semi-OT - reporting an organization that ignores unsubscribe requests
Gents, I somehow became subscribed to a list, political in nature, in whose mail I have no interest. This is, AFAIK, a legitimate US organization. Thus far, several uses of their unsubscribe link have not provided relief. Direct email to the founder and operations manager seems to have been ignored as well. While I can just dump their mail, it offends my finely honed sense of propriety, justice and my all around good nature. Besides, it hoses me off. So, is there some "authority" to which I can report these a**holes that might have an effect?
Re: 9D character used in words to avoid detection
On 18 Nov 2018, at 14:30, Chip M. wrote: Mark, is that the exact network image? It cannot have been, as it was missing headers that any message of its apparent lineage (all outlook.com) would have, including Content-Type as you noted as well as MIME-Version and private headers that MS adds to messages. Since Content-Type, MIME-Version, and X-MS-Exchange-SenderADCheck are supposedly signed according to the DKIM-Signature header, that also must fail.
Re: Forgery with SPF/DKIM/DMARC
On Sat, 17 Nov 2018 13:22:55 + David Jones wrote: > 2. Seems like there should be easy rules to detect more than one pair > of angle brackets and more than one at sign to add points to > non-standard display names. The reason I asked about the precise form is that it's not simply a bracketed address in the display name, the brackets need quoting so it's not syntactically correct either. The rule I suggested: header FROM_NO_COMMA From =~ />\s*<[^"]*$/ targets that specific case. The NO_COMMA part is because From: User , would be unusual, but it's legitimate and no use to a spammer because it can fail DMARC on either domain.
Re: 9D character used in words to avoid detection
Ditto to what John said; however, thanks for the spample Mark. :) Mark, is that the exact network image? If not, do you have access to it? If so, please pastebin it. By "network image", I mean not mangled by any post-filter software. Your posted spample is quoted-printable, and should have been decoded and then hit some bitcoin/sextortion-specific rules. In your spample, the Content headers are borked, and it wasn't recognized as qp, hence the abundant "9D" artifacts. I ran it as-is, and it scored poorly. After I manually de-borked the headers and retested, it hit SA's "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-ASCII-count tests. The question is, is that broken header pattern in the original, and if so, should it be detected & scored, in and of itself? We'd need the most pristine original before proceeding. :) - "Chip" P.S. Sorry for the lack of Reply headers. I'm on the road, with limited tools.
Re: 9D character used in words to avoid detection.
Kevin, I think KAM_ZWNJ only triggers with "rawbody". Actual KAM.cf uses "body"... does the SA body pre-processor remove nulls?? ---PedroD On Saturday, November 17, 2018, 1:41:28 AM GMT+1, Kevin A. McGrail wrote: Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf. Please let me know if those help. --Kevin A. McGrail, VP Fundraising, Apache Software Foundation; Chair Emeritus, Apache SpamAssassin Project; https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Fri, Nov 16, 2018 at 7:37 PM John Hardin wrote: On Fri, 16 Nov 2018, Mark London wrote: > I just received a spam email with the 9D character placed inside of words, > that prevented my custom BODY rules from being hit. I.e.: > > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready > change=9Dd it. > > Is there a way to define BODY rules, so that they will be triggered? > Thanks. No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in my sandbox. It isn't performing well in masschecks so I expect this tactic isn't widespread (yet?) I suppose I should expose it as scored in case it becomes popular... -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- From the Liberty perspective, it doesn't matter if it's a jackboot or a Birkenstock smashing your face. -- Robb Allen --- 596 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: 9D character used in words to avoid detection
On Sat, 17 Nov 2018 19:10:57 -0500 Mark London wrote: > --_000_MWHPR14MB13279093501A88B114707EE3B0DD0MWHPR14MB1327namp_ > Content-Type: text/plain; charset="windows-1256" So =9D is a zero-width non-joiner. With normalize_charset this can be detected as the UTF-8 version seen before. > Do=9D no=9Dt co=9Dnsi=9Dder to=9D ma=9Dke=9D co=9Dntact with me=9D > pe=9Drso= nally o=9Dr fi=9Dnd me=9D. My understanding is that zero-width joiners and non-joiners go between two characters to control how they are typeset, so presumably they shouldn't be next to a space or punctuation mark.
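To make the decoding step discussed in this thread concrete, the following is an added example, not code from the list posters or from SpamAssassin: it decodes a constructed quoted-printable fragment as windows-1256 (where byte 0x9D becomes U+200C, the zero-width non-joiner), counts zero-width characters that sit inside words versus next to a space or punctuation, and shows that simple word-based body patterns only hit once the zero-width characters are stripped. The sample text, the function names and the two patterns are assumptions standing in for the poster's custom BODY rules.

```python
import quopri
import re

# Constructed quoted-printable fragment modelled on the thread's sample; not a real message.
SAMPLE_QP = (
    b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready\r\n"
    b"cha=9Dnged it.\r\n"
)
SAMPLE_CHARSET = "windows-1256"  # charset declared in the thread's Content-Type header

# Zero-width code points commonly abused for in-word obfuscation (ZWSP, ZWNJ, ZWJ, WJ, BOM).
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff")

# Assumed body patterns standing in for the poster's custom BODY rules.
BODY_PATTERNS = {
    "OBVIOUSLY": re.compile(r"\bobviously\b", re.IGNORECASE),
    "CHANGE_WORD": re.compile(r"\bchange\b", re.IGNORECASE),
}


def decode_body(raw_qp: bytes, charset: str) -> str:
    """Undo quoted-printable, then the declared charset; in cp1256, byte 0x9D is U+200C (ZWNJ)."""
    return quopri.decodestring(raw_qp).decode(charset)


def zero_width_stats(text: str) -> dict:
    """Count zero-width chars between two letters (in_word) versus next to space/punct/end (boundary)."""
    stats = {"in_word": 0, "boundary": 0}
    for i, ch in enumerate(text):
        if ch not in ZERO_WIDTH:
            continue
        prev_alpha = i > 0 and text[i - 1].isalpha()
        next_alpha = i + 1 < len(text) and text[i + 1].isalpha()
        stats["in_word" if prev_alpha and next_alpha else "boundary"] += 1
    return stats


def strip_zero_width(text: str) -> str:
    """Remove zero-width chars so word-based rules see the text a human sees."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def rule_hits(text: str) -> list:
    """Names of BODY_PATTERNS that match the given text, in definition order."""
    return [name for name, pat in BODY_PATTERNS.items() if pat.search(text)]


if __name__ == "__main__":
    body = decode_body(SAMPLE_QP, SAMPLE_CHARSET)
    print(zero_width_stats(body))
    print("raw hits:", rule_hits(body))
    print("normalized hits:", rule_hits(strip_zero_width(body)))
```

A high in_word count, or any zero-width character at a word boundary, is a usable signal on its own, independent of whether the downstream word rules fire.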