Re: "bout u" campaign

2017-07-16 Thread David Jones

On 07/15/2017 09:42 AM, RW wrote:

On Thu, 13 Jul 2017 18:26:54 -0400
Alex wrote:


Hi,


Are you paying for DCC? I think we're over their limit and they
blacklisted us long ago, lol.


I have my own DCC server joined into the DCC network.

https://www.dcc-servers.net/dcc/


So you only provide spam services for your own users? Or do you pay?


I am classifying about 10K ham and 8K spam each day which I also
use in the masscheck processing (currently on hold).  Since I have
started doing this


Through autolearn?

It is otherwise extremely time-intensive.


Yep.  Again my block threshold is 6.0 in MailScanner and I have
less default trust for FREEMAIL senders.  I also have meta rules
based on FREEMAIL and other hits that add to the score based on
combinations I have seen over the years.


Adjusting many of the default rules disrupts the score balance created
by masschecks, no?

I want to avoid having to juggle scores around, in addition to already
worrying about writing rules that ultimately have the same effect as
existing metas.


2.2 ENA_DIGEST_FREEMAIL  Freemail account hitting message digest spam seen by the Internet (DCC, Pyzor, or Razor).


Are you worried about overlap between the checksum systems?

I've enabled DCC again today, and remembered what I don't like about
it. Do you have DCC_CHECK at its default 1.1 score? That's quite high
for something described as "bulk mail" when bulk mail is already
scored very close to 5.0.


And with FREEMAIL_FROM plus DCC_CHECK (or any digest) you have

1.2 FREEMAIL_FROM
2.2 DCC_CHECK
2.2 ENA_DIGEST_FREEMAIL
0.0 ENA_BAD_SPAM

which is 5.6 points. And judging by the name, at least in some cases,
maybe all:

2.2 ENA_BAD_SPAM_FREEMAIL

which makes 7.8 points. This is something that presumably works for
him, but could cause problems in general.



I was trying to give high-level information on the difference between 
reputation-based rules and content-based rules and how they can be used 
in combination.  For FREEMAIL, I have found that making the average 
message score just below the threshold gives the maximum reliability. 
Since my threshold for blocking is 6.0, I try to get the average 
FREEMAIL message to score in the 3.0 to 5.0 range.  With well-trained 
BAYES and a few other rules that subtract (BAYES_00, good reputation, 
etc.), this is working well.  When FREEMAIL messages hit DCC and a few 
other meta rules common in spam, then they will be over 6.0 as 
mentioned above.


Each person has to examine their mail flow and scoring to determine what 
will work in their environment but the concepts should still apply.


1.  Create a large list of whitelist_auth and whitelist_from_rcvd for 
those senders that a) aren't FREEMAIL, b) aren't human mailboxes with 
potentially compromised passwords, and c) have a valid unsubscribe 
link/process.

Examples:
whitelist_auth *@*.wayfair.com
whitelist_auth *@*.dunkindonuts.com
whitelist_auth *@mktgdillards.com
whitelist_auth *@*.usaa.com
whitelist_auth *@*.citi.com
whitelist_auth *@*.sophos.com
whitelist_auth *@*.myfedloan.org
whitelist_auth *@*.hiltonhonors.com
whitelist_auth *@*.usatoday.com
whitelist_auth *@*.usbank.com


2.  Enable SHORTCIRCUIT'ing:
shortcircuit USER_IN_WHITELIST on
priority USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

3. Add in extra RBL rules that aren't included with SA.  Test these with 
low scores until comfortable.  Lashback, senderscore.org, Mailspike and 
IVM if you have a subscription.


Once you tweak the above list to your email, you should have the 
reputation side covered well which will allow content-based checks to 
help with the rest of the spam.  Well-trained Bayes, ClamAV unofficial 
signatures, DCC, Razor, Pyzor, KAM.cf, custom meta rules, etc. will all 
help with the rest of the spam and you won't have to constantly react to 
the latest spam campaign.  You will still have to tweak and tune a 
little but not nearly as much as before.


--
David Jones


Re: ramsonware URI list

2017-07-16 Thread Rupert Gallagher
It is a list of obsolete URIs.
Sent from ProtonMail Mobile

On Fri, Oct 14, 2016 at 10:30 AM, Nicola Piazzi wrote:

> ABUSE.CH maintains updated ransomware lists; here is the txt file link:
>
> https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
>
> It is very simple to make a shell script that checks for file changes every hour, 
> downloads the file if there is a new one, and writes a .cf rule using the data 
> contained in the file.
>
> But how to write a rule?
>
> We have more than 4000 URIs in the file; we can do a single rule like this, 
> separating URIs with |:
>
> uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas\//
>
> describe URIRAMS Match a Ransomware URI
>
> score URIRAMS 5.00
>
> or is it better to separate each URI:
>
> uri __URIRAMS1 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
>
> uri __URIRAMS2 /http:\/\/1jamprofit\.com\/hjy93JNBasdas\//
>
> meta URIRAMS (__URIRAMS1 | __URIRAMS2)
>
> describe URIRAMS Match a Ransomware URI
>
> score URIRAMS 5.00
>
> Obviously this example is related to 2 entries, and we have 4000 entries here 
> …..
>
> Any suggestions?
>
> Nicola Piazzi, CED - Sistemi
> COMET s.p.a., Via Michelino, 105 - 40127 Bologna, Italia
> Tel. +39 051.6079.293  Cell. +39 328.21.73.470
> Web: http://www.gruppocomet.it/
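A generator for the rule file Nicola asks about, added here as an example in Python rather than shell; it is not code from the thread or from abuse.ch. It de-duplicates the feed, escapes each URL so that '.', '?', '+' and the '/' delimiter stay literal inside the rule, splits the list into numbered __URIRAMSn sub-rules joined by one meta rule instead of a single 4000-way alternation, and hashes the feed body so an hourly job can skip rewriting the .cf when the download has not changed. The rule name URIRAMS and score 5.00 are taken from the thread; the feed contents below are a constructed sample, and the chunk size and describe text are my own choices.

```python
import hashlib
import re

# Constructed sample in the shape of the abuse.ch RW_URLBL.txt feed ('#' comments, one URL per line): first two URLs from the thread, third made up.
SAMPLE_FEED = """\
# Ransomware Tracker URL blocklist (constructed sample, not real feed data)
http://1natureresort.com/afdIJGY8766gyu
http://1jamprofit.com/hjy93JNBasdas/
http://example.invalid/path?with=query+chars
"""

def feed_digest(text):
    """SHA-256 of the feed body; store it and skip rule generation when it is unchanged."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def parse_feed(text):
    """Non-comment, non-empty URLs from the feed, de-duplicated, original order kept."""
    seen, urls = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in seen:
            seen.add(line)
            urls.append(line)
    return urls

def escape_for_sa(url):
    """Escape regex metacharacters, plus '/' because the rule uses / as its delimiter."""
    return re.escape(url).replace("/", r"\/")

def build_rules(urls, name="URIRAMS", score=5.0, chunk=250):
    """Emit .cf text: one __NAMEn uri sub-rule per chunk of URLs, ORed by a meta rule."""
    lines, subrules = [], []
    for i in range(0, len(urls), chunk):
        sub = f"__{name}{i // chunk + 1}"
        body = "|".join(escape_for_sa(u) for u in urls[i:i + chunk])
        lines.append(f"uri {sub} /{body}/i")
        subrules.append(sub)
    lines.append(f"meta {name} ({' || '.join(subrules)})")
    lines.append(f"describe {name} URI listed in the abuse.ch Ransomware Tracker feed")
    lines.append(f"score {name} {score:.2f}")
    return "\n".join(lines) + "\n" if subrules else ""

def hits(cf_text, url):
    """Self-check: run each generated uri sub-rule regex over a URL with Python's re."""
    for line in cf_text.splitlines():
        m = re.match(r"uri \S+ /(.*)/i$", line)
        if m and re.search(m.group(1), url, re.IGNORECASE):
            return True
    return False
```

The self-check uses Python's re engine only as an approximation of SpamAssassin's Perl regex evaluation; for these escaped literals the two agree.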

Re: ramsonware URI list

2017-07-16 Thread Dianne Skoll
My only comment on this is that shell scripting is a completely inappropriate
language to use for this.  Use a real language like Perl, Python, Ruby, or
whatever.

Regards,

Dianne.


Re: ramsonware URI list

2017-07-16 Thread Axb

On 07/16/17 06:07, Ian Zimmerman wrote:

But one still needs to signal rbldnsd to reload the data, right?


nope... no need to signal rbldnsd

see -c switch