Re: Sudden surge in spam appearing to come from my email address
Oh well, this was my own goof then I guess. I run sendmail, and I'm a programmer, but I don't do email for a living, so I only learn things as I pick them up slowly.

On 7/15/2023 5:05 PM, Noel Butler wrote:
> On 16/07/2023 04:44, Cathryn Mataga wrote:
>> Someone has figured a way to use gmail to spam from their servers, looks like to me.
>
> huh? They have been doing this for YEARS, google don't care because they get to scan (inspect) all the mail, even in transit, that's not "tinfoil hat" rubbish either since they long admit it. it's why anyone who whitelists gmail is a fool (much like those who use gmail in the first place), we in fact add a positive score for all google/gmail connections
>
> --
> Regards, Noel Butler
Re: Sudden surge in spam appearing to come from my email address
I just fixed a problem like this. I checked my headers, and the email was spf approved from google. I had included google so I could get some mail forwarded by them back a while ago, but it's not worth getting this spam. Someone has figured a way to use gmail to spam from their servers, looks like to me.

spf=pass smtp.mailfrom=gmail.com;

I removed google from my spf line, and it's helped.

On 7/14/2023 4:06 PM, Thomas Cameron wrote:
> All - I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam. When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.
>
> I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it. I don't necessarily think this is a job for SA, but if there's a rule I can tweak or a setting I can change, I'm all ears.
>
> Thanks,
> Thomas
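For the "appears to come from me, but not from my server" check Thomas asks about, an added Python example (not from the thread) that reads an Authentication-Results line of the kind quoted above (spf=pass smtp.mailfrom=gmail.com) and treats the SPF pass as meaningful only when the envelope-sender domain aligns with the visible From: domain. The header samples are constructed; example.org and the mailbox names are placeholders.

```python
import re

# Constructed sample (not from the thread): the envelope sender that passed
# SPF is a gmail.com address, while the visible From: claims our own domain.
SAMPLE_FORGED = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com;
From: "Thomas" <thomas@example.org>
To: thomas@example.org
Subject: Test
"""

# Constructed legitimate counterpart: envelope domain and From: domain agree.
SAMPLE_ALIGNED = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@example.org;
From: "Thomas" <thomas@example.org>
To: thomas@example.org
Subject: Test
"""

MY_DOMAIN = "example.org"  # placeholder for the domain being protected


def spf_result(raw):
    """(result, envelope-sender domain) from Authentication-Results, or None.
    smtp.mailfrom may carry a bare domain or a full address."""
    m = re.search(r"\bspf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", raw, re.I)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def from_domain(raw):
    """Domain of the header From: address, the one the recipient actually sees."""
    m = re.search(r"^From:[^\n]*@([\w.-]+)", raw, re.M | re.I)
    return m.group(1).lower() if m else None


def spf_aligned(raw):
    """An SPF pass vouches only for the envelope sender. A pass for gmail.com
    says nothing about a From: header claiming MY_DOMAIN, so count the pass
    only when the two domains match (DMARC-style alignment)."""
    spf = spf_result(raw)
    return spf is not None and spf[0] == "pass" and spf[1] == from_domain(raw)


def looks_forged_from_me(raw):
    """From: claims our domain, but no aligned SPF pass backs that claim up."""
    return from_domain(raw) == MY_DOMAIN and not spf_aligned(raw)


if __name__ == "__main__":
    for name, raw in (("forged", SAMPLE_FORGED), ("aligned", SAMPLE_ALIGNED)):
        print(name, spf_result(raw), from_domain(raw), looks_forged_from_me(raw))
```

Mail legitimately forwarded through a third party (the reason Cathryn had added google in the first place) fails this check just as it fails SPF, so use it to add score rather than to reject outright.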
Re: How is it that my X-Spam-Status is no, but my header gets marked with
Okay, here's another header. Shows X-Spam-Status as no. In local.cf I changed to this, just to be sure.

rewrite_header Subject [SPAM][JUNGLEVISION SPAM CHECK]

Return-Path: me...@ecuador.junglevision.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ecuador.junglevision.com
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=3.5 tests=BAYES_50,HTML_MESSAGE,
    MIME_HTML_ONLY,MIME_QP_LONG_LINE autolearn=disabled version=3.3.2
Received: from ecuador.junglevision.com (localhost [127.0.0.1])
    by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id s9P2o1ZZ026032
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
    for megans...@junglevision.com; Fri, 24 Oct 2014 19:50:01 -0700
Received: (from megan@localhost)
    by ecuador.junglevision.com (8.14.7/8.14.7/Submit) id s9P2o1dN026031
    for megans...@junglevision.com; Fri, 24 Oct 2014 19:50:01 -0700
Received: from outbound.audienceview.com (outbound.audienceview.com [65.110.162.244])
    by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id s9P2nvn2026026
    for me...@junglevision.com; Fri, 24 Oct 2014 19:49:58 -0700
Received: from AVWEB98 ([127.0.0.1]) by outbound.audienceview.com with Microsoft SMTPSVC(7.5.7601.17514);
    Fri, 24 Oct 2014 19:49:57 -0700
From: tick...@shnsf.com
To: me...@junglevision.com
Subject: [SPAM][JUNGLEVISION SPAM CHECK] Confirmation of Order Number 684588 * Please Do Not Reply To This Email *
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=39c73e15-d5dd-4652-bd83-b7c65171173c
Date: Fri, 24 Oct 2014 19:49:57 -0700
Message-ID: 1c09ad5feea4.tick...@shnsf.com
X-OriginalArrivalTime: 25 Oct 2014 02:49:57.0206 (UTC) FILETIME=[5CA4A760:01CFEFFE]
X-Spam-Prev-Subject: Confirmation of Order Number 684588 * Please Do Not Reply To This Email *
Re: How is it that my X-Spam-Status is no, but my header gets marked with
On 10/25/2014 9:29 PM, John Hardin wrote:
> On Sat, 25 Oct 2014, Cathryn Mataga wrote:
>> Received: from ecuador.junglevision.com (localhost [127.0.0.1])
>>     by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id s9P2o1ZZ026032
>>     (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
>>     for megans...@junglevision.com; Fri, 24 Oct 2014 19:50:01 -0700
>> Received: (from megan@localhost)
>>     by ecuador.junglevision.com (8.14.7/8.14.7/Submit) id s9P2o1dN026031
>>     for megans...@junglevision.com; Fri, 24 Oct 2014 19:50:01 -0700
>
> Why is the message hitting ecuador.junglevision.com twice?

Would this do it? Maybe it's just failing on the initial spam check and then .procmailrc meganspam checks again for some reason?

[root@ecuador megan]# cat .procmailrc
:0
* ^Subject:.*\[SPAM\]*
!megans...@junglevision.com

[root@ecuador etc]# pwd
/etc
[root@ecuador etc]# cat procmailrc
DROPPRIVS=yes
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

Then I have.

[root@ecuador spamassassin]# cat spamassassin-default.rc
# send mail through spamassassin
:0fw
| /usr/bin/spamassassin

Don't believe there's anything creative happening here, right? Am I missing something obvious?
Re: How is it that my X-Spam-Status is no, but my header gets marked with
On 10/20/14, 9:46 AM, jdebert wrote:
> On Mon, 20 Oct 2014 12:39:57 +0200
> Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>> On 17.10.14 10:08, jdebert wrote:
>>> Will URIBL_BLOCKED cause [SPAM] to be inserted into Subject?
>>
>> no, it will more likely cause [SPAM] _not_ to be inserted, because it wouldn't be detected.
>
> Good. Had me worried a bit there. (^_^)
>
>>> Also, doesn't sa insert something else a bit different? Isn't it likely that someone else inserted that before the OP's server ever saw it?
>>
>> If SA inserts anything to Subject: and what it is, depends only on SA configuration. It's the rewrite_header configuration directive.
>
> Of course. I was thinking at the time that some other spam filter/tagger that used that by default might have done this. After posting, realised that the config would have to be changed for that. Forgot to ask if it was the case. I recall some cases in the past where spam filtering setups, such as those for antispam appliances, did such things by default without adding any headers. I suspected this might be the case here. Too many possibilities, too little data.

What I'll do then is change the inserted message to something else. Just to verify this. I did manage to get rid of the warning from the dnsdbl list. But I can pull this and try again too.
Re: How is it that my X-Spam-Status is no, but my header gets marked with
On 10/17/14, 4:13 AM, Martin Gregorie wrote:
> On Thu, 2014-10-16 at 22:37 -0700, Cathryn Mataga wrote:
>> The score is only 1.9, 3.5 required. What's going on here?
>>
>> X-Spam-Status: No, score=1.9 required=3.5 tests=BAYES_50,DKIM_SIGNED,
>>     EMAIL_URI_PHISH,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,
>>     URIBL_BLOCKED autolearn=disabled version=3.3.2
>
> URIBL_BLOCKED usually means that you've exceeded the daily free use limit on URIBL queries. What DNS server are you using? If it's a public one belonging to your ISP or Google, that explains why the blacklists think you exceeded the free limit: they count queries per DNS server since that's what sends the queries to them. To avoid this you should be running a private, non-forwarding DNS server.
>
> Martin

I run DNS on my network. I think it should be caching, but maybe that's broken? The thing is, I've had this email at this domain name for over a decade now, no, maybe to the mid 90's? Maybe it's just that I get a HUGE amount of spam. It is a spectacular flow to watch it all go through here. I did disable the dns blackhole servers seeing this. So maybe my first instinct on this was correct. We'll see if it gets better.
Re: How is it that my X-Spam-Status is no, but my header gets marked with
On 10/17/14, 9:20 AM, Matus UHLAR - fantomas wrote:
>> On 10/17/14, 4:13 AM, Martin Gregorie wrote:
>>> URIBL_BLOCKED usually means that you've exceeded the daily free use limit on URIBL queries. What DNS server are you using? If it's a public one belonging to your ISP or Google, that explains why the blacklists think you exceeded the free limit: they count queries per DNS server since that's what sends the queries to them. To avoid this you should be running a private, non-forwarding DNS server.
>
> On 17.10.14 09:17, Cathryn Mataga wrote:
>> I run DNS on my network. I think it should be caching, but maybe that's broken?
>
> the question is if it forwards requests to other DNS servers (probably your ISP's) or if you process thousands of mails daily...

I should check. I do well less than 100 legitimate emails a day, but I think I might be pulling in thousand(s)+ of spam.
Re: How is it that my X-Spam-Status is no, but my header gets marked with
> ??? Are you using imap to fetch your mail?

Thanks guys. Yes I am using imap. What I have is a .procmailrc that forwards to meganspam. That's how this email got to meganspam. Is spamassassin running twice? Once going to megan@ and then at meganspam@. What I did then is I fished the lost email out of 'meganspam' and posted it here.

[root@ecuador megan]# cat .procmailrc
:0
* ^Subject:.*\[SPAM\]*
!megans...@junglevision.com
:0
How is it that my X-Spam-Status is no, but my header gets marked with
The score is only 1.9, 3.5 required. What's going on here?

From me...@ecuador.junglevision.com Mon Oct 13 08:38:09 2014
Return-Path: me...@ecuador.junglevision.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ecuador.junglevision.com
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=3.5 tests=BAYES_50,DKIM_SIGNED,
    EMAIL_URI_PHISH,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,
    URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from ecuador.junglevision.com (localhost [127.0.0.1])
    by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id s9DFc8B7015308
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
    for megans...@junglevision.com; Mon, 13 Oct 2014 08:38:08 -0700
Received: (from megan@localhost)
    by ecuador.junglevision.com (8.14.7/8.14.7/Submit) id s9DFc8xV015307
    for megans...@junglevision.com; Mon, 13 Oct 2014 08:38:08 -0700
Received: from egssmtp03.att.com (egssmtp03.att.com [144.160.128.152])
    by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id s9DFc5xN015302
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
    for me...@junglevision.com; Mon, 13 Oct 2014 08:38:06 -0700
Received: from uspedd06.edc.cingular.net (uspedd06.edc.cingular.net [135.214.228.40])
    by egssmtp03.att.com ( egs 8.14.5 TLS/8.14.5) with ESMTP id s9DFc46P014887
    for me...@junglevision.com; Mon, 13 Oct 2014 08:38:05 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=amcustomercare.att-mail.com;
    s=egs03; t=1413214685; bh=MI7iSFEx0e8sM2n1cEp/PA3RpmsCaSIBkzWhOYJfYAA=;
    h=Message-ID:Date:From:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding;
    b=CYX9YX0nPomkMgc9QVja839EteJAXDIlKj0PGU7FS6Na0Bbe2MKs02M/tElklPs4H
    xkFLgTFYcep3bVF5BvPXbx4GTTTfG8t2SRph/JzCEMIkZUGCyjVnB+l507IiU/8qwZ
    D318VRDQoTPpXolVQMvP7EWBvn63ZKf49zG/Lh5JnhVqYYxcMyS5XVfJR9VRgt/Y+v
    lt4nkGSI0L+bf76ajwYTS6bERuSXRkwn7LsqYZkLRzBVbseQVK2oMFjV7pABS3Ru7d
    B2qDr9tjTuGnAhVrp8dloyU+fBVRc4jcj8Fas1FqgcoXoYFfIgqR2dQNkeKpYl+qRi
    GvEd3zXt9+ajw==
Message-ID: 15150565.1413214684341.javamail.p7edd...@uspedd06.edc.cingular.net
Date: Mon, 13 Oct 2014 10:38:04 -0500 (CDT)
From: ATT Customer Care ica...@amcustomercare.att-mail.com
To: me...@junglevision.com
Subject: [SPAM] Your ATT wireless bill is ready to view
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
ATT: OLAMBRN-284864694
X-Spam-Prev-Subject: Your ATT wireless bill is ready to view
X-UID: 682695
Status: O
Content-Length: 12557
use_auto_learn 0 but then autolearn=ham
My local.cf has this.

bayes_file_mode 0666
use_bayes 1
use_auto_learn 0
skip_rbl_checks 0
rbl_timeout 3
score RCVD_IN_BL_SPAMCOP_NET 3
score RCVD_IN_URIBL_SBL 3

But then I see a spam that I keep training as spam over and over again, but then it keeps getting auto-learned as Ham. How do I turn off this auto_learn stuff once and for all?

Return-Path: cath...@ecuador.junglevision.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ecuador.junglevision.com
X-Spam-Level:
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham
    version=3.3.2
Received: from ecuador.junglevision.com (localhost [127.0.0.1])
    by ecuador.junglevision.com (8.14.5/8.14.5) with ESMTP id r4HD4xMW030941
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
    for cathrynm...@junglevision.com; Fri, 17 May 2013 06:04:59 -0700
Received: (from cathryn@localhost)
    by ecuador.junglevision.com (8.14.5/8.14.5/Submit) id r4HD4xKo030940
    for cathrynm...@junglevision.com; Fri, 17 May 2013 06:04:59 -0700
Received: from smna.conservativecontacts.com (smna.conservativecontacts.com [69.25.192.206])
    by ecuador.junglevision.com (8.14.5/8.14.5) with ESMTP id r4HD4gO7030924
    for cath...@junglevision.com; Fri, 17 May 2013 06:04:42 -0700
Received: from smna.conservativecontacts.com ([69.25.192.205])
    by smna.conservativecontacts.com (-); Fri, 17 May 2013 09:04:41 -0400
X-VirtualServer: VSG205206, smna.conservativecontacts.com, 69.25.192.206
X-VirtualServerGroup: VSG205206
X-MailingID: 16783856::14821::2300::9704::cath...@junglevision.com::20899
X-SMHeaderMap: mid=X-MailingID
X-Destination-ID: cath...@junglevision.com
X-SMFBL: Y2F0aHJ5bkBqdW5nbGV2aXNpb24uY29t
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=CCRKBAUpdate.org; s=nacusdkim;
    i=@CCRKBAUpdate.org; h=Content-Transfer-Encoding:Content-Type:Reply-To:MIME-Version:Message-ID:Subject:Date:To:From;
    bh=UHkgj9PMuzcs3Qkf+jgNAygH6+A=; b=KHlcTz+2lrAb3dNSS7Uwp+u
    wYtLe8SHLrmxBHhrU9BkGP+2voL9K97/RzHxhaqJAbeqcEJzQgiVicfuri13zfsq
    EzOB52R+PPYFN5mNUbNfOkbviiBsMf1+XpRAdgy+LsN/cZTO2+cn5WpSo7VuabqN
    9c0Hz5/LFyAZaiMpUYr0=
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary==_NextPart_947_E999_6EC9FB62.11D78100
Reply-To: patr...@ccrkbaupdate.org
MIME-Version: 1.0
Message-ID: 16783856.20...@ccrkbaupdate.org
Subject: =?UTF-8?Q?Stop=20Obama=27s=20Ammo=20Grab?=
Date: Fri, 17 May 2013 09:04:39 -0400
To: cath...@junglevision.com
From: =?UTF-8?Q?CCRKBA?= patr...@ccrkbaupdate.org
Re: How to report a spam botnet
On 11/20/2012 4:29 AM, Jason Ede wrote:
> However, ISP's blocking smtp ports for suspected spammers would help... Ideally they'd block all traffic on port 25 or 587 not sent through their SMTP engine which would do some basic spam checks...

Easy enough to block #25 by default -- turn it on for anyone who asks. I think the idea of a botnet black hole list is great, really. Best if support could be integrated into routers, though maybe enough to start just to make a linux/unix program to do this to prove the concept. Would be handy for online forums where the bots are posting comment spam all the time.

https://www.projecthoneypot.org/

I think this site, projecthoneypot, is similar? Though maybe something that targets the bot nets specifically would be useful? I'm not sure. Really I'm just an end user here.
Re: Words with embedded symbols
> Here's another version. This successfully recognises all four of your examples and doesn't fire on any of my other spam test messages:
>
> describe MG_TWOLETTER_OBFUSCATION Two letter obfuscation (X:X X :X)
> header MG_TWOLETTER_OBFUSCATION Subject =~ /[A-Z][:%~;^][A-Z]\s{0,1}[:%~;^][A-Z0-9]/
> score MG_TWOLETTER_OBFUSCATION 5.0
>
> This rather longer regexp was wrapping when pasted into this reply, so I split the line at 'Subject' for clarity.
>
> Martin

I looked over my old spam logs, and I'm finding hits from this rule. All I did was add a few extra characters that some spam were using. This is working good now. Thanks.
Re: spam from venamail
On 11/8/2012 8:58 AM, Martin Gregorie wrote:
> On Thu, 2012-11-08 at 07:23 -0800, R - elists wrote:
>> is anyone else getting spam from venamail.com servers ?
>
> No.
>
> Martin

I just grepped a gigabyte collection of spam for venamail.com and found nothing.
Re: BAYES_99 score
On 10/24/2012 8:35 AM, Jari Fredriksson wrote:
> 24.10.2012 18:19, Ned Slider wrote:
>> I have had very good success running adjusted scores for BAYES rules, but I am very careful how I train my bayes database. I've disabled auto-learning and only manually train on hand-checked ham and spam examples. Consequently, I find the extremes (BAYES_99 and BAYES_00) to be highly reliable indicators.
>
> I have never seen false BAYES_99, but false BAYES_00 is not that rare.

I'm not sure what's going on, but I cleared Bayes, and set use_auto_learn 0 and then relearned from HAM/Spam messages, and checking for yesterday, I got 12 spam, every single one had BAYES_00 set. I do get a vast amount of spam coming in here, so that 12 is down from several hundred spam that got marked correctly.
I think the bayes filter just goes bad if you ignore it
And that no amount of training will fix it once it goes bad. I was getting maybe 30-40 spams through every day and many of them marked BAYES_00 -- and the last month I've been carefully feeding the software spam and ham lists, all carefully checked, but so much of it just kept coming in. But last night I backed up bayes, reset it, and then retrained with my old spam and ham email collection, and the difference is stunning. Many fewer spam are coming in.
Re: Words with embedded symbols
Thanks for the comments. I'll see if I can cook something up here. Someone asked to see the actual messages. I collected 4 of these messages and put them at this link. http://www.mataga.net/mataga/spam.txt
Words with embedded symbols
I'm getting a lot of SPAM with words written like this. These are pretty horrible, and I don't like getting them every day.

A:N ;A %L P:O ~R %N ( P lCT U #RE /

Is there a way to make a rule for strings of characters that would ignore non-alpha characters embedded in the string?
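Martin's MG_TWOLETTER_OBFUSCATION rule (earlier on this page) and the "ignore the embedded non-alpha characters" idea asked for here, as an added Python example that is not from the thread: the rule's regex applied to constructed Subject lines, beside a squash-to-letters match against a hypothetical watch-word list. The ham case that the squashed match wrongly hits shows why that approach should only add score, never decide on its own.

```python
import re

# Martin Gregorie's rule from the thread, transcribed from the SpamAssassin
# "header MG_TWOLETTER_OBFUSCATION Subject =~ /.../" form; case-sensitive
# like the original, so it only fires on shouted, symbol-laced words.
TWOLETTER_OBFUSCATION = re.compile(r"[A-Z][:%~;^][A-Z]\s{0,1}[:%~;^][A-Z0-9]")

# Hypothetical watch list for the squash approach; a real deployment would
# carry its own, and would treat a hit as a score contribution, not a verdict.
WATCH_WORDS = {"VIAGRA", "CASINO"}


def rule_hits(subject):
    """True if Martin's two-letter obfuscation pattern fires on this Subject."""
    return TWOLETTER_OBFUSCATION.search(subject) is not None


def squash(subject):
    """Keep letters only, so 'V:I ~A %G R:A' becomes 'VIAGRA'. Whitespace goes
    too, because the obfuscation splits words with spaces as much as symbols."""
    return re.sub(r"[^A-Za-z]", "", subject).upper()


def squashed_hits(subject):
    """Watch words that appear once every embedded symbol has been removed."""
    text = squash(subject)
    return sorted(w for w in WATCH_WORDS if w in text)


def classify(subject):
    """Both signals side by side; the regex is the precise one, the squash the
    broad one (it also merges adjacent words, see the 'Lucas in October' case)."""
    return {"regex": rule_hits(subject), "words": squashed_hits(subject)}


# Constructed samples, modelled on the obfuscated subjects quoted in the thread.
SAMPLES = {
    "spam1": "V:I ~A %G R:A online now",
    "spam2": "A:N ;A %L P:O ~R %N",
    "ham1": "Re: A/B test results for Q3",
    "ham2": "Meeting at 10:30 tomorrow",
    "ham3": "Lunch with Lucas in October",  # squashes to ...LUCASINOCTOBER
}

if __name__ == "__main__":
    for name, subj in SAMPLES.items():
        print(name, classify(subj))
```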
X-Spam-Status: No, but still marked with [SPAM]
I'm getting these messages, some of them real emails, that get marked with [SPAM] even though X-Spam-Status: comes up as No. I updated to the latest build on Fedora though I think this has been going on a while. It happens with some email accounts but not others.

From me...@ecuador.junglevision.com Thu Sep 20 17:42:50 2012
Return-Path: me...@ecuador.junglevision.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ecuador.junglevision.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=2.0 tests=FROM_MISSP_REPLYTO,
    FROM_MISSP_URI,TO_NO_BRKTS_FROM_MSSP autolearn=ham version=3.3.2
Received: from ecuador.junglevision.com (localhost [127.0.0.1])
    by ecuador.junglevision.com (8.14.5/8.14.5) with ESMTP id q8L0go5j02679
    for megans...@junglevision.com; Thu, 20 Sep 2012 17:42:50 -0700
Received: (from megan@localhost)
    by ecuador.junglevision.com (8.14.5/8.14.5/Submit) id q8L0goLd026789
    for megans...@junglevision.com; Thu, 20 Sep 2012 17:42:50 -0700
Received: from server.cgskies.com (www.cgskies.com [85.17.169.165])
    by ecuador.junglevision.com (8.14.5/8.14.5) with ESMTP id q8L0gmKk02678
    for me...@junglevision.com; Thu, 20 Sep 2012 17:42:49 -0700
Received: from www.cgtextures.com (www.cgtextures.com [95.211.74.173])
    by server.cgskies.com (8.14.4/8.14.4) with ESMTP id q8L0XDp8032570
    for me...@junglevision.com; Fri, 21 Sep 2012 02:33:13 +0200
Received: by www.cgtextures.com (Postfix, from userid 101)
    id 81BF513200F0; Fri, 21 Sep 2012 03:55:56 +0200 (CEST)
To: me...@junglevision.com
Subject: [SPAM] Action Required to Activate Membership for CGTextures
From: CGTextures supportsupp...@cgtextures.com
To: me...@junglevision.com
Reply-To: CGTextures supportsupp...@cgtextures.com
Date: Fri, 21 Sep 2012 03:55:56 +0200
Message-Id: 20120921015556.81bf51320...@www.cgtextures.com
X-Spam-Prev-Subject: Action Required to Activate Membership for CGTextures
X-UID: 170756
Status: O
X-Keywords: NonJunk
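For the "X-Spam-Status: No but Subject tagged [SPAM]" messages in this thread and the later one above, an added Python example (not from the thread) that reads a header block and reports the two signs of a second pass that Cathryn suspects: the same host appearing as the "by" relay more than once, including the localhost Submit hop a procmail forward to another mailbox produces, and a [SPAM] Subject plus X-Spam-Prev-Subject sitting next to a final X-Spam-Status of No. The sample headers are constructed after the ones quoted in the thread; queue ids and mailbox names are placeholders.

```python
import re

# Constructed sample, modelled on the headers quoted in the thread; the host
# name is kept, queue ids and mailbox names are placeholders.
SAMPLE = """\
X-Spam-Status: No, score=1.5 required=3.5 tests=BAYES_50,HTML_MESSAGE,
    MIME_HTML_ONLY autolearn=disabled version=3.3.2
Received: from ecuador.junglevision.com (localhost [127.0.0.1])
    by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id QUEUEID1
    for <userspam@junglevision.com>; Fri, 24 Oct 2014 19:50:01 -0700
Received: (from user@localhost)
    by ecuador.junglevision.com (8.14.7/8.14.7/Submit) id QUEUEID2
    for <userspam@junglevision.com>; Fri, 24 Oct 2014 19:50:01 -0700
Received: from outbound.example.net (outbound.example.net [192.0.2.10])
    by ecuador.junglevision.com (8.14.7/8.14.7) with ESMTP id QUEUEID3
    for <user@junglevision.com>; Fri, 24 Oct 2014 19:49:58 -0700
Subject: [SPAM] Confirmation of Order
X-Spam-Prev-Subject: Confirmation of Order
"""


def parse_headers(raw):
    """Unfold RFC 5322 headers into an ordered list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def reinjected_hosts(headers):
    """Hosts that are the 'by' relay in more than one Received header. A
    "(from user@localhost) by HOST (.../Submit)" hop is a local resubmission,
    and every pass through local delivery runs spamassassin again."""
    by_hosts = []
    for name, value in headers:
        if name.lower() == "received":
            m = re.search(r"\bby\s+([\w.-]+)", value)
            if m:
                by_hosts.append(m.group(1).lower())
    return sorted({h for h in by_hosts if by_hosts.count(h) > 1})


def tagged_but_status_no(headers):
    """An earlier pass already rewrote the Subject (and left X-Spam-Prev-Subject),
    while the newest X-Spam-Status, the first one in the block, says No."""
    first = {}
    for name, value in headers:
        first.setdefault(name.lower(), value)
    status_no = first.get("x-spam-status", "").lower().startswith("no")
    tagged = first.get("subject", "").startswith("[SPAM]")
    return status_no and tagged and "x-spam-prev-subject" in first


def diagnose(raw):
    headers = parse_headers(raw)
    return {"reinjected_at": reinjected_hosts(headers),
            "tagged_but_status_no": tagged_but_status_no(headers)}
```

The same localhost Submit hop appears in the autolearn=ham headers quoted earlier on this page, so whichever mailbox's configuration applies on that second pass is the one that wrote the final X-Spam-Status.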