Re: copy spam mail to separate mailbox

2009-07-16 Thread Jack Pepper

Quoting Dan Schaefer d...@performanceadmin.com:



As that's really a postfix question, not a SpamAssassin question,  
if you don't get an answer here you may want to try on a postfix  
mailing list.
I know. Since everybody here is so great at answering my questions  
so far, I thought I'd try this list first.




$ cat .procmailrc
PMDIR=$HOME/Procmail  # Make sure this directory exists!
LOGFILE=$PMDIR/pmlog
LOG=

MAILDIR=$HOME/Mail
# VERBOSE=yes

:0
* ^Subject:.*\[SPAM\]
$HOME/Mail/Spam/

# EOF

This is about the simplest procmail recipe to do what you ask.  There  
are many much more robust examples in the googlesphere, but maybe this  
gets you started.


jp


--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: SORBS bites the dust

2009-06-26 Thread Jack Pepper

Quoting LuKreme krem...@kreme.com:


On 25-Jun-2009, at 16:01, John Rudd wrote:

People who complain that the PBL is blocking things that aren't spam
kind of don't get the point of the PBL.  The PBL's definition means
that it will block non-spam.  It should also block a lot of spam, but
the fact that it will block ham is not an indictment of the PBL.  It
just means that people who complain about that fact don't understand
the PBL.


If only more people understood this.  Thanks for the post John, you  
summarized it very well. If anyone ever whines about the PBL again,  
please repost.


John Rudd's post needs to be in the FAQ.

jp


--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: SORBS bites the dust

2009-06-25 Thread Jack Pepper
How long will this go before Godwin's law finally kicks in?  Now I'm  
just watching for the fun of it.


Quoting Res r...@ausics.net:


On Thu, 25 Jun 2009, rich...@buzzhost.co.uk wrote:


1. It's 'You're' a joke - not 'your' a joke


Ah, the classic sign of someone in defeat: has to nitpick someone's grammar.


2. You could always try setting up your Mickey Mouse 'blocked using
dnsbl.lan' restriction so it works properly LOL.


Actually, you were first blocked by a milter because your SPF record  
contains junk; get someone with a clue to set it up for you.


Your internal block list blocks this mail server's IP anyway, so pot,  
kettle, black, tosser.



3. The day I give a shit about what an Australian spammer thinks of me,
will be the day hell freezes over.


Oh, I'm a spammer now, am I? Awww, poor widdle wicky, go cry to mummy,  
or tell someone who gives a fuck.



--
Res

-Beware of programmers who carry screwdrivers


--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: Off Topic?

2008-12-05 Thread Jack Pepper

Have a look at Black hole DNS.  http://www.malwaredomains.com

jp

Quoting Ray Jette [EMAIL PROTECTED]:

Sorry if this is off topic. I am using a Microsoft DNS server. I am  
putting a big load on it with Mailscanner / Spamassassin and MTA  
RBL's. Would you recommend that I use a local BIND Cache server?  
Does anyone have any good resources as to how to set this up?


I have installed bind9 and bind-utils. I changed /etc/resolve.conf  
to be the following:

nameserver 127.0.0.1

When I did this the server was not able to resolve any names. Do I  
have to forward this name server to my Microsoft DNS server? Can it  
be configured to use the Root Hints?


Sorry about being off topic.

Thanks for the help.

Ray




--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: Fw: Antigen Notification: Antigen found a message matching a filter

2008-09-09 Thread Jack Pepper

Quoting Lars Ebeling [EMAIL PROTECTED]:

Got this after sending message earlier to this list.  Could someone  
here explain it?


The most apparent explanation would be that Antigen is being stupid.

jp




--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: [OT] Odd spammer tactic?

2008-07-25 Thread Jack Pepper

Quoting Matus UHLAR - fantomas [EMAIL PROTECTED]:



On 24.07.08 14:35, Michelle Konzack wrote:

Are there ANY legal reasons to declare someone's MX as their MX?


Yes, a mistake, or a false assumption by the ISP's client.


We have DNS server sharing relationships with some of our biz  
partners.  It gives us control over the DNS without having to horse  
around with ISPs that never get it right.  So we all get free backup  
DNS.


In one case that I know of, a friend of mine outsourced his DNS to a  
hosting provider just to be rid of the headache.



jp
--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: [OT] Odd spammer tactic?

2008-07-22 Thread Jack Pepper

Quoting Marc Perkel [EMAIL PROTECTED]:




Ramprasad wrote:


I don't care what it's written in but I'm thinking that xinetd  
might be easiest. What I want is something to record the IP  
address of any host connection to port 25. Then going to need it  
to run a one line script file that runs netcat (nc) and sends me  
data. Basically I just need the IP address. I have a collector  
program listening that feeds the blacklist system. The collector is.




Here is a little program I wrote a while back for just this purpose.   
Change lines 58ff as you see fit for your purposes.  I have modified  
the listening port to 25 and put plausible-looking banner lines on it.


Also, I have attached an RC file to start it up.  Let me know how it works out.

jp









--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Attachment: porkrind.pl (Perl program)
#! /bin/sh
#
# porkrind  Start/stop the porkrind.pl listener (records the IPs of
#           hosts that connect to port 25)
#

# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

RETVAL=0

case "$1" in
  start)
    echo -n 'Starting porkrind '
    daemon /usr/local/sbin/porkrind.pl
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/porkrind || RETVAL=1
    ;;
  stop)
    echo -n 'Shutting down porkrind '
    killproc /usr/local/sbin/porkrind.pl
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/porkrind
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    echo -n 'Checking for porkrind '
    status /usr/local/sbin/porkrind.pl
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac
exit $RETVAL


Re: blocking country domains.

2008-06-18 Thread Jack Pepper

Quoting raulbe [EMAIL PROTECTED]:



Thanks i guess.

 ... sarcastic responses this question received. A simple "this is not a good
idea and here is why..." would have sufficed, but thanks again to those who were
helpful.


Think of it as hazing the new guy, or good-natured ribbing,   
especially from the German readers.  You have to admit that asking a  
bunch of German users how to block the .de domain *is* a little funny.


jp


--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: netstat info-blacklist IP

2008-04-29 Thread Jack Pepper

Quoting Jean-Paul Natola [EMAIL PROTECTED]:

I did trace it back to this IP enewsletter11.ruceci.com  
(enewsletter.ruceci.com) [208.74.102.200]

which is a datacenter in KS: Arsalon Technologies LLC


Send them a friendly/helpful note (include packet traces or mail logs)  
since we will politely assume they don't know about it already.  Then  
shun the IP at the perimeter.




Is it safe to blacklist the IP? If so, I don't recall seeing info on
blacklisting IPs.


That's a matter of personal style.  I shun IP addresses and block  
incoming SMTP connections quite aggressively.  Users don't seem to  
mind; it keeps the bad traffic down.  In one week last month,  
perimeter blacklisting dropped 1.5 million incoming SMTP connections.   
I don't know what those people wanted to tell me, and I really don't  
care.  Every address is there because of some identifiable bot-related  
network behavior.


Some people think shunning is bad.

As we say in Nebraska,  ... but you gotta do what works for you.


By the way how can I get more data on why it timed out ?



Only if something shows up in your mail logs or firewall logs.

jp

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper



Maybe try these:

describe SILLYLONGDOMAINURI  Includes a very long domain name (> 8 levels)
uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
score SILLYLONGDOMAINURI  1.8

describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8

jp


Quoting Bookworm [EMAIL PROTECTED]:


I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to  
not so much check links, but count periods. Here's the example that  
just came in my email -


(removing http:// ) -  
connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm


Notice that there are ten periods.  That makes it be an eleventh  
level domain name? :)


In general, you see fewer than four periods in a domain name - but  
I've seen this sort of behavior in spams before. Thoughts?


(I'm just a general administrator.  I use other people's rules, I  
haven't had time to learn to make my own)


BW




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper

Oopsie - typo:

body should have been uri in the second one.


describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
uri SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8


jp
Quoting Jack Pepper [EMAIL PROTECTED]:




Maybe try these:

describe SILLYLONGDOMAINURI  Includes a very long domain name (> 8 levels)
uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
score SILLYLONGDOMAINURI  1.8

describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8

jp


Quoting Bookworm [EMAIL PROTECTED]:


I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule  
to not so much check links, but count periods. Here's the example  
that just came in my email -


(removing http:// ) -  
connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm


Notice that there are ten periods.  That makes it be an eleventh  
level domain name? :)


In general, you see fewer than four periods in a domain name - but  
I've seen this sort of behavior in spams before. Thoughts?


(I'm just a general administrator.  I use other people's rules, I  
haven't had time to learn to make my own)


BW




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper

Quoting John Hardin [EMAIL PROTECTED]:



Plus, you probably meant /^https?



right you are, sir.  thx

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper

Quoting Karsten Bräckelmann [EMAIL PROTECTED]:




 describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
 body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./


Have you ever seen these? Would it work, does any MUA or browser
silently collapse multiple dots?



I saw one of these in a phishing email.  I didn't know if it was  
supposed to be that way or not, but I was quite curious.  Firefox  
tries to connect to http://www..google.com . (click it and see)


Firefox will also try to connect to http://www.*.google.com .  On the  
blackhole DNS discussion boards, there were users reporting seeing  
wildcard (*) DNS entries in phishing emails.  Additionally, Yahoo and  
Flash both use wildcard DNS entries in their generated URLs. Is this  
SA evasion?


So as I pondered it, it seemed plausible that a phisher could create a  
zero-length subdomain which would evade scanning by regex processors  
(like SA) because it would not parse out as a valid URL.  But the  
browser will still try to connect.  Is this SA evasion?  Seems quite  
plausible.


Next up:  an SA rule to detect http:// followed by an invalid URL!

jp



--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
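As an added example (my own code, not from the thread and not SpamAssassin's own URI handling), the following Python applies the two uri rules posted earlier in this thread, with John Hardin's https? correction applied, to each URI found in a constructed message body, and beside them runs a label-based check that splits the captured host on dots. The label check flags the same long host and the doubled-dot host, and additionally the wildcard-label host that the posted regexes cannot match because `[a-z0-9_\-A-Z]+` does not admit `*`. The rule names LONG_HOST, EMPTY_LABEL and WILDCARD_LABEL, the permissive URI_RE capture and the sample body are assumptions of this example; the long host is the one Bookworm quoted above.

```python
import re

# The two uri rules posted in the thread, with John Hardin's https? fix applied.
# SpamAssassin runs a 'uri' rule against each URI it extracts from the body,
# so these are matched one URI string at a time (no /m modifier needed).
POSTED_RULES = {
    'SILLYLONGDOMAINURI': re.compile(r'^https?://([a-z0-9_\-A-Z]+\.){8,}'),
    'SILLYDOTSDOMAINURI': re.compile(r'^https?://([a-z0-9_\-A-Z]+\.)+\.'),
}

# Permissive host capture for the label-based check below (an assumption of
# this example): everything after the scheme up to the next '/', '?', '#',
# whitespace or '>'.  Odd hosts such as "www..example.com" or
# "www.*.example.com" survive this capture intact.
URI_RE = re.compile(r'https?://([^\s/?#>]+)', re.IGNORECASE)

def posted_rule_hits(uri):
    """Names of the posted rules that match one URI string."""
    return [name for name, rx in POSTED_RULES.items() if rx.match(uri)]

def host_labels(host):
    """Dot-separated labels of a host (port stripped), keeping empty labels so
    'www..example.com' yields ['www', '', 'example', 'com']."""
    return host.split(':', 1)[0].lower().split('.')

def label_check(host):
    """Structural checks on the host itself: more than 8 levels, an empty
    label (doubled, leading or trailing dot), or a wildcard label."""
    parts = host_labels(host)
    hits = []
    if len(parts) > 8:          # same threshold as the {8,} in the posted rule
        hits.append('LONG_HOST')
    if '' in parts:
        hits.append('EMPTY_LABEL')
    if '*' in parts:
        hits.append('WILDCARD_LABEL')
    return hits

def scan_body(body):
    """Map each http(s) host found in the body to the sorted list of rule
    names (posted rules plus label checks) that fire for it."""
    findings = {}
    for m in URI_RE.finditer(body):
        uri, host = m.group(0), m.group(1)
        hits = set(posted_rule_hits(uri)) | set(label_check(host))
        if hits:
            findings[host.lower()] = sorted(hits)
    return findings

# Constructed sample body: the long host is the one quoted by Bookworm above,
# the others are invented to exercise the empty-label and wildcard cases.
SAMPLE_BODY = """Please verify your account at
http://connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
or at http://www..google.com or https://www.*.google.com/login
Regards, http://www.example.com/
"""

if __name__ == '__main__':
    for host, hits in scan_body(SAMPLE_BODY).items():
        print(host, hits)
```

Running it lists the three suspicious hosts with the checks that fired and stays silent on www.example.com. The design point is that a rule written as a strict label regex only sees hosts whose every label is well-formed; capturing the host permissively and then inspecting its labels lets the same rule set see the malformed ones too.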




Re: Need help with bobax rules

2008-04-16 Thread Jack Pepper

Quoting Jeremy Fairbrass [EMAIL PROTECTED]:


HI Jack,
Any chance of sharing your rules for this?!

Cheers,
Jeremy


Sure:

score BOBAX_GEN_SPAM_2 1.800
header BOBAX_GEN_SPAM_2   ALL =~ /^Message-Id:[EMAIL PROTECTED]/m

describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

One fellow suggested that it might be more efficient to do this:

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

but I wasn't sure if SA would detect the incorrect case on the  
word message-id and then not realize the test, etc.  Any suggestions?


jp

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Need help with bobax rules

2008-04-15 Thread Jack Pepper
This info popped up on the emerging-Threats list.  I have watched our  
mail servers and have confirmed that it works.


The problem is that my attempts to create SpamAssassin rules for it never  
fire off.  Can I get some tutelage from the list on creating rules for  
these unique conditions:


Message IDs randomized, but always the same length per field, and  
uses Message-Id instead of Message-ID:


Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]

Intel from Joe Stewart at  Secureworks.

Message-Id capitalized incorrectly, and EJXVWDA appears in the  
middle of the random prefix:


Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]

Intel from Joe Stewart at  Secureworks.

First group increments over time. Last group is the IP in hex backwards.
Like so:

Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]

Thanks again to Joe Stewart for the intel!




Anything that hits is generated by bobax/kraken/oderoor and can be dropped.

jp
--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: Need help with bobax rules

2008-04-15 Thread Jack Pepper
I guess I don't need those rules.  I see now that INVALID_MSGID was  
already catching them.


Apologies for the noise on the list.

jp

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: Need help with bobax rules

2008-04-15 Thread Jack Pepper

Quoting Justin Mason [EMAIL PROTECTED]:



Jack Pepper writes:

I guess I don't need those rules.  I see now that INVALID_MSGID was
already catching them.

apologies for the noise on the list.




I found my problem in the FAQ.  I was missing the m on the end of  
the regex:


score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

Getting hits on it now.  Nice.




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
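Added example (my own code, not from the thread and not SpamAssassin's own header matching) covering both the BOBAX_GEN_SPAM rule shared earlier in this thread and the /m fix in this post: a Python version of the rule run against constructed messages. It shows why the rule never fired without the m modifier (without it, `^` only anchors at the start of the whole header block, so the pattern could only hit when Message-Id happened to be the very first header) and that the match is case-sensitive on the header name, so a message spelling it Message-ID does not hit even if its id contains the same string. The Message-Ids, addresses and hosts in the samples are invented placeholders; the example assumes ALL is the header block with one header per line and does not handle folded headers.

```python
import re

# The rule as posted (BOBAX_GEN_SPAM): anchored at line start, with the
# multiline modifier so '^' matches at the start of every header line.
BOBAX_RE = re.compile(r'^Message-Id:.*EJXVWDA', re.MULTILINE)
# The same pattern without /m: '^' now only matches at the start of the
# whole header block, which is why the first attempt never fired.
BOBAX_RE_NO_M = re.compile(r'^Message-Id:.*EJXVWDA')

def all_headers(raw):
    """Header block of a raw message: everything before the first blank line
    (a stand-in for SpamAssassin's ALL pseudo-header; folded headers are not
    handled in this example)."""
    return raw.split('\n\n', 1)[0]

def bobax_hit(raw, multiline=True):
    """True if the BOBAX_GEN_SPAM pattern matches the message headers."""
    rx = BOBAX_RE if multiline else BOBAX_RE_NO_M
    return rx.search(all_headers(raw)) is not None

def message_id_spelling(raw):
    """Exact spelling of the Message-Id header name as sent, or None."""
    m = re.search(r'^(Message-I[dD]):', all_headers(raw), re.MULTILINE)
    return m.group(1) if m else None

def summarize(raw):
    """Both variants of the rule plus the header spelling, for one message."""
    return {
        'with_m': bobax_hit(raw),
        'without_m': bobax_hit(raw, multiline=False),
        'header_name': message_id_spelling(raw),
    }

# Constructed messages: ids, addresses and hosts are invented placeholders.
# Bot-style message: lowercase-d "Message-Id" and EJXVWDA inside the id,
# with Received/From headers ahead of it as in a real delivery.
BOT_MSG = (
    "Received: from relay.example.invalid (constructed)\n"
    "From: someone@example.invalid\n"
    "Message-Id: <5c1e9EJXVWDA0b7f2@example.invalid>\n"
    "Subject: hi\n"
    "\n"
    "body\n"
)
# Same id, but Message-Id is the first header: the only case where the
# version without /m could ever match.
BOT_MSG_ID_FIRST = (
    "Message-Id: <5c1e9EJXVWDA0b7f2@example.invalid>\n"
    "From: someone@example.invalid\n"
    "\n"
    "body\n"
)
# Ordinary message with a properly spelled Message-ID.
HAM_MSG = (
    "From: colleague@example.org\n"
    "Message-ID: <20080415120000.GA1234@mail.example.org>\n"
    "Subject: lunch\n"
    "\n"
    "body\n"
)
# Properly spelled Message-ID whose id happens to contain the string: the
# rule keys on the bot's lowercase-d spelling, so this does not hit.
HAM_UPPER_MSG = (
    "From: colleague@example.org\n"
    "Message-ID: <9f3aEJXVWDA77c1@mail.example.org>\n"
    "\n"
    "body\n"
)

if __name__ == '__main__':
    for name, msg in [('BOT_MSG', BOT_MSG), ('BOT_MSG_ID_FIRST', BOT_MSG_ID_FIRST),
                      ('HAM_MSG', HAM_MSG), ('HAM_UPPER_MSG', HAM_UPPER_MSG)]:
        print(name, summarize(msg))
```

Whether SpamAssassin selects header names case-insensitively when a rule names `Message-ID` directly (the open question in the earlier post) is not settled by this example; matching against ALL with an explicit `^Message-Id:` anchor, as the posted rule does, makes the case check explicit regardless.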