Re: Spammers, IPv6 addresses, and dnsbls

2018-03-04 Thread LuKreme
On Mar 2, 2018, at 03:54, Daniele Duca  wrote:
> I've started to notice that some (not saying names) VPS providers, when 
> offering v6 connectivity, sometimes tend to not follow the best practice of 
> giving a /64 to their customer, routing to them much smaller v6 subnets, 
> while still giving them the usual /30 or /29 v4 subnets.

I have heard of at least one provider that assigns a single IPv6 (/128) to each 
machine, and uses a single /64 for their entire server farm (possibly a 
different /64 for each location).

The simplest solution is to blacklist them until they are forced to gain clue 
points. Might not be realistic for some people, but if you don't cut them off 
from the Internet, how will they learn?

The stupid, it burns.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.


Re: IADB whitelist - again

2018-03-04 Thread David Jones

On 03/03/2018 06:26 PM, Noel Butler wrote:

On 03/03/2018 23:45, David Jones wrote:


On 03/03/2018 05:54 AM, Noel Butler wrote:

On 03/03/2018 11:40, John Hardin wrote:


On Sat, 3 Mar 2018, Noel Butler wrote:


On 03/03/2018 04:40, John Hardin wrote:


On Fri, 2 Mar 2018, Sebastian Arcus wrote:


-0.2 RCVD_IN_IADB_RDNS      RBL: IADB: Sender has reverse DNS record
                            [199.127.240.84 listed in iadb.isipp.com]
-0.1 RCVD_IN_IADB_SPF       RBL: IADB: Sender publishes SPF record
-0.1 RCVD_IN_IADB_OPTIN     RBL: IADB: All mailing list mail is opt-in
-0.0 RCVD_IN_IADB_SENDERID  RBL: IADB: Sender publishes Sender ID record
-0.0 RCVD_IN_IADB_LISTED    RBL: Participates in the IADB system
-0.1 RCVD_IN_IADB_DK        RBL: IADB: Sender publishes Domain Keys record
-0.1 RCVD_IN_IADB_VOUCHED   RBL: ISIPP IADB lists as vouched-for sender

I am concerned when the default settings in SA effectively 
facilitate marketing companies to stuff my Inbox full of junk.


-0.6 points makes the difference?

Perhaps the default scores need to be reviewed, but simply having the
rules isn't problematic.


Have to agree with him, it can make all the difference in some cases.
I'd prefer to see the rules stay, but all at score 0.


If you have properly tuned SA for your mail flow and added local 
rules/plugins, these default IADB scores should not cause real spam to 
score under the default 5.0 threshold.



-0.001 surely... 0 = disabled = breaks dependencies.


That would be acceptable :)


Some of us have very fine-tuned SAs, and use less than 5.0, which was 
acceptable 10 years ago, but not in recent times, so a few .1's can mean 
user gets spam vs. user doesn't get spam - I know what I prefer.




That's great.  It means you know what you are doing when you change the 
default threshold to less than 5.0.  In that case you need to change a 
lot of other scores down too including RCVD_IN_IADB_* and the KAM.cf 
rules probably score way too high for you as well.


From what I have seen on this mailing list, the recommendation for most SA 
admins is to leave the default threshold of 5.0 and bump up the BAYES 
scores once you have a well-trained Bayes DB.  Augment default scores 
with meta rules that combine rule hits to "amplify" some scores a bit 
based on your mail flow and current spam campaigns.


--
David Jones
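An added local.cf fragment illustrating the approach David Jones describes above; it is not configuration from anyone in the thread. It keeps the IADB rules enabled at a token negative score (the thread's -0.001 rather than 0) so that meta rules can still reference them, raises the high-confidence Bayes buckets, and adds one meta rule that amplifies a combined hit. The LOCAL_ rule name and every score value are assumptions chosen for illustration and must be tuned to your own mail flow.

```conf
# local.cf fragment (added example; score values are illustrative, not recommendations)

# Keep the IADB rules enabled so they still fire and can be referenced by meta
# rules, but make their negative weight negligible. The thread's advice is
# -0.001 rather than 0, because a score of 0 disables a rule.
score RCVD_IN_IADB_LISTED   -0.001
score RCVD_IN_IADB_VOUCHED  -0.001
score RCVD_IN_IADB_OPTIN    -0.001
score RCVD_IN_IADB_RDNS     -0.001
score RCVD_IN_IADB_SPF      -0.001
score RCVD_IN_IADB_DK       -0.001
score RCVD_IN_IADB_SENDERID -0.001

# Once the Bayes DB is well trained, give the high-confidence buckets more
# weight than the stock scores (BAYES_999 is added on top of BAYES_99).
score BAYES_95  3.5
score BAYES_99  4.5
score BAYES_999 0.5

# Meta rule: an IADB-vouched sender whose mail Bayes is nevertheless 99% sure is
# spam deserves amplification, not the small IADB credit. Name is an assumption.
meta     LOCAL_IADB_VOUCHED_BUT_BAYES99  (RCVD_IN_IADB_VOUCHED && BAYES_99)
describe LOCAL_IADB_VOUCHED_BUT_BAYES99  IADB-vouched sender but Bayes >= 99% spam
score    LOCAL_IADB_VOUCHED_BUT_BAYES99  1.5
```

Run `spamassassin --lint` after adding it to catch syntax errors before reloading spamd, and check the resulting scores against a sample of your own ham and spam before trusting the numbers.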


Re: Portable Executables that end in .gif/.jpg

2018-03-04 Thread Leandro
2018-03-03 23:21 GMT-03:00 Alex :

> Hi,
>
> I'm curious what people use to avoid malware executable being bypassed
> because their extensions are typically associated with file types that
> are not normally executable?
>
> https://twitter.com/jepayneMSFT/status/969742842410094593
>
> Do you just rely on clamav? Do you do any types of checks of the
> actual bytes in the file to confirm they're in line with what that
> file type should be?
>

Yes Alex! Our URIBL script does a magic number check and other checks, if
the file does not have an executable extension, to see if it is a masked
executable file:

https://www.dropbox.com/s/5aorrijafw5ygk0/uribl.pl?dl=0

The script will send to Clamav any executable file, even masked.

If you have any masked executable that this script ignores, just send it
to me so I can improve this check, OK?


>
> How would this even present itself in an email?
>

If you use our script, it does not matter how it presents itself. It just checks all
attachments, including the HTML of the body.