Re: The most efficient SPAM implementation ever
On Sun, 11 Oct 2020, Ramon F Herrera wrote: There you go, Bill: http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM.mbox (both files are hardlinked) Those don't particularly look like revenge spamming; they look more like notifications of posts to an off-topic humor thread or, less likely, the Solidworks forum being spammed (which apparently has happened before, I saw some mention of that when doing a little research when you first posted your question). Have you tried reporting this to the admins of the Solidworks forum? Are you still an active participant in the forum? If not, perhaps just delete your account there to stop receiving notifications of forum postings. Your account may have email notification options, like "don't email me notifications", or "only mail me notifications for threads I have posted on." The latter may actually be what is happening here, if you happened to post a "can we knock off with this nonsense" type of comment to that thread and you're assuming what you're now getting is revenge spamming for doing that. The forum software may potentially offer the ability to subscribe to / unsubscribe from notifications for posts to specific forum threads; see if you can do that. This doesn't look particularly abusive or spammy to me, just legitimate notifications of posts to an OT thread (which, yes, is annoying, but not abuse). If anything this looks to me more like an issue for the Solidworks forum administrators to address, not SA. Blocking *all* mail from Solidworks for this seems an overreaction to me. But, that said, you could blcok them by telling Sendmail to reject mail that is from bounces+18101436-032c-ramon=jfknumbers@u18101436.wl187.sendgrid.net that should be consistent for all messages sent to you from Solidworks via Sendgrid. Thanks! -Ramon On 10/10/2020 11:49 AM, Bill Cole wrote: On 10 Oct 2020, at 10:52, Ramon F Herrera wrote: Hello all: I have been a very satisfied user of spamassassin for a long time. Now I am facing a challenge, a problem that I cannot resolve. Years ago I was an active participant in the SolidWorks forum: https://forum.solidworks.com Unfortunately, there is a group there who when don't approve of a thread their response is to send you a barrage of e-mails, some sort of DOS attack. I have received thousands of those, during several years. I dutifully have those messages processed by sa-learn, but it is clear that they are immune to spamassassin. Instead of going up, their score goes down. I tried another approach (suggested by some of you folks): block the sender by sendmail, as seen below. Such defensive strategy was helpful for a couple years but now the spam has come back with a vengeance. Currently, my last line of defense is the only one that recognizes that stealth spam: the Thunderbird mail client. Please help. Without actual samples of the spam, there's nothing anyone else can do to help figure out why SA isn't catching it and how it might get caught. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Men, it has been well said, think in herds; it will be seen that they go mad in herds, while they only recover their senses slowly, and one by one. -- Charles MacKay, 1852 --- 23 days until the Presidential Election
Re: The most efficient SPAM implementation ever
On 11 Oct 2020, at 10:32, Ramon F Herrera wrote: Good point. spamd runs as root and sa-learn runs as 'ramon'. That scheme has worked perfectly well for years, except for that particular spam. That CAN work as long as you have spamd set up correctly for per-user Bayes. If it has worked before, we can assume that it could/should be working now and there's something special about this spam that's overriding the Bayes score. Can you provide the results of a SA scan of the messages on your machine with the SA "report" that has the rule hits and their scores? It could be something specific to your SA config that is hampering this. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: The most efficient SPAM implementation ever
On Sun, 11 Oct 2020 16:52:09 +0200 Antony Stone wrote: > 2. If it's stored in the wrong place, is there any way of > transferring or merging it back in to where it should be instead? If you dump both databases using 'sa-learn --backup' it's straightforward to conflate the two ascii files into one using a bit of script. You can then use --restore. The only problem is that if the same message has been trained differently in the two databases there will no good way to handle that. Any retraining on such messages wont be correct - at least not all of the time.
Re: The most efficient SPAM implementation ever
Ramon F Herrera skrev den 2020-10-11 17:20: I am the one who is a client of sendgrid. Before subscribing to their service (with low volume it is free) many of my messages were rejected. They provide legitimacy. Highly recommended: https://sendgrid.com/ and following this threads here your sendgrid IP would be blacklists, since no one knows you don't share this IP with otters in sendgrid, that say's i have never being in need of any forwards at all, why ? they break dkim, does not do proper openarc sealing, does not respect dmarc, and listen to users that believe forwards should support SPF, all that mess is working without forwarding emails but not so well with forward spamassassin is a well done maillist where SPF, dkim, arc, dmarc is working as it should, only thing is missing is that amavisd missing arc verify / arc signing, it should not be dkim signing on forwarded emails at all many mailman installations is asking mailman to solve more, but all they needed to do is to stop breaking dkim, and do arc sealing you should not use sendgrid IMHO, read more on why on this maillist here or SDLU
Re: The most efficient SPAM implementation ever
Antony Stone skrev den 2020-10-11 16:52: Are you running sa-learn as the same user that spamd runs as ? Running sa-learn as root won't help the scores. unless root trains global Bayes username I've been aware of this advice / requirement almost since I started using SA. most users do it incorrect still :=) However, I've never been quite sure of: 1. If you run it as the wrong user, does the data get stored in the wrong place, or is it simply lost? its stored in a incorrect database/user, its not simply lost 2. If it's stored in the wrong place, is there any way of transferring or merging it back in to where it should be instead? there is no Norton commander for spamassassin yet, but this can be solved if some do the code in Perl
Re: The most efficient SPAM implementation ever
Hello, On Sun, Oct 11, 2020 at 10:20:32AM -0500, Ramon F Herrera wrote: > On 10/11/2020 10:07 AM, Marc Roos wrote: > >Now you can decide to reject email coming from (the whole of) sendgrid. > > I am the one who is a client of sendgrid. Are you aware that you've posted this to a list where it is an ongoing topic of discussion for the last year or so how to block the torrent of spam and phishing from SendGrid without blocking the legitimate email? > They provide legitimacy. Highly recommended >From my point of view I'd prefer if people didn't use SendGrid as then it would become more feasible to block them entirely. They currently "provide legitimacy" only on the basis of them being "too big to block"; I am not sure if that is something to be encouraged by throwing them more business. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
RE: The most efficient SPAM implementation ever
> I am the one who is a client of sendgrid. Before subscribing to their service (with low volume it is free) > many of my messages were rejected. They provide legitimacy. So the problem here is actually that a spammer whines about being spammed? :D But this does confirm my idea that one should just blanket blacklist these networks, because they mostly harbour clients that were blocked and have no where else to go any more. I do not recommend using sendgrid. Going there with your legitimate services is like having your products manufactured by forced child labour which is maybe legal in that part of the world, but it is still something you do not want to be associated with.
Re: The most efficient SPAM implementation ever
On 10/11/2020 10:07 AM, Marc Roos wrote: o16789123x54.outbound-mail.sendgrid.net. The specific range of sendgrid looks like this[1]. So now you know they use sendgrid and probably have access to a 'limited' dynamic ip range. Now you can decide to reject email coming from (the whole of) sendgrid. I am the one who is a client of sendgrid. Before subscribing to their service (with low volume it is free) many of my messages were rejected. They provide legitimacy. Highly recommended: https://sendgrid.com/ Thanks! -Ramon
RE: The most efficient SPAM implementation ever
> > >I guess you are confused by my message and I am confused by yours. Allow me to clarify. Oops, did not notice jpg attachment. Better to post just text. >I have 3 lines of defense and the 2 main ones have failed. The SPAM messages are > undetected. You tell me that the best way is to treat spam is to reject it but > all my attempts to detect this particular instance, let alone reject it have > been unsuccessful. Yes these are not correct (anymore? I guess their infrastructure changed?) [@ files]$ dig +short jiveon.jivesoftware.com sendgrid.net. 167.89.123.54 167.89.115.56 [@ files]$ dig +short -x 167.89.123.54 o16789123x54.outbound-mail.sendgrid.net. The specific range of sendgrid looks like this[1]. So now you know they use sendgrid and probably have access to a 'limited' dynamic ip range. Now you can decide to reject email coming from (the whole of) sendgrid. I have created an email address and ip white list. So if someone legitimate complains. I can allow that specific email address or ip to go through. If sendgrid is getting smarter in the future you will have problems blocking just on sendgrid.net. Mailgun already switched to something like this[2]. Some spammers even change their reverse lookup just before sending. Then you have to fall back on eg. ip blacklisting. I am currently thinking about doing an asn lookup. As you can see these return the same id for different reverse configured ips of mailgun. [@ ~]# dig +short -t txt 40.151.61.209.origin.asn.cymru.com "33070 | 209.61.128.0/19 | US | arin | 2000-06-05" [@ ~]# dig +short -t txt 41.151.61.209.origin.asn.cymru.com "33070 | 209.61.128.0/19 | US | arin | 2000-06-05" [@ ~]# dig +short -t txt 42.151.61.209.origin.asn.cymru.com "33070 | 209.61.128.0/19 | US | arin | 2000-06-05" [@ ~]# dig +short -t txt 43.151.61.209.origin.asn.cymru.com Maybe also forget about the access map and switch to something like mailfromd. I think you can even reject the message with it after you analyzed the whole message body. >Line of Defense No. 1: >The sendmail 'access' file seen below. For over a year only one statement was > sufficient, as you can see now I have 11 and they all fail. Things change (fast) > >Line of Defense No. 2: >Spamassassin. It have submitted over a thousand messages as follows: > >% sa-learn --spam --mbox Mail/Junk > >Unfortunately, that command has never been able to increase the score > of the messages. > [1] 67.89.123.6o16789123x6.outbound-mail.sendgrid.net. 167.89.123.7o16789123x7.outbound-mail.sendgrid.net. 167.89.123.8o16789123x8.outbound-mail.sendgrid.net. 167.89.123.9o16789123x9.outbound-mail.sendgrid.net. 167.89.123.10 o16789123x10.outbound-mail.sendgrid.net. 167.89.123.11 o16789123x11.outbound-mail.sendgrid.net. 167.89.123.12 o16789123x12.outbound-mail.sendgrid.net. 167.89.123.13 o16789123x13.outbound-mail.sendgrid.net. 167.89.123.14 o16789123x14.outbound-mail.sendgrid.net. 167.89.123.15 o16789123x15.outbound-mail.sendgrid.net. 167.89.123.16 o16789123x16.outbound-mail.sendgrid.net. 167.89.123.17 o16789123x17.outbound-mail.sendgrid.net. 167.89.123.18 o16789123x18.outbound-mail.sendgrid.net. 167.89.123.19 o16789123x19.outbound-mail.sendgrid.net. 167.89.123.20 o16789123x20.outbound-mail.sendgrid.net. 167.89.123.21 o16789123x21.outbound-mail.sendgrid.net. 167.89.123.22 o16789123x22.outbound-mail.sendgrid.net. 167.89.123.23 o16789123x23.outbound-mail.sendgrid.net. 167.89.123.24 o16789123x24.outbound-mail.sendgrid.net. 167.89.123.25 o16789123x25.outbound-mail.sendgrid.net. 167.89.123.26 o16789123x26.outbound-mail.sendgrid.net. 167.89.123.27 o16789123x27.outbound-mail.sendgrid.net. 167.89.123.28 o16789123x28.outbound-mail.sendgrid.net. 167.89.123.29 o16789123x29.outbound-mail.sendgrid.net. 167.89.123.30 o16789123x30.outbound-mail.sendgrid.net. 167.89.123.31 o16789123x31.outbound-mail.sendgrid.net. 167.89.123.32 o16789123x32.outbound-mail.sendgrid.net. 167.89.123.33 o16789123x33.outbound-mail.sendgrid.net. 167.89.123.34 o16789123x34.outbound-mail.sendgrid.net. 167.89.123.35 o16789123x35.outbound-mail.sendgrid.net. 167.89.123.36 o16789123x36.outbound-mail.sendgrid.net. 167.89.123.37 o16789123x37.outbound-mail.sendgrid.net. ... 167.89.123.245 o16789123x245.outbound-mail.sendgrid.net. 167.89.123.246 o16789123x246.outbound-mail.sendgrid.net. 167.89.123.247 o16789123x247.outbound-mail.sendgrid.net. 167.89.123.248 o16789123x248.outbound-mail.sendgrid.net. 167.89.123.249 o16789123x249.outbound-mail.sendgrid.net. 167.89.123.250 o16789123x250.outbound-mail.sendgrid.net. 167.89.123.251 o16789123x251.outbound-mail.sendgrid.net. 167.89.123.252 o16789123x252.outbound-mail.sendgrid.net. 167.89.123.253 o16789123x253.outbound-mail.sendgrid.net. 167.89.123.254 o16789123x254.outbound-mail.sendgrid.net. 167.89.123.255 o16789123x255.outbound-mail.sendgrid.net. [2] 209.61.151.28 rs28.mailgun.us. 209.61.151.29 rs29.mailgun.us.
Re: The most efficient SPAM implementation ever
On Sunday 11 October 2020 at 16:28:12, Rick Macdougall wrote: > Hi, > > Are you running sa-learn as the same user that spamd runs as ? > > Running sa-learn as root won't help the scores. I've been aware of this advice / requirement almost since I started using SA. However, I've never been quite sure of: 1. If you run it as the wrong user, does the data get stored in the wrong place, or is it simply lost? 2. If it's stored in the wrong place, is there any way of transferring or merging it back in to where it should be instead? Thanks, Antony. -- https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for talking to yourself. Please reply to the list; please *don't* CC me.
Re: The most efficient SPAM implementation ever
Good point. spamd runs as root and sa-learn runs as 'ramon'. That scheme has worked perfectly well for years, except for that particular spam. Thanks! -Ramon On 10/11/2020 9:28 AM, Rick Macdougall wrote: Hi, Are you running sa-learn as the same user that spamd runs as ? Running sa-learn as root won't help the scores. Regards, Rick On 2020-10-11 10:03 a.m., Ramon F Herrera wrote: *Line of Defense No. 2:* Spamassassin. It have submitted over a thousand messages as follows: % sa-learn --spam --mbox Mail/Junk Unfortunately, that command has never been able to increase the score of the messages.
Re: The most efficient SPAM implementation ever
Hi, Are you running sa-learn as the same user that spamd runs as ? Running sa-learn as root won't help the scores. Regards, Rick On 2020-10-11 10:03 a.m., Ramon F Herrera wrote: *Line of Defense No. 2:* Spamassassin. It have submitted over a thousand messages as follows: % sa-learn --spam --mbox Mail/Junk Unfortunately, that command has never been able to increase the score of the messages. -- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
Re: The most efficient SPAM implementation ever
These forum messages probably have a common URL in them. Use something like: blacklist_uri_host solidworks.com to score the common URL. h2h On 10/10/20 4:52 PM, Ramon F Herrera wrote: Hello all: I have been a very satisfied user of spamassassin for a long time. Now I am facing a challenge, a problem that I cannot resolve. Years ago I was an active participant in the SolidWorks forum: https://forum.solidworks.com Unfortunately, there is a group there who when don't approve of a thread their response is to send you a barrage of e-mails, some sort of DOS attack. I have received thousands of those, during several years. I dutifully have those messages processed by sa-learn, but it is clear that they are immune to spamassassin. Instead of going up, their score goes down. I tried another approach (suggested by some of you folks): block the sender by sendmail, as seen below. Such defensive strategy was helpful for a couple years but now the spam has come back with a vengeance. Currently, my last line of defense is the only one that recognizes that stealth spam: the Thunderbird mail client. Please help. TIA, -Ramon F. Herrera ps: I do not have samples right now but will collect some and post them.
