism for people to generate their own results, which they 
can upload with absolutely no identifying information.
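Three parts of this thread ask for the same piece of code: Shivram wants per-network spam/ham IPs with the last octet anonymized, aggregated into prefixes; Joe Quinn suggests, masscheck-style, that each site run the extraction locally and upload only the anonymized result; and Rob McEwen's earlier message warns that "spam" and "ham" here only mean "what the local filter said", so any blacklist scored against such a corpus inherits the filter's own false negatives. The following is an added example, not masscheck or any poster's tooling, written in Python. It assumes the site's own MX is the single trusted hop (`mx.example.org`, an assumption), takes the peer IP from the Received line that MX wrote (the one hop the sender cannot forge), collapses it to a /24 (or /64 for IPv6), counts verdicts per prefix, and scores a candidate prefix blacklist against those counts. All headers are constructed from RFC 5737 test addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption for this example: our own MX is the only trusted hop, so the
# Received: line it added names the true peer IP.  Real sites with a border
# relay in front of the filter would list every trusted hop here.
TRUSTED_MX = {"mx.example.org"}

# "from <helo> (<rdns> [<ip>]) by <host>"; IPv6 literals carry an "IPv6:" prefix.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+.*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\].*?\s+by\s+([^\s(;]+)",
    re.IGNORECASE,
)


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def originating_ip(raw_headers: str) -> Optional[str]:
    """Walk Received: lines top-down; the first one written by a trusted MX gives the peer."""
    for line in unfold(raw_headers):
        m = RECEIVED_RE.match(line)
        if m and m.group(2).lower() in TRUSTED_MX:
            return m.group(1)
    return None   # no trusted hop found: cannot attribute the message safely


def anonymize(ip: str) -> str:
    """Drop the host part: /24 for IPv4 (the 'last octet' in the thread), /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def prefix_counts(corpus: Iterable[Tuple[str, str]]) -> Dict[str, Counter]:
    """(verdict, raw_headers) pairs -> {prefix: Counter(ham=.., spam=..)}; nothing identifying survives."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for verdict, raw in corpus:
        ip = originating_ip(raw)
        if ip is not None:
            counts[anonymize(ip)][verdict] += 1
    return dict(counts)


def evaluate(blacklist: Iterable[str], counts: Dict[str, Counter]) -> Dict[str, float]:
    """Score a prefix blacklist against local verdicts.  Caveat from the thread: the
    labels are only the local filter's opinion, so 'fp' can contain spam it missed."""
    listed = {str(ipaddress.ip_network(p)) for p in blacklist}
    tp = fp = fn = tn = 0
    for prefix, c in counts.items():
        if prefix in listed:
            tp += c["spam"]; fp += c["ham"]
        else:
            fn += c["spam"]; tn += c["ham"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    fp_rate = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "precision": precision, "fp_rate": fp_rate}


def sample_headers(helo: str, ip: str) -> str:
    """Constructed headers: the line our MX wrote, then one earlier (untrusted) hop."""
    return (
        f"Received: from {helo} ({helo} [{ip}])\n"
        f"  by mx.example.org (Postfix) with ESMTPS id 1A2B3C\n"
        f"  for <user@example.org>; Wed, 29 Jun 2016 10:00:00 +0200\n"
        f"Received: from [10.0.0.5] (unknown [10.0.0.5])\n"
        f"  by {helo} (Postfix) with ESMTPSA id 4D5E6F\n"
        f"From: Some One <someone@{helo}>\n"
    )


# Constructed corpus: (SpamAssassin verdict, headers).  Two spams share a /24,
# and one /24 carries both a ham and a spam, the collateral-damage case.
CORPUS = [
    ("ham",  sample_headers("mail.smallco.example", "192.0.2.10")),
    ("spam", sample_headers("vps7.badhost.example", "198.51.100.7")),
    ("spam", sample_headers("vps99.badhost.example", "198.51.100.99")),
    ("ham",  sample_headers("mx.partner.example", "203.0.113.5")),
    ("spam", sample_headers("h77.sharedhost.example", "203.0.113.77")),
]

if __name__ == "__main__":
    counts = prefix_counts(CORPUS)
    for prefix, c in sorted(counts.items()):
        print(prefix, dict(c))          # this is all a site would upload
    print(evaluate(["198.51.100.0/24", "203.0.113.0/24"], counts))
```

The upload is the prefix table only; the raw headers never leave the site. The evaluation output also shows why Rob McEwen's objection bites: 203.0.113.0/24 counts as one false positive purely because the local filter called that message ham, and nothing in the anonymized data lets anyone audit whether it really was.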


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-29 Thread David Jones
>From: Shivram Krishnan 
>Sent: Wednesday, June 29, 2016 10:50 AM
>To: Antony Stone
>Cc: users@spamassassin.apache.org
>Subject: Re: Corpus of Spam/Ham headers(Source IP) for research
  
>Hello Antony,

>We will be getting headers from our University. The only reason why we want 
>other lists is that we are tailoring Blacklists for specific networks, to see 
>how these blacklists perform. The idea being, your network may not be seeing 
>the same attack vectors as what the USC network sees.

http://ren-isac.net/

Would this be a better source for your information?  I don't think anyone on 
this list
has spare time to extract this information for you even if we had no other 
reservations
about sharing the data.

>Also getting the IP's in anonymized last octet would also help , as we are 
>creating Blacklists in terms of Prefixes. 



Re: Catching well directed spear phishing messages

2016-06-29 Thread John Hardin

On Wed, 29 Jun 2016, David Jones wrote:

>> Almost all MUAs I've ever used hide the From: address in favour of
>> the full name if it is present.  And most of them have no option for
>> revealing the address, either.
>
> Mainly Microsoft Outlook and Exchange webmail?  Most webmail
> interfaces will show the full From: display name with email address.
>
> Many years ago when I had to use Outlook, I had to put my email address
> in my signature because Outlook would only put "David Jones" in the
> reply text.  If an email was forwarded later, that recipient wouldn't be
> able to reply back to me since djo...@ena.com was nowhere in the email
> thread.  Pretty dumb if you ask me.


Gotta keep from scaring the users with all that complex technical computer 
language stuff...


{rolleyes}

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One difference between a liberal and a pickpocket is that
  if you demand your money back from a pickpocket
  he will not question your motives.-- William Rusher
---
 5 days until the Juno probe arrives at Jupiter