[OT] Odd spammer tactic?

2008-07-21 Thread Christopher Bort
This is really not a SpamAssassin issue, but since this list is 
populated by people who are interested in spammer behavior, I'm 
throwing it out for comment. If it's too far off topic, my 
apologies and I'll let it go at that.


At $DAYJOB I run a mail server and a name server for several 
domains, both our own and for clients. At home, I run a mail 
server and a name server for a couple of personal domains. The 
home name server is a slave for most of the domains hosted at 
$DAYJOB. The home mail server is _not_ configured to handle mail 
for any of the $DAYJOB domains and it is _not_ an MX for any of 
those domains. The only connection is that it is an NS for the 
$DAYJOB domains. These domains _do_ have $DAYJOB mail server as 
their MX.


For a while now, I've been seeing attempts to send mail to the 
home server for addresses in $DAYJOB domains. This is not a 
problem since the volume is low and they are being properly 
rejected as third-party relay attempts (authentication required 
- relay not permitted). However, the fact that someone is 
apparently trying to send mail to an NS instead of an existing 
MX has piqued my curiosity. It looks like it's all spam (the 
sender addresses tend to support that). So, has anyone else seen 
this sort of behavior and what could be the rationale for trying 
to deliver mail to an NS like this?


--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/



Re: [OT] Odd spammer tactic?

2008-07-21 Thread Christopher Bort

On 07/21/08 13:04, [EMAIL PROTECTED] (mouss) wrote:

> Christopher Bort wrote:
>
>> For a while now, I've been seeing attempts to send mail to the
>> home server for addresses in $DAYJOB domains. This is not a
>> problem since the volume is low and they are being properly
>> rejected as third-party relay attempts (authentication
>> required - relay not permitted). However, the fact that
>> someone is apparently trying to send mail to an NS instead of
>> an existing MX has piqued my curiosity. It looks like it's all
>> spam (the sender addresses tend to support that). So, has
>> anyone else seen this sort of behavior and what could be the
>> rationale for trying to deliver mail to an NS like this?
>
> it's the same as port scans. they look for open relays. they don't
> care if the host is an MX, an NS, a www or anything. they just connect
> to the IP and try to relay. I've seen this on hosts that nobody
> should have known about.

But they don't seem to be randomly looking for any open relay.
If they were just looking for open relays, wouldn't you expect
to see domains in the recipient addresses that have no
connection whatsoever with the target machine? In all of the
relay attempts I'm seeing on this mail server, the recipient
addresses are in domains for which the server is an NS. I don't
see any relay attempts where that is not true, which implies, I
think, that they do care that it's an NS. It seems like they're
looking for hosts that will deliver|relay messages for specific
domains, so why don't they just use the existing MX rather than
trying an NS host with which there's no reasonable expectation
that it will relay for the target domain? I suppose they could
be looking for back doors, but that seems like it would be a
very low probability undertaking.

> On the other hand, I also see attempts to connect to A hosts (thus
> ignoring MX definitions) and to old MXes. This is different as there
> is no relay attempt.

The RFCs allow for A hosts to be tried in the absence of MX
records, so there is some rationale for that, however weak it
may be.


--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/
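The observation in the reply above (every relay attempt targets a domain the host is an NS for, never an unrelated one) can be checked mechanically against the mail log instead of by eye. The following is an added example, not code from this thread or from any of its posters: it assumes Postfix-style "Relay access denied" reject lines (the thread's server reports the same condition with different wording), and the log lines, IP addresses and domain sets in it are constructed for illustration.

```python
"""Classify relay-denied log lines by the recipient domain's relationship to
this host: is the domain one we are NS-only for, one we are an MX for, or
unrelated?

Added example, not code from the mailing-list thread. Assumes Postfix-style
'Relay access denied' reject lines; all log lines, addresses and domain sets
below are constructed.
"""
import re
from collections import Counter

# Domains this host is an authoritative name server for but does NOT accept
# mail for (the "home server" situation in the thread). Constructed values.
NS_ONLY_DOMAINS = {"client-one.example", "client-two.example"}
# Domains this host really is an MX for. Constructed values.
LOCAL_MX_DOMAINS = {"home.example"}

# Matches the Postfix smtpd reject line for a relay attempt.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 <(?P<rcpt>[^>]+)>: Relay access denied; "
    r"from=<(?P<sender>[^>]*)>"
)

# Constructed sample log; the last line is not a reject and must be skipped.
SAMPLE_LOG = [
    "Jul 21 10:15:02 home postfix/smtpd[4211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 <bob@client-one.example>: Relay access denied; from=<promo@mailer.example> "
    "to=<bob@client-one.example> proto=ESMTP helo=<mailer.example>",
    "Jul 21 10:15:03 home postfix/smtpd[4211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 <alice@client-one.example>: Relay access denied; from=<promo@mailer.example> "
    "to=<alice@client-one.example> proto=ESMTP helo=<mailer.example>",
    "Jul 21 11:02:41 home postfix/smtpd[4299]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "554 5.7.1 <sales@client-two.example>: Relay access denied; from=<news@bulk.example> "
    "to=<sales@client-two.example> proto=ESMTP helo=<bulk.example>",
    "Jul 21 12:30:09 home postfix/smtpd[4350]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: "
    "554 5.7.1 <someone@unrelated.example>: Relay access denied; from=<x@bulk.example> "
    "to=<someone@unrelated.example> proto=ESMTP helo=<bulk.example>",
    "Jul 21 12:30:08 home postfix/smtpd[4350]: connect from unknown[203.0.113.9]",
]


def classify_domain(domain):
    """Return how this host relates to a recipient domain."""
    d = domain.lower().rstrip(".")
    if d in LOCAL_MX_DOMAINS:
        # A relay rejection for a domain we should accept mail for points at a
        # configuration problem on our side, not at the sender.
        return "local-mx"
    if d in NS_ONLY_DOMAINS:
        return "ns-only"
    return "unrelated"


def parse_reject(line):
    """Client IP, sender, recipient and recipient-domain class for one reject
    line; None for lines that are not relay rejections."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rcpt = m.group("rcpt")
    domain = rcpt.rpartition("@")[2]
    return {
        "ip": m.group("ip"),
        "sender": m.group("sender"),
        "rcpt": rcpt,
        "domain": domain,
        "class": classify_domain(domain),
    }


def summarize(lines):
    """Count relay rejections per recipient-domain class."""
    counts = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is not None:
            counts[rec["class"]] += 1
    return dict(counts)


def sources_by_class(lines):
    """Client IPs seen per class; handy when deciding whether the traffic is
    worth a rate limit or firewall rule at all."""
    out = {}
    for line in lines:
        rec = parse_reject(line)
        if rec is not None:
            out.setdefault(rec["class"], set()).add(rec["ip"])
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for rec in map(parse_reject, SAMPLE_LOG):
        if rec:
            print(f'{rec["class"]:10} {rec["ip"]:15} {rec["sender"]} -> {rec["rcpt"]}')
```

Run against a real log, a result of only "ns-only" entries supports the thread's reading that the sender picked this host because of the NS record; any "local-mx" entries are a misconfiguration to fix before anything else.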



Re: [OT] Odd spammer tactic?

2008-07-21 Thread Christopher Bort

On 07/21/08 14:09, [EMAIL PROTECTED] (Bob Proulx) wrote:

> Christopher Bort wrote:
>
>> In all of the relay attempts I'm seeing on this mail server, the
>> recipient addresses are in domains for which the server is an NS.
>
> They are looking for any connection possible.  A nameserver is an
> association.  They will hope that perhaps it allows mail.  Unlikely to
> the extreme but not inconceivable.
>
>> I think, that they do care that it's an NS. It seems like they're
>> looking for hosts that will deliver|relay messages for specific
>> domains, so why don't they just use the existing MX rather than
>> trying an NS host with which there's no reasonable expectation that
>> it will relay for the target domain?
>
> You are trying to apply logic to a situation to which no reason can be
> applied.  Spammers do not operate with a sanity of reason and logic.
> There is intelligence.  But bludgeoning others for their own gain only
> makes sense to them and not to members of society.

True enough. I suppose it's a good thing that I'm not entirely
able to think like a spammer.  ;-)

>> I suppose they could be looking for back doors, but that seems like
>> it would be a very low probability undertaking.
>
> Spammers base their existence upon extremely low probabilities
> multiplied by very large numbers of messages.

True again. Your comments essentially reflect my own assessment,
but I was curious enough about it to bring it up on a list like
this one to see if I was missing some twist that would make an
iota of sense, but I guess not. I'll let it go now.  8^)  Even
though there's no actual problem, it's still a low-grade
irritant to me that someone out there is stupid enough to bang
their head against this wall.


--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/



VBounce FPs

2008-06-30 Thread Christopher Bort
Neither of the two messages at http://pastebin.com/m76e8b461 
are bounce messages. They're both legitimate messages from the 
CommuniGate Pro mailing list, yet they both hit 
ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE. Comments?


--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/



Re: VBounce FPs

2008-06-30 Thread Christopher Bort

On 06/30/08 10:46, [EMAIL PROTECTED] (Matus UHLAR - fantomas) wrote:

> On 30.06.08 09:55, Christopher Bort wrote:
>> Neither of the two messages at http://pastebin.com/m76e8b461
>> are bounce messages. They're both legitimate messages from the
>> CommuniGate Pro mailing list, yet they both hit
>> ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE. Comments?
>
> The From: is set to postmaster which is a generic catch-all. The envelope
> from may be set to the same:
>
> From [EMAIL PROTECTED] Mon Jun 30 06:45:22 2008
> Return-Path: [EMAIL PROTECTED]
> Reply-To: CommuniGate Pro Discussions [EMAIL PROTECTED]
> Sender: CommuniGate Pro Discussions [EMAIL PROTECTED]
> To: CommuniGate Pro Discussions [EMAIL PROTECTED]
> From: Postmaster [EMAIL PROTECTED]
>
> ...all possible addresses but From are set to
> [EMAIL PROTECTED] and envelope from. This of needs fixing but
> I'd say the admin of the machine should allow CommuniGate Pro to set
> proper envelope from address...

Thanks for your response, Matus. I've passed it along to the
CGate Pro list's admin address, for what it's worth.  8^)


--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/



Re: VBounce FP

2008-05-19 Thread Christopher Bort

On 05/19/08 03:53, [EMAIL PROTECTED] (Justin Mason) wrote:

> Christopher Bort writes:
>
>> On 05/17/08 01:11, [EMAIL PROTECTED] (Justin Mason) wrote:
>>
>>> Stefan Jakobs writes:
>>>
>>>> On Friday 16 May 2008 20:45, Christopher Bort wrote:
>>>>
>>>>> The message at http://pastebin.com/m42c297fd [1] hit
>>>>> ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE despite the host that sent
>>>>> it (mailgw02.wolfnettech.com) being listed in my
>>>>> whitelist_bounce_relays. What might I have (?:missed|not
>>>>> understood) about VBounce?
>>>
>>> Christopher --
>>>
>>> what are your whitelist_bounce_relays, trusted_networks and
>>> internal_networks set to?
>>
>> whitelist_bounce_relays mail.homes-magazine.com
>> whitelist_bounce_relays mailgw02.wolfnettech.com
>> whitelist_bounce_relays levit.reacheach1.com
>> whitelist_bounce_relays smtp*.blackberry.com
>> whitelist_bounce_relays *.tcsn.net
>>
>> trusted_networks    66.224.197.128/27
>> internal_networks   66.224.197.156
>> internal_networks   66.224.197.130
>
> the sample doesn't fire those rules.  I presume it's incomplete --
> it seems to be missing the bounced message part, which is key!

Yes. As stated in my original message, pastebin blocked the
complete message as spam, so I posted it without the bounced
message part.

> Can you share a complete sample that displays the problem?

Attached.

--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/


Undelivered_Mail_Returned_to_Sender
Description: Binary data


Re: VBounce FP

2008-05-19 Thread Christopher Bort

On 05/19/08 15:16, [EMAIL PROTECTED] (Justin Mason) wrote:

>>> Can you share a complete sample that displays the problem?
>>
>> Attached.
>
> Thanks -- it looks like a bug.  I've opened
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5912 for it.

Thank you, I look forward to its resolution.  8^)

--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/



Re: VBounce FP

2008-05-18 Thread Christopher Bort
On 05/17/08 01:11, [EMAIL PROTECTED] (Justin Mason) wrote:

> Stefan Jakobs writes:
>> On Friday 16 May 2008 20:45, Christopher Bort wrote:
>>> The message at http://pastebin.com/m42c297fd [1] hit
>>> ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE despite the host that sent
>>> it (mailgw02.wolfnettech.com) being listed in my
>>> whitelist_bounce_relays. What might I have (?:missed|not
>>> understood) about VBounce?
>
> Christopher --
>
> what are your whitelist_bounce_relays, trusted_networks and
> internal_networks set to?

whitelist_bounce_relays mail.homes-magazine.com
whitelist_bounce_relays mailgw02.wolfnettech.com
whitelist_bounce_relays levit.reacheach1.com
whitelist_bounce_relays smtp*.blackberry.com
whitelist_bounce_relays *.tcsn.net

trusted_networks    66.224.197.128/27
internal_networks   66.224.197.156
internal_networks   66.224.197.130

-- 
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/
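To make concrete how the three settings posted above are applied to a relay, here is an added example that is not the VBounce plugin's own code and not from this thread: it turns each whitelist_bounce_relays glob into an anchored regular expression, tests an IP against trusted_networks / internal_networks with Python's ipaddress module, and pulls the relay's reverse-DNS name and IP out of a Received header. The config lines are the ones posted in the thread; the Received header and its IP are constructed, and the matching semantics ("*" spans any run of characters, the whole hostname must match, comparison is case-insensitive) are a simplified model assumed here, not a statement of the plugin's exact behaviour.

```python
"""Simplified model of how the SpamAssassin settings posted above
(whitelist_bounce_relays, trusted_networks, internal_networks) are matched
against one relay.

Added example, not the VBounce plugin's own code. Assumed semantics: '*' in a
whitelist entry matches any run of characters, the whole hostname must match,
and the comparison is case-insensitive. Config lines are the thread's; the
Received header and its IP are constructed.
"""
import ipaddress
import re

# The thread's configuration, verbatim apart from whitespace.
SAMPLE_CONFIG = """
whitelist_bounce_relays mail.homes-magazine.com
whitelist_bounce_relays mailgw02.wolfnettech.com
whitelist_bounce_relays levit.reacheach1.com
whitelist_bounce_relays smtp*.blackberry.com
whitelist_bounce_relays *.tcsn.net

trusted_networks    66.224.197.128/27
internal_networks   66.224.197.156
internal_networks   66.224.197.130
"""

# Constructed Received header in the common "from HELO (rDNS [IP])" form.
SAMPLE_RECEIVED = (
    "Received: from mailgw02.wolfnettech.com (mailgw02.wolfnettech.com "
    "[203.0.113.5]) by mail.example (Postfix) with ESMTP id 0A1B2C3D; "
    "Fri, 16 May 2008 20:10:00 -0700"
)

RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
)


def parse_config(text):
    """Collect the three settings. Each may appear on several lines and each
    line may carry several whitespace-separated values; a bare IP in a
    network setting is treated as a /32."""
    cfg = {"whitelist_bounce_relays": [], "trusted_networks": [], "internal_networks": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0] not in cfg:
            continue
        key, values = parts[0], parts[1:]
        if key == "whitelist_bounce_relays":
            cfg[key].extend(values)
        else:
            cfg[key].extend(ipaddress.ip_network(v, strict=False) for v in values)
    return cfg


def glob_to_regex(pattern):
    """Anchored, case-insensitive regex for one whitelist_bounce_relays glob."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def relay_is_whitelisted(hostname, patterns):
    host = hostname.rstrip(".")
    return any(glob_to_regex(p).match(host) for p in patterns)


def ip_in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_received(header):
    """(reverse-DNS name, falling back to HELO; IP) of the sending relay, or None."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return (m.group("rdns") or m.group("helo"), m.group("ip"))


def check_relay(header, cfg):
    """What the configuration says about the relay in one Received header."""
    parsed = parse_received(header)
    if parsed is None:
        return None
    host, ip = parsed
    return {
        "host": host,
        "ip": ip,
        "bounce_whitelisted": relay_is_whitelisted(host, cfg["whitelist_bounce_relays"]),
        "trusted": ip_in_networks(ip, cfg["trusted_networks"]),
        "internal": ip_in_networks(ip, cfg["internal_networks"]),
    }


if __name__ == "__main__":
    print(check_relay(SAMPLE_RECEIVED, parse_config(SAMPLE_CONFIG)))
```

As Justin Mason notes in the thread, the bounced message part is what matters for these rules, so the Received headers worth checking are the ones inside the bounce, and a sample with that part stripped cannot reproduce the false positive.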



VBounce FP

2008-05-16 Thread Christopher Bort
The message at http://pastebin.com/m42c297fd [1] hit 
ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE despite the host that sent 
it (mailgw02.wolfnettech.com) being listed in my 
whitelist_bounce_relays. What might I have (?:missed|not 
understood) about VBounce?



[1] The portion of the message that shows the original (bounced) 
message was blocked by pastebin as spam, so I've posted just the 
headers and body of the bounce message.


--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/



Re: No URIBL after upgrade to 3.2.4

2008-02-07 Thread Christopher Bort

On 02/04/08 16:33, [EMAIL PROTECTED] (Daryl C. W. O'Shea) wrote:

> Christopher Bort wrote:
>> I have recently upgraded a SpamAssassin installation from
>> 3.2.1 to 3.2.4. Since then URIBL hits have dropped to nearly
>> zero, where before there were several hundred per day.
>> Immediately after the upgrade, there were a handful of hits on
>> URIBL_BLACK, but I have not seen any at all in the last few
>> days. No configs have been changed with the upgrade, but
>> sa_update is run nightly via cron.
>
> Run a message that you expect an URIBL hit on through spamassassin -D
> and look at the debug output to find out what is going on.


Curious. A message that was run through SA by my mail server's 
helper without hits on any URIBL or RAZOR2 rules gets hits on 
multiple URIBL and RAZOR2 rules when fed to spamassassin -D 
manually. I will look into the possibility that the server's 
helper program is either misconfigured or is doing something 
wrong. Whatever it is doesn't seem terribly consistent at this 
point, though, because I continue to get plenty of RAZOR2 hits 
and a small handful of URIBL hits. At any rate, it warrants 
further investigation...


Thank you for your help.

--
Christopher Bort
[EMAIL PROTECTED]
http://www.thehundredacre.net/
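One quick way to pin down the helper-vs-manual difference described above is to diff the tests= lists from the X-Spam-Status headers the two runs produced. The following is an added example, not code from this thread: the two headers are constructed to mirror the situation described (URIBL and RAZOR2 rules present only in the manual run), and the list of "network" rule-name prefixes is this example's own assumption.

```python
"""Diff the rules that fired on one message in two SpamAssassin runs, using
the X-Spam-Status header each run produced.

Added example, not code from the thread. The two headers are constructed to
mirror the situation described (network rules hit only in the manual run);
NETWORK_FAMILIES is this example's own list of rule-name prefixes for rules
that depend on DNS or network lookups.
"""
import re

# Constructed: header written by the mail server's helper program.
HELPER_HEADER = (
    "X-Spam-Status: No, score=2.1 required=5.0 tests=BAYES_50,HTML_MESSAGE\n"
    "\tautolearn=no version=3.2.4"
)
# Constructed: header from a manual `spamassassin` run on the same message.
MANUAL_HEADER = (
    "X-Spam-Status: Yes, score=11.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
    "\tRAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL\n"
    "\tautolearn=no version=3.2.4"
)

NETWORK_FAMILIES = ("URIBL", "RAZOR2", "RCVD_IN", "DNS_FROM", "PYZOR", "DCC")


def unfold(header):
    """Undo RFC 5322 header folding: drop the line break, keep the whitespace."""
    return re.sub(r"\r?\n(?=[ \t])", "", header)


def spam_tests(header):
    """Set of rule names in the tests= list (empty when it reads 'none')."""
    names = []
    collecting = False
    for tok in unfold(header).split():
        if tok.startswith("tests="):
            collecting = True
            tok = tok[len("tests="):]
        elif collecting and "=" in tok:
            break  # the next key=value pair ends the list
        if collecting:
            names.extend(n for n in tok.split(",") if n)
    return {n for n in names if n != "none"}


def spam_score(header):
    m = re.search(r"\bscore=(-?[0-9.]+)", unfold(header))
    return float(m.group(1)) if m else None


def family(rule):
    """Network-lookup family a rule belongs to, or None for local rules."""
    for fam in NETWORK_FAMILIES:
        if rule == fam or rule.startswith(fam + "_"):
            return fam
    return None


def diff_runs(helper_header, manual_header):
    """Which rules, and which network families, the helper run lacks."""
    helper, manual = spam_tests(helper_header), spam_tests(manual_header)
    missing = manual - helper
    return {
        "only_in_manual": sorted(missing),
        "only_in_helper": sorted(helper - manual),
        "missing_network_families": sorted({family(r) for r in missing if family(r)}),
        "score_delta": spam_score(manual_header) - spam_score(helper_header),
    }


if __name__ == "__main__":
    for key, value in diff_runs(HELPER_HEADER, MANUAL_HEADER).items():
        print(f"{key}: {value}")
```

If the only rules missing from the helper's run are network ones, the rule set itself is unlikely to be the problem; the usual suspects are differences in the environment the helper runs SpamAssassin in, such as running as a different user with its own ~/.spamassassin settings or without working DNS, which a `spamassassin -D` run under that same user would show.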



No URIBL after upgrade to 3.2.4

2008-02-04 Thread Christopher Bort
I have recently upgraded a SpamAssassin installation from 3.2.1 to 
3.2.4. Since then URIBL hits have dropped to nearly zero, where before 
there were several hundred per day. Immediately after the upgrade, there 
were a handful of hits on URIBL_BLACK, but I have not seen any at all in 
the last few days. No configs have been changed with the upgrade, but 
sa_update is run nightly via cron. The upgrade was done with CPAN, after 
first making sure that all relevant Perl modules were up to date. Google 
doesn't show me anything about problems with URIBL and SA 3.2.4, so I'm 
inclined to think there's a problem with my particular installation. 

I'm getting hits on Razor rules, so other network checks are working, 
and I do have 'loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' in my 
init.pre. I'm not sure where to look next and I'd be grateful to be 
pointed in the right direction.