Re: SPAM from a registrar
that’s nice, but useless unless you also take into account the size of the registrar, IOW the number of domains they registered in the same period.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Twitter : @cauce

On May 23, 2014, at 12:22 PM, James B. Byrne byrn...@harte-lyne.ca wrote:

> While the number of messages getting through has dropped off to near zero this morning I nonetheless took the time to look into registrars with respect to SPAM and found this interesting web site: http://rss.uribl.com/nic/
>
> As of this morning the top domain registrars with respect to spam origin are these:
>
> Top 100 Registrars with Blacklisted Domains for last 5 days
>
> Rank  Registrar                                                    Listed  Active  Percent
>    1  ENOM, INC.                                                     3335    7403   45.05%
>    2  GO DADDY SOFTWARE, INC.                                        1326   12718   10.43%
>    3  GMO INTERNET, INC. D/B/A ONAMAE.COM AND DISCOUNT-DOMAIN.COM    1080    1692   63.83%
>    4  REGRU-REG-RIPN                                                  592    1515   39.08%
>    5  PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM                         456    1660   27.47%
>    6  OVH                                                             321    1710   18.77%
>    7  MONIKER ONLINE SERVICES, INC.                                   233     488   47.75%
>  . . .
>
> If I read this correctly then one out of every two recently active Enom registered domains is engaged in SPAM activities. What I cannot tell is whether the total number of active domains refers to recent registrations (5 days old) or number of domains registered with Enom that have evidenced some Internet activity as measured by some indeterminate means.
>
> I also note that the 'Privacy' service for the spam site owner contact registered at Enom is Moniker. Who also has a one out of two ratio of spam domains to total active domains.
>
> If this information is accurate then it seems to me on the basis of the evidence that it is entirely reasonable to block email from domains registered with either Enom or Moniker; and GMO Internet looks like a good candidate as well.
>
> Comments?
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:byrn...@harte-lyne.ca
> Harte Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
Some changes at the AHBL
Begin forwarded message:

From: Brielle Bruns br...@2mbit.com
Subject: [SDLU List] Some changes at the AHBL
Date: March 26, 2014 at 11:59:13 AM EDT

Hey All,

So, this has been a long time coming, but figured I'd make the announcement. I'm winding down the public DNSbl services of the AHBL. This means the dnsbl.ahbl.org, ircbl.ahbl.org, rhsbl.ahbl.org lists are all going away, as is the public lookup/removal tool.

There's a few reasons why this is coming about - one of them being that I feel that I've accomplished what I set out to do with the AHBL. We had an 11 year run - quite good IMHO. We've been sued (and won), DDoS'd, Real Life(tm) stalked, had other people in this community turn their backs on us because we made some hard decisions they didn't agree with... List could go on for a while.

=-=-=-=

I expect that over the next few days (Sat. at the latest) I'll be clearing out the three main zones of data, and removing their NS records shortly after. I'm planning Jan 1st, 2015 to wildcard the DNSbl zones for anyone that doesn't bother to maintain their mail services.

The website isn't going anywhere, neither is any of our docs and things like the kook mail.

We do have some private services that will keep running - and I'm likely going to be offering invitations to our private DNSbl list at some point in the near future. There is a good chance that I'll be reopening the RHSbl under a new name down the line as well.

Anyways, hit me up on-list or off-list if you have any questions or comments.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org

__
List Guidelines: http://www.new-spam-l.com/admin/faq.html
List Information: https://spammers.dontlike.us/mailman/listinfo/list
(C) Copyright - The Author This List. No part of this document may be used or reproduced in any manner whatsoever without prior written permission.
Re: bit.ly and Spamhaus DBL
On Mar 5, 2014, at 10:40 PM, Neil Schwartzman n...@cauce.org wrote:

> Yeah. An abused, and abusive redirector. They only deal with abuse Monday-Friday, 9:00-17:00.* They never break links, but put an interstitial in between the victim and the payload. Gee thanks.

BTW spamhaus aren’t the only ones fed up with Bit.ly’s laconic attitude towards abuse.

> The URL you recently submitted has been accepted as a phishing site by Netcraft.
> URL: https://bit . ly/OZVosY
Re: Who wants to trade data?
On Feb 7, 2014, at 6:08 AM, Benny Pedersen m...@junc.eu wrote:

> On 2014-02-07 01:33, Noel Butler wrote:
>
>> else we'd have seen a url in one of his posts advertising it, therefore can be considered UCE
>
> agree if its free to download its not spam, i just think its the grey zone here

Sorry, no. The cost of a payload isn’t relevant to the determination of whether something is spam. Spam is unsolicited and (generally) bulk. I am offered ‘free’ subscriptions to things all the time, by spam.

That said, i think someone offering anti-spam data to an anti-spam list is *collegial*, not spam, and the fact that it is free is even more collegial.
Re: Detecting very recently registered domain names
On Jan 6, 2014, at 8:45 AM, hospice admin hospice...@outlook.com wrote:

> ... its not like NOMINET give a darn about spam, is it??

Nominet are arguably one of the few registrars that very much do care about spam, AFAIK. I know several staffers and former staffers whose job it was to deal with messaging and other types of abuse among registrants.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Twitter : @cauce
Re: Offtopic: SpamCop refuses to receive reports
they will suspend your account if you have bounced confirmation mail, or submitted poorly. I’d ask deput...@spamcop.net

On Nov 12, 2013, at 10:02 AM, Jari Fredriksson ja...@iki.fi wrote:

> Nov 12 19:52:14 wellington report[1601]: reporter: SpamCop report to vmx.spamcop.net failed: 550 #5.7.1 Your access to submit messages to this e-mail system has been rejected.
> Nov 12 19:52:14 wellington report[1601]: reporter: could not report spam to SpamCop
>
> Has something changed in their policy or what has happened? Any ideas?
>
> --
> jarif.bit

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce
Re: Wishing You Happy New Year !
On Nov 2, 2013, at 5:11 AM, sonidha...@gmail.com wrote:

> Greetings card Link: http://www.youtube.com/watch?v=zXj3CGGXJGc
> I hope that in this year to come, you make mistakes.

you certainly seem to have started the year out well. harismruti. com is the payload mentioned in the youtube video

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce
Re: How to get removed from spamcop?
you have to sign up for that service, and depending upon how your network is set up, you may not be able to receive such reports. I suggest people take a look at all the FBLs at http://blog.wordtothewise.com/tag/fbls/ as well

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce

On Oct 29, 2013, at 5:18 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On 28.10.13 14:06, Marc Perkel wrote:
>
>> Just wondering if any real people are there or if it's totally automated. They have several of our IP addresses listed and delisting doesn't seem to work. We're a spam filtering company (Junk Email Filter) and if we fail to block a spam it can appear we are the source.
>
> Aren't they sending you notifications about spam they got from you? They don't do it only for spam sent to their spam traps, but even in such cases they might provide you filtered headers
Re: How to get removed from spamcop?
On Oct 29, 2013, at 9:19 AM, Benny Pedersen m...@junc.eu wrote:

> Marc Perkel skrev den 2013-10-28 22:06:
>
>> Just wondering if any real people are there or if it's totally automated. They have several of our IP addresses listed and delisting doesn't seem to work. We're a spam filtering company (Junk Email Filter) and if we fail to block a spam it can appear we are the source.
>
> and ?, do you see your own logs who use spamcop.com as rbl ?
>
> http://www.mywot.com/en/scorecard/spamcop.com
>
> users of wot don't trust them

well no, especially since the correct address is spamcop.NET

https://www.mywot.com/en/scorecard/spamcop.NET
Re: Outbound filtering (was Re: How to get removed from spamcop?)
On Oct 29, 2013, at 9:31 AM, David F. Skoll d...@roaringpenguin.com wrote:

> On Mon, 28 Oct 2013 21:42:29 -0400 (EDT) John R. Levine jo...@iecc.com wrote:
>
>> But outbound filtering is far more useful when it, you know, actually works.
>
> Outbound filtering is far trickier than inbound filtering. Unless you really want to annoy your customers, you have to hold suspect mail (anything scoring let's say 5.0 to 8.0 or so on SpamAssassin's scale) for review rather than rejecting outright. Once you start having more than a few thousand outbound users, you end up spending a lot of time reviewing suspect mail.
>
> We take another approach and apply per-sender rate-limits. If a given sender or IP sends to more than X recipients in a given window of time, we hold all mail from that sender/IP and alert. This has enabled us to catch and shut down several phished accounts over the last few months.
>
> Rate-limiting also helps if a phished account is used to blast out large quantities of spam that nevertheless are not detected as spam by content filtering.

Given my experience working as the guy charged with outbound spam at a major freemail provider, i can say this : the difficulty with a rate-limiting approach is the criminals reverse-engineer it pretty quickly, and just spread the joy over numerous accounts. generally speaking, they pretty much trickle spam out over ATOed accounts instead of doing it all in one fell (foul?) swoop.

But yeah, i think John underestimates how difficult it is to do outbound filtering for more than a few dozen users who expect their mail to be delivered immediately, for some value of immediately.

Emailin’ ain’t easy.
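The per-sender hold-and-alert approach from the exchange above, written out as an added example (not code from the thread or from Roaring Penguin). It counts recipients per authenticated sender in a sliding window, and also per source IP, because the trickle-across-many-accounts pattern described in the reply stays under any per-account limit. The log format, thresholds and log lines are all constructed for the example.

```python
"""Per-sender and per-IP outbound rate limiting over a sliding window.

Added example; not code from the thread. Hold and alert once a sender or an
IP exceeds X recipients in a window (the approach described in the thread).
Tracking the source IP as well catches a run spread over many compromised
accounts that each stay under the per-sender limit. Log format, thresholds
and sample lines are assumptions constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound log: "<ISO timestamp> <authenticated sender> <client IP> <recipients>"
SAMPLE_LOG = """\
2013-10-29T09:00:00 alice@example.org   192.0.2.10   2
2013-10-29T09:00:30 alice@example.org   192.0.2.10   3
2013-10-29T09:01:00 mallory@example.org 198.51.100.7 40
2013-10-29T09:01:30 mallory@example.org 198.51.100.7 45
2013-10-29T09:02:00 bob@example.org     198.51.100.7 20
2013-10-29T09:02:30 carol@example.org   198.51.100.7 20
2013-10-29T09:03:00 dave@example.org    198.51.100.7 20
2013-10-29T09:20:00 alice@example.org   192.0.2.10   4
"""


class OutboundRateLimiter:
    """Sliding-window recipient counter keyed by ("sender", addr) and ("ip", addr)."""

    def __init__(self, window=timedelta(minutes=10), sender_limit=80, ip_limit=100):
        self.window = window
        self.sender_limit = sender_limit
        self.ip_limit = ip_limit
        self._events = defaultdict(deque)   # key -> deque of (timestamp, rcpt count)
        self._totals = defaultdict(int)     # key -> recipients inside the window
        self.held = set()                   # keys whose mail is being held for review

    def _count(self, key, ts, rcpts):
        """Add an event, expire events older than the window, return the window total."""
        q = self._events[key]
        q.append((ts, rcpts))
        self._totals[key] += rcpts
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:
            _, old = q.popleft()
            self._totals[key] -= old
        return self._totals[key]

    def observe(self, ts, sender, ip, rcpts):
        """Record one delivery attempt; return the alert strings it raised (usually none)."""
        alerts = []
        checks = (
            (("sender", sender), self._count(("sender", sender), ts, rcpts), self.sender_limit),
            (("ip", ip), self._count(("ip", ip), ts, rcpts), self.ip_limit),
        )
        for key, total, limit in checks:
            if total > limit and key not in self.held:
                self.held.add(key)      # hold everything from this key until a human reviews it
                alerts.append(f"{ts.isoformat()} hold {key[0]} {key[1]}: "
                              f"{total} recipients in {self.window}")
        return alerts

    def is_held(self, sender, ip):
        """Mail is held if either the account or the source IP has tripped a limit."""
        return ("sender", sender) in self.held or ("ip", ip) in self.held


def parse_line(line):
    ts, sender, ip, rcpts = line.split()
    return datetime.fromisoformat(ts), sender, ip, int(rcpts)


def replay(log_text, limiter=None):
    """Feed a log through the limiter; return (limiter, alerts) for inspection."""
    limiter = limiter or OutboundRateLimiter()
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(limiter.observe(*parse_line(line)))
    return limiter, alerts


if __name__ == "__main__":
    lim, found = replay(SAMPLE_LOG)
    for a in found:
        print(a)
    # bob never tripped the per-sender limit, but his source IP did
    print("bob held (via IP):", lim.is_held("bob@example.org", "198.51.100.7"))
```

In the sample, mallory trips the per-sender limit alone, while bob, carol and dave each stay under it and are only caught because the shared IP crosses the aggregate limit.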
Re: How to get removed from spamcop?
or wait 24 hours for the listing to expire. that said deput...@spamcop.net works just fine.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce

On Oct 28, 2013, at 3:08 PM, John Levine jo...@taugh.com wrote:

>> Just wondering if any real people are there or if it's totally automated.
>
> I've never had any trouble getting replies to polite inquiries.
>
>> They have several of our IP addresses listed and delisting doesn't seem to work. We're a spam filtering company (Junk Email Filter) and if we fail to block a spam it can appear we are the source.
>
> Uh, Marc, if the spam comes out of your servers, you ARE the source. Nobody but you cares about your business model.
>
> R's,
> John
Re: Strange URIBL_SBL false positive?
On Oct 17, 2013, at 6:49 AM, Tom Hendrikx t...@whyscream.net wrote:

> Basically the description Contains an URL listed in the SBL blocklist [URIs: example.com] is false, incorrect, not false, which implies maliciousness.

I believe Spamhaus only recently, for some value of recently, started doing NS listings with deeper dives that show up on an SBL listing. I personally feel it is a good thing, since the result is a positive one, but yes, the annotation in SA should be adjusted to indicate this aspect of the DNSBLs listings.

On Oct 17, 2013, at 5:00 AM, Tom Hendrikx t...@whyscream.net wrote:

> We had this too for one of our customers. Your problem is that one of the nameservers of the domain is listed: http://www.spamhaus.org/query/ip/151.1.141.150
>
> I'm not really sure whether it's a feature or a bug that the rule/plugin goes that deep while searching for possible wrongdoing ip addresses...
Re: one word spam (continued)
List verification. Many receiving sites will block after X bounces, clean up your list from 550s, and spam the real thing from another botted IP.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce

On Oct 16, 2013, at 8:41 AM, Ted Mittelstaedt t...@ipinc.net wrote:

> Dumb question here perhaps - how exactly would sending a single word to a victim help a spammer? Why would they do it?
>
> Ted
>
> On 10/16/2013 8:33 AM, Martin Gregorie wrote:
>
>> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>>
>>> Hi everyone
>>>
>>> If I use digest mode how do I reply to a specific mail?
>>>
>>> In reply to axb... about one word spam
>>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>>
>>> here is the sample
>>> http://pastebin.com/download.php?i=0D7tfsjf
>>>
>>> Can you help with some regex pls?
>>
>> Not one word is it? However, this catches it:
>>
>> /\s{0,80}\S{1,20}\s{0,80}/
>>
>> Be aware that messages like your example are quite common between friends, so I personally would be wary of using this type of regex outside a meta-rule.
>>
>> Martin
>>
>>> Tks
Re: Is EndOfSpam a known scam?
On Sep 2, 2013, at 9:26 AM, Marcus Loxx marcus.loxx.4...@gmail.com wrote:

> Hello. My name is Marcus Loxx. First, please let me know if this is the correct way to post a question. Second, the question is more about spam filtering in general than SpamAssassin, but I couldn't think of a better place to post it. If the Users list is not a good place to post this question, I would greatly appreciate an appropriate recommendation.
>
> Pretty much there is some software called EndOfSpam made by someone called Desmond Fox and I want to know if the software isn't malicious. The web address is https://sites.google.com/site/desmondfoxendofspam/home
>
> I send and get a lot of email, and I found it when I got a reply email from someone I had never emailed before. I tried looking for more information on it, but other than the address above, which I only found in the reply email I got, there doesn't seem to be anything about it anywhere.
>
> I know you can't tell me if it is safe or not because we live in such a litigious society, but do you know if this is a known scam or something?

> Hello. My pseudonym is Desmond Fox, and welcome to the EndOfSpam web page. This is an old, but as far as I can tell, never implemented idea for getting rid of spam emails. The idea is to charge emailers to send the emailee an email. The details are a little bit more complicated than that, but not much (explained below).

If I were able to charge mailers I'd be a very wealthy man, depending upon the exchange rate with the ruble.

forget it. this idea has been stinking up the hallways for a very long time. no, it won't work, because no-one will pay. If you need a reference, ask Bill Gates how 'penny black' worked ten years ago.
Re: Catching fake LinkedIn invites
On Aug 29, 2013, at 4:40 AM, RW rwmailli...@googlemail.com wrote:

> On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:
>
>> On 29-Aug-2013 00:30, John Hardin wrote:
>>
>>> On Wed, 28 Aug 2013, Michael Schaap wrote:
>>>
>>>> Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?
>>>
>>> Do they fail SPF or DKIM?
>>
>> The From: header is at linkedin dot com, but the envelope sender is a random address
>
> I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

no need to guess

Received: by 10.217.45.68 with SMTP id a46csp19989wew; Wed, 28 Aug 2013 13:57:59 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com. [2001:470:1f07:1126:0:4c:6569:6c61]) by mx.google.com with ESMTPS id x3si106237qas.146.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Received: (qmail 12685 invoked by uid 1014); 28 Aug 2013 20:57:57 -
Received: (qmail 12680 invoked from network); 28 Aug 2013 20:57:57 -
Received: from mailc-fa.linkedin.com (mailc-fa.linkedin.com [199.101.162.77]) by smtp.abuse.net ([64.57.183.109]) with ESMTP via TCP port 34167/25 id 539419450; 28 Aug 2013 20:57:53 -
X-Received: by 10.229.179.137 with SMTP id bq9mr10582950qcb.11.1377723478996; Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Return-Path: m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
Received-Spf: softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) client-ip=2001:470:1f07:1126:0:4c:6569:6c61;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) smtp.mail=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com; dkim=pass header.i=@linkedin.com; dmarc=pass (p=REJECT dis=NONE) d=linkedin.com
Authentication-Results: iecc.com; spf=pass spf.mailfrom=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com header.b=yTQxEigD; dmarc=pass header.from=linkedin.com policy=reject
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on leila.iecc.com
X-Spam-Level:
X-Spam-Status: No, score=-12.6 required=4.4 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE,RP_MATCHES_RCVD autolearn=unavailable version=3.3.2
Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=LeVz8j1vCA5eInVlQoy1R2cc1m/KJfCNOIy5A2oT9InYxvEtsqqPICJbTROiCnxV XhZhEtvh/z/E9qxYnqjrs8jsPNaiPoS3k/2giZoCAviri4PtQUa0ItD2SpYN3iUh
Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1377723459; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=M1AJY3ogQKLz5Vc1bK3tB2dbd58=; b=yTQxEigDySwE9gynJ5UlILn2G6myZ9XiHShT5BhUjukBwllSRqgBaf/7BAiDD4Ku 7OPkXtp14RZzykua0KXcIayOc+xpL2EriMQVX5mDkjbriBF5sFGK1kk+WqnGIIjk HRgzzsg2CDIY34jlet+qfM9+BiEEs3WYi+q5hmun0m0=;
Sender: messages-nore...@bounce.linkedin.com
Message-Id: 1271127196.48543013.1377723459176.javamail@ela4-app2520.prod
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_48543007_1435785298.1377723459174
X-Linkedin-Template: anet_digest_type
X-Linkedin-Class: GROUPDIGEST
X-Linkedin-Fbl: m-pNHvq1bOcYM0uxG7j38mb1bv9RRMgop7tfdwzEyGlxBMrDufU1n
X-Dcc-Iecc-Metrics: leila.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
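What the headers above actually give a filter to work with is identifier alignment: the genuine invite carries a DKIM pass for d=linkedin.com and a MAIL FROM under bounce.linkedin.com, while the fakes have linkedin.com only in From:. The following is an added example, not code from the thread or from LinkedIn, that parses Authentication-Results values and asks whether any passing DKIM or SPF result aligns with the From: domain. The two real header values are copied from the message above; the forged-invite header and the From: line are constructed, and org_domain() uses a last-two-labels rule in place of the Public Suffix List that real DMARC evaluation uses.

```python
"""Does any passing SPF/DKIM result align with the From: domain?

Added example; not code from the thread. Parses Authentication-Results
(RFC 7001 style) and applies relaxed DMARC-style alignment. The two real
values come from the genuine LinkedIn invite in the thread; FAKE_AR and
REAL_FROM are constructed. org_domain() is a simplification (last two
labels) of the Public Suffix List logic real DMARC uses.
"""
import re

# Real Authentication-Results values from the genuine invite's headers.
IECC_AR = (
    "iecc.com; spf=pass "
    "spf.mailfrom=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com "
    "spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com "
    "header.b=yTQxEigD; dmarc=pass header.from=linkedin.com policy=reject"
)
GOOGLE_AR = (
    "mx.google.com; spf=softfail (google.com: domain of transitioning "
    "m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com "
    "does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) "
    "smtp.mail=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com; "
    "dkim=pass header.i=@linkedin.com; dmarc=pass (p=REJECT dis=NONE) d=linkedin.com"
)
# Constructed: a forged invite whose envelope sender is a random address.
FAKE_AR = (
    "mx.example.net; spf=pass smtp.mailfrom=xk9qz@randomhost-3321.example; "
    "dkim=none; dmarc=fail (p=REJECT) header.from=linkedin.com"
)
# Constructed From: line; both real and fake invites show linkedin.com here.
REAL_FROM = "From: LinkedIn Groups <groups-noreply@linkedin.com>"


def strip_comments(value):
    """Drop parenthesised comments; they may contain '=' and ';' and are not data."""
    return re.sub(r"\([^()]*\)", "", value)


def parse_auth_results(value):
    """Return {'authserv': id, 'results': [{'method', 'result', 'props'}, ...]}."""
    parts = [p.strip() for p in strip_comments(value).split(";") if p.strip()]
    authserv = parts[0].split()[0]          # first segment is the authserv-id
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results.append({"method": method, "result": result, "props": props})
    return {"authserv": authserv, "results": results}


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption of this example)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def from_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def dmarc_aligned(from_dom, auth):
    """(aligned, reasons): DKIM pass with d= in the From org domain, or SPF pass
    whose MAIL FROM domain is in the From org domain (relaxed alignment)."""
    want = org_domain(from_dom)
    reasons = []
    for r in auth["results"]:
        p = r["props"]
        if r["method"] == "dkim" and r["result"] == "pass":
            d = p.get("header.d") or p.get("header.i", "").split("@")[-1]
            if d and org_domain(d) == want:
                reasons.append(f"dkim aligned ({d})")
        elif r["method"] == "spf" and r["result"] == "pass":
            mf = p.get("spf.mailfrom") or p.get("smtp.mailfrom") or p.get("smtp.mail", "")
            d = mf.split("@")[-1]
            if d and org_domain(d) == want:
                reasons.append(f"spf aligned ({d})")
    return bool(reasons), reasons


def invite_is_authentic(from_header, ar_value):
    """True when the From: domain is backed by an aligned DKIM or SPF pass."""
    return dmarc_aligned(from_domain(from_header), parse_auth_results(ar_value))[0]


if __name__ == "__main__":
    for label, ar in (("iecc", IECC_AR), ("google", GOOGLE_AR), ("fake", FAKE_AR)):
        print(label, dmarc_aligned(from_domain(REAL_FROM), parse_auth_results(ar)))
```

Note that the Google result shows SPF softfail (the message had been forwarded through leila.iecc.com) yet still aligns through DKIM, which is why DKIM is the identifier worth checking for a forwarded invite.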
Re: Big problems with senders who use Microsoft Bigfish (a.k.a. FrontBridge)
Alternatively, I pulled fire alarms at Microsoft and it is very possible people at Spamhaus also spent reacting to your email because of the erroneous information posted. So while John may have been slightly impolitic, and fairly rude, he isn't wrong, and it isn't about ego (in this case). I cannot comment as to his current state of crust, will advise.

On Aug 16, 2013, at 7:06 AM, Nigel Smith gb10hkzo-...@yahoo.co.uk wrote:

>> In the future, if you're not prepared to show the actual problem with their actual data, please don't waste our time.
>
> You know that's the sort of thing I hate about the Open Source community, the big ego trips by the crusty old dudes who've been around forever and enjoy giving the relative newbies a hard time. I lost count of how many times I apologised to the list for not making it clear in my original post. Everyone else seemed to accept that apology, but obviously you're one of those hard-core mailing list guys who would rather see me sent to the gallows for what was a pretty minor error in the grand scheme of things.
Re: DHL From Russia
On Aug 9, 2013, at 6:16 AM, Thomas Harold thomas-li...@nybeta.com wrote:

> We see a few of these each week, not sure if they are from Russia: http://pastebin.com/iBmELtSh

Not really that difficult to block.

31.24.139.73 Senderscore of '3' (out of 100)
https://senderscore.org/lookup.php?lookup=31.24.139.73&ipLookup=Go

Email Reputation Poor
http://www.senderbase.org/lookup?search_string=31.24.139.73
Re: Blocking new spam wave
On Jul 19, 2013, at 10:35 PM, Andrea m...@vp44.net wrote:

> Hi all. Since a few days ago I'm being buried under spam messages that slip through my amavis/SA setup. The messages all look alike: plaintext with random junk + URL in the body.
>
> Pastebin with a few examples here: http://g2z.me/ed64d
>
> I've tried running a sa-update but I don't have enough samples (yet). The thing that bothers me is that all the messages have been classified as HAM by the auto learn (which I have now disabled).
>
> What could be an effective rule/ruleset to block emails like this?

The emitting IPs appear to be on some fairly prominent blacklists :

65.20.0.50 http://multirbl.valli.org/lookup/65.20.0.50.html
Blacklisted: 10 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0

210.188.175.148 http://multirbl.valli.org/lookup/210.188.175.148.html
Blacklisted: 14 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0

217.16.6.131 http://multirbl.valli.org/lookup/217.16.6.131.html
Blacklisted: 17 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0

The problem, or at least part of it, is that the payloads are all redirects via compromised legitimate sites on hosting companies

http://prembhatiatrust . com/public-sex.html?cuzahetysu
http://auto-atendimentos . info/algerie.html?japu
http://chapcanhuocmo . vn./springbreak.html

prembhatiatrust. com | Creation Date: 23-apr-2002 | 74.208.211.99
auto-atendimentos. info | Created On:30-Mar-2013 11:25:09 UTC | 173.192.200.207
chapcanhuocmo. vn | Ngày đăng ký: 04-04-2011 | 222.255.29.22

for those who care, the ultimate payloads are:

mega-hot-sites . com
hot-hot-sites . com
lovely-sites . com

all sitting on 213.183.59.30 (anders. ru) which has a couple NS SBLed, which cover all of the payloads (1):

ns1.eliteadultsites. com 213.183.59.30 SBL
ns2.eliteadultsites. com 213.183.59.30 SBL

Passive DNS for 213.183.59.30_32 Records found: 31 (moved 404 elided)

(1)

Domain Name: COOL-COOL-SITES . com
Registrar: BIZCN . com, INC.
Whois Server: whois.bizcn . com
Referral URL: http://www.bizcn . com
Name Server: NS1.ELITEADULTSITES . com
Name Server: NS2.ELITEADULTSITES . com
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 15-jun-2013
Creation Date: 16-nov-2012
Expiration Date: 16-nov-2013

Domain Name: ELITEADULTSITES . com
Registrar: BIZCN . com, INC.
Whois Server: whois.bizcn . com
Referral URL: http://www.bizcn . com
Name Server: NS1.ELITEADULTSITES . com
Name Server: NS2.ELITEADULTSITES . com
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 15-jun-2013
Creation Date: 16-oct-2012
Expiration Date: 16-oct-2013

Domain Name: FINEADULTVIDEO . com
Registrar: BIZCN . com, INC.
Whois Server: whois.bizcn . com
Referral URL: http://www.bizcn . com
Name Server: NS1.ELITEADULTSITES . com
Name Server: NS2.ELITEADULTSITES . com
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 15-jun-2013
Creation Date: 05-oct-2012
Expiration Date: 05-oct-2013

Domain Name: HOT-HOT-SITES . com
Registrar: BIZCN . com, INC.
Whois Server: whois.bizcn . com
Referral URL: http://www.bizcn . com
Name Server: NS1.ELITEADULTSITES . com
Name Server: NS2.ELITEADULTSITES . com
Status: clientDeleteProhibited
Status: clientTransferProhibited
Re: spamcop spamassassin reporting
On Jul 20, 2013, at 12:16 AM, AndreaS Schamanek scham...@fam.tuwien.ac.at wrote:

> Giles Coochey wrote:
>
>> Is there a current issue with reporting to spamcop?
>
> I had problems, too. Though, in my case I just got a warning message on the Spamcop web interface saying that messages sent to me were bouncing with 5.1.0 - Unknown address error which was very probably due to problems on Spamcop's side. I don't know more, though.

On Jul 20, 2013, at 5:17 AM, SpamCop Admin serv...@spamcop.net wrote:

> We were running a parallel process that caused false bounces.
Re: PayPal spam filter?
On Jun 12, 2013, at 3:37 PM, Daniel McDonald dan.mcdon...@austinenergy.com wrote:

> I believe Paypal is DKIM signed,

Sure is. Also DMARCed and SPFed too.

;; QUESTION SECTION:
;paypal.com. IN TXT

;; ANSWER SECTION:
paypal.com. 7 IN TXT v=spf1 include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all

; <<>> DiG 9.8.3-P1 <<>> _adsp._domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_adsp._domainkey.paypal.com. IN A

;; AUTHORITY SECTION:
paypal.com. 60 IN SOA ppns1.phx.paypal.com. hostmaster.paypal.com. 2010186301 7200 900 86400 60

;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 13 15:05:47 2013
;; MSG SIZE rcvd: 102

localhost:durbl spamfighter$ dig _domainkey.paypal.com

; <<>> DiG 9.8.3-P1 <<>> _domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1064
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_domainkey.paypal.com. IN A

;; AUTHORITY SECTION:
paypal.com. 60 IN SOA ppns1.phx.paypal.com. hostmaster.paypal.com. 2010186301 7200 900 86400 60

;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 13 15:06:27 2013
;; MSG SIZE rcvd: 96
Re: Massive spamruns
Uhm. perhaps some snippets from the maillogs, or examples?

On Jun 12, 2013, at 5:59 AM, polloxx poll...@gmail.com wrote:

> Dear list,
>
> We see massive spamruns since begin june. Are other people also similar runs? They fill our maillog. Fortunately most is blocked.
Re: Interesting Spam Trap Idea - Fake Authentication
On Jun 10, 2013, at 9:30 PM, Dave Warren da...@hireahit.com wrote:

> I doubt it's a guy, but it wouldn't surprise me if the botnet that performs the dictionary attack forwards the results off to a guy to confirm that the account works.

no, really, it's a bot. They have tens of millions of compromised accounts, that they burn through on an hourly basis. There's no need to check anything, they just 'do' and what doesn't work doesn't cost them money, they move on to the next unit, and try again. i've no end of examples of stuff from live spam where the payload or redirect is broken due to take-down, I can't imagine they didn't check those, too. By bot.
Re: .pw / Palau URL domains in spam
On May 5, 2013, at 7:04 PM, John Hardin jhar...@impsec.org wrote:

> On Sun, 5 May 2013, Benny Pedersen wrote:
>
>> John Hardin skrev den 2013-05-05 22:44:
>>
>> abuse-alert on any domain is not rfc compliant
>
> Agreed.

Disagreed. So long as abuse@ is working, the domain is compliant with RFCs. There is nothing wrong with having an alternate address, particularly since abuse@ tends to garner a ton of spam.

Neil Schwartzman
Executive Director
CAUCE - the Coalition Against Unsolicited Commercial Email
Mob: (415) 361-0069
Skype: spamfighter666
SkypeIn: (303) 800-6345
Web: http://cauce.org
Twitter: @cauce
Re: .pw / Palau URL domains in spam
heh, i don't think 'don't ignore' is part of the RFC, but yeah.

On May 6, 2013, at 9:08 AM, John Hardin jhar...@impsec.org wrote:

> If there is a working abuse@ address that *isn't being ignored*, they're compliant.
Re: .pw / Palau URL domains in spam
On May 6, 2013, at 10:39 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On May 6, 2013, at 9:08 AM, John Hardin jhar...@impsec.org wrote:
>
>> If there is a working abuse@ address that *isn't being ignored*, they're compliant.
>
> On 06.05.13 09:55, Neil Schwartzman wrote:
>
>> heh, i don't think 'don't ignore' is part of the RFC, but yeah.
>
> well, if it clearly is not working, it's not compliant. if it's visibly ignored, trashed, dropped, it violates the RFC

At risk of being pedantic, but this is, after all an RFC discussion, where do you see that in 2142? So long as someone receives a report, there is no specification against ignoring it, visibly or not.

http://www.ietf.org/rfc/rfc2142.txt

> The purpose of this memo is to aggregate and specify the basic set of mailbox names which organizations need to support. Most organizations do not need to support the full set of mailbox names defined here, since not every organization will implement the all of the associated services. However, if a given service is offerred, (sic) then the associated mailbox name(es) must be supported, resulting in delivery to a recipient appropriate for the referenced service or role.
Re: NJABL is dead?
That would not be correct. NJABL is alive and kicking, and not all of their zones are replicated at Spamhaus. The XBL provides more than 'just' CBL + NJABL, BTW.

--
Neil Schwartzman
Senior Director, Security Strategy
Email Intelligence Group
Return Path Inc.
+1 (303) 999-3217
AIM: returnpathcanuk
http://www.returnpath.net/blog/received/

On 12/26/10 12:15 PM, Shawn Ort s...@infoquest.com wrote:

> Spamhaus's XBL incorporates the CBL and NJABL. The return code is what you would get from querying the XBL if the IP is on the NJABL. If there are problems with the NJABL, spamhaus might have some answers. If it's dead/useless it makes sense to me to not query it.
>
> From: Benny Pedersen [...@junc.org]
> Sent: Saturday, December 25, 2010 10:40 PM
> To: users@spamassassin.apache.org
> Subject: Re: NJABL is dead?
>
>> On søn 26 dec 2010 04:09:00 CET, Warren Togami Jr. wrote
>>
>>> For now I'm proposing only disabling NJABL in sa-update, since it is currently useless and not worth the extra network query.
>>
>> http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage
>>
>> for me it seems moved there ?
>>
>> zen 127.0.0.5
Re: NJABL is dead?
Yeah sorry, I was confused by the subject line which misled me to think the point was about whether or not NJABL is still a functioning DNSBL. Silly me.

--
Neil Schwartzman
Senior Director, Security Strategy
Email Intelligence Group
Return Path Inc.
+1 (303) 999-3217
AIM: returnpathcanuk
http://www.returnpath.net/blog/received/

From: Warren Togami Jr. wtog...@gmail.com
Date: Tue, 28 Dec 2010 13:14:45 -0700
To: Neil Schwartzman neil.schwartz...@returnpath.net, SA Users users@spamassassin.apache.org
Subject: Re: NJABL is dead?

> Folks here are missing the point, that NJABL is catching not much of anything, like less than 1% of spam, and with a relatively high FP ratio. I don't understand this desire to keep such a poor performing rule, especially when it costs a network query.
>
> Warren
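Both the NJABL thread above and the AHBL shutdown notice earlier on this page come down to the same operational question: is a DNSBL you still query actually alive, and has its zone been wildcarded so that every lookup returns "listed"? The following is an added example, not code from either thread or from any list operator, that applies the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must never be) to tell a live zone from a dead or wildcarded one. The resolver is injected so it runs offline; the zone names under dnsbl.example and their states are constructed and say nothing about any real list.

```python
"""DNSBL liveness check using the RFC 5782 test points.

Added example; not code from the AHBL notice or the NJABL thread. A list that
has shut down answers nothing for every query (from outside it just stops
catching anything), while a zone that has been wildcarded, as the AHBL notice
says its zones will be from 1 January 2015, answers "listed" for every query
and silently blocks all mail. RFC 5782 section 5 requires 127.0.0.2 to be
listed and 127.0.0.1 never to be, so the two failure modes can be told apart.
The resolver is injected so this runs offline; in production pass a function
that performs a real A lookup. Zone names under dnsbl.example are constructed.
"""


def reverse_ip(ip):
    """Reversed-octet label used for IPv4 DNSBL queries (a.b.c.d -> d.c.b.a)."""
    return ".".join(reversed(ip.split(".")))


def query_name(ip, zone):
    return f"{reverse_ip(ip)}.{zone}"


def check_dnsbl(zone, resolve):
    """Classify a zone as 'ok', 'dead' or 'wildcarded'.

    resolve(name) must return the list of A records for name, or [] on NXDOMAIN.
    """
    must_be_listed = resolve(query_name("127.0.0.2", zone))
    must_not_be_listed = resolve(query_name("127.0.0.1", zone))
    if must_not_be_listed:
        return "wildcarded"   # every lookup is "listed": stop querying immediately
    if not must_be_listed:
        return "dead"         # nothing is listed any more: drop it to save the query
    return "ok"


def usable_zones(zones, resolve):
    """Return only the zones that pass the health check, in the given order."""
    return [z for z in zones if check_dnsbl(z, resolve) == "ok"]


def is_listed(ip, zone, resolve):
    """Plain DNSBL lookup; returns the return codes (empty list = not listed)."""
    return resolve(query_name(ip, zone))


def make_fake_resolver(zone_state, listed_ips=()):
    """Constructed test double: zone_state maps zone -> 'ok' | 'dead' | 'wildcarded'.

    A live zone lists 127.0.0.2 plus any IP in listed_ips; a wildcarded zone
    lists everything; a dead zone lists nothing.
    """
    listed_labels = {reverse_ip(ip) for ip in listed_ips} | {reverse_ip("127.0.0.2")}

    def resolve(name):
        for zone, state in zone_state.items():
            if name.endswith("." + zone):
                label = name[: -len(zone) - 1]
                if state == "wildcarded":
                    return ["127.0.0.2"]
                if state == "ok" and label in listed_labels:
                    return ["127.0.0.2"]
                return []
        return []          # unknown zone: behaves like NXDOMAIN

    return resolve


# Constructed states for the example; no claim about any real list's status.
FAKE_STATE = {
    "live.dnsbl.example": "ok",
    "gone.dnsbl.example": "dead",
    "wild.dnsbl.example": "wildcarded",
}


if __name__ == "__main__":
    resolve = make_fake_resolver(FAKE_STATE, listed_ips=["198.51.100.7"])
    for zone in FAKE_STATE:
        print(zone, check_dnsbl(zone, resolve))
    print("usable:", usable_zones(list(FAKE_STATE), resolve))
```

Run the check on a schedule against every zone in your configuration; a zone that flips to "dead" is wasting a network query per message, and one that flips to "wildcarded" is rejecting all of your mail.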
Phishing Attack: An Open Letter to the Anti-Spam and Mailbox Operator Community By Matt Blumberg CEO Chairman, Return Path
I’m sure many of you are familiar with the targeted ESP phishing attack that has been ongoing for almost a year now and has led to multiple known ESP system breaches. Return Path was recently a victim of this same attack. So far, we have three blog posts on our client/marketer blog about this – you can read them here from November 24, November 25, and November 26.

http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-aimed-at-esps
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-update-on-esp-phishing-attack
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-update

In short, a relatively small list of our clients’ email addresses was taken from us, meaning those addresses are now the targets of the phishing campaign that are intended to compromise those client systems. To be sure, many of those addresses have been targets of this campaign and others like it for months prior to the attack on the Return Path system, since this campaign is specifically seeking out and attacking the email marketing and ESP community. But we are assuming, and behaving as if, any fresh campaigns are likely somehow linked to the data breach on our end.

Data was taken from us, and that security hole is now closed. However, some of our clients that are being attacked send mail from IP addresses that are Certified by Return Path. Since we jumped on this issue on the Wednesday before Thanksgiving, we have identified two sending system compromises of two of our clients. Our monitoring caught these compromises, and the compromised IPs have been removed from the Certified list.

As you might expect, investigating a data breach of this kind takes a tremendous amount of post-hoc forensic work, so it’s taken us a little while to get our arms around exactly what happened. That part isn’t particularly interesting.

Here’s what those two compromises looked like, what we’ve done about them, what we’re doing to monitor more aggressively for future compromises, and what we’d like to ask of you. [more]

http://www.returnpath.net/blog/received/2010/11/phishing-attack-an-open-letter-to-the-anti-spam-and-mailbox-operator-community/

--
Neil Schwartzman
Senior Director Security Strategy, Receiver Services
Tel: (303) 999-3217
AIM: returnpathcanuk
http://www.returnpath.net/blog/received/
Help the poor help themselves. Fund a small business with micro-loans at http://www.kiva.org/team/returnpath
Spamhaus Uncovers Fake DNSBL: nszones.com
Spamhaus has uncovered a fake spam filter company which was pirating and selling DNSBL data stolen from major anti-spam systems including Spamhaus, CBL and SURBL, republishing the stolen data under the name nszones.com.

more: http://www.spamhaus.org/organization/statement.lasso?ref=8

--
Neil Schwartzman
Senior Director Security Strategy, Receiver Services
Return Path Inc.
[303] 999-3217
Tweets: ReturnPathHelp
Re: users Digest 19 Mar 2010 11:56:42 -0000 Issue 3121
On 10-03-19 7:56 AM, users-digest-h...@spamassassin.apache.org wrote:

> editorial comment (why would you enter such things as this since neither facebook nor linkedin have any way to stop spamming you?.. no, they don't. all 500MM people on facebook or linkedin can spam you, and you have to remove them, or unsubscribe, one at a time, the linkedin 'never send me email' has never worked, so I locally blacklist them. now, I guess I will start to get their spam. /

Hi, LI are very proactive at shutting down abusive participants on their networks. They have some stringent limitations in how address-book uploads are undertaken and user accounts deployed.

> the linkedin 'never send me email' has never worked

If you have verifiable proof of this, feel free to send it to my attention offlist, and I will have someone here take it up with the company.

--
Neil Schwartzman
Senior Director Security Strategy, Receiver Services
Return Path Inc.
[303] 999-3217
Tweets: ReturnPathHelp
Re: OT: Q about habeas marks
On 09-09-03 10:45 AM, Michael Scheidell scheid...@secnap.net wrote:

> I think someone on this mailing list mentioned that habeas doesn't use, or endorse use of the old 'habeas' marks in email anymore, right? Would it be safe to assume that anyone using this in the headers is a spammer trying to get a free ride?

That would not be a safe assumption. We are currently in the process of having our customers (perhaps a dozen I know of) remove them from their sending infrastructures (not always a simple task). (I am BCCing in the account managers of two clients I know continue to use them.)

There are two sets of headers, those you mention below, and the old Haiku:

X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .

The smartest thing you can do is just ignore them both, and query the whitelist via DNS.

> (going to www.habaes.com/report/ brings up a 'this page has disappeared' page.

Sure, but why not go to the correct URL at http://www.habeas.com/report/ instead? ;-)

> so, a quick header check in the MTA would keep these even from being scanned by SA. and a rule like this should block any (if you don't do this in your mta). any 'legit' email still using these marks?
>
> header _LOCAL_PHONEY_HABEAS exists:x-habeas-report
> score _LOCAL_PHONEY_HABEAS 99
>
> x-accreditor:Habeas
> x-habeas-report:Please report use of this mark in spam to www.habeas.com/report/

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: OT: Q about habeas marks
On 09-09-03 11:20 AM, Michael Scheidell scheid...@secnap.net wrote:

>> Sure, but why not go to the correct URL at http://www.habeas.com/report/ instead?
>
> still brings up 'this page has disappeared'

Not for me. It redirects to http://seal.habeas.com/Company_Feedback.php

> ip: 174.143.89.6 using your marks illegally? was source in question.

That IP is on the Safe whitelist. Problem? You can check the status of any IP you wish at http://senderscore.org

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: OT: Q about habeas marks
Completely off-topic for SA; however, we are in the midst of taking down habeas.com and I expect this is a product of that work; I too just got a 404 response. If you wish to discuss this further, please ping me offlist.

On 09-09-03 11:50 AM, LuKreme krem...@kreme.com wrote:

>> Not for me. It redirects to http://seal.habeas.com/Company_Feedback.php
>
> Nope, not here. I get:
>
> This page has disappeared
> We are sorry, but the page you were looking for can't be found. Don't worry though, we will help get you to the right place. When in doubt -- goto the home page:

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Geniuses at expedia.com
The geniuses send their regards; they are a customer so I pinged them:

> Hi Neil,
>
> Thanks for the heads-up. I've forwarded the information to our corporate domain/smtp management folks.
>
> Sincerely,
> MUNGED
> Lead Operations Manager, EWW Database Marketing

On 06/08/09 9:23 AM, Joseph Brennan bren...@columbia.edu wrote:

>> Michael Scheidell scheid...@secnap.net wrote:
>> and did you ever hear of Y2K? can't you afford to send out two more digits in the year?
>>
>> date:31 Jul 09 10:13 -0800
>
> Do they really write date: instead of Date:? That violates RFC 2822.
>
> A space after : is shown in every example in 2822, but I don't see a requirement that it be there. It is extremely unusual not to see it.
>
> The two-digit year is obs-year, and MUST NOT be used to generate messages, but MUST be honored when interpreting messages.
>
> Hm. Is the Expedia server really in Alaska? I think that's the only place in timezone -0800 this time of year.
>
> Joseph Brennan
> Lead Email Systems Engineer
> Columbia University Information Technology

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Rules
On 27/07/09 6:35 AM, twofers twof...@yahoo.com wrote:

> Performing Cunnilringus -- An Art of Pleasure.www.onlyviagra net
>
> I thought a sex rule would have fired as well as something for pleasure.www.onlyviagra net
>
> This is pretty basic and straightforward, isn't it?

This is a tough row to ho, and I've not gone down this road in a while, but cunnilingus is misspelt, potentially leading to the lack of reaction. By your rules.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
The opinions contained herein are my personal stance and may not reflect the viewpoint of Return Path Inc.
Return Path Safe whitelist UPDATE [was: Opt In Spam]
On 16/07/09 11:39 AM, LuKreme krem...@kreme.com wrote:

>> * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
>> *      [66.59.8.161 listed in sa-accredit.habeas.com]
>
> If you search for HABEAS_ACCREDITED you will find that a LOT of admins either drop these scores to very low numbers, or actually set them slightly positive.

I'm not certain as to how a search such as you suggest would reveal any indication of this. Please explain.

> In my mailspool they are a spam indicator and I have them scored as such:
>
> score HABEAS_ACCREDITED_COI 1.0
> score HABEAS_ACCREDITED_SOI 1.5

I fully understand if you do/did not want to use our whitelist (keep reading, we've made a few changes); however, we have historically blocked lookups from people with this type of scoring when we became aware of such things. I think it is silly to be punitive, and more than a little naïve.

I have regularly posted here as to the work that we do, how we do it, and the challenges of migrating the poorly-kept legacy Habeas Safe whitelist to our systems. The migration work is ongoing, about 95% of the way there. However, the last 5% is non-trivial.

That said, from a more administrative side, here are some facts and figures that may interest you:

- In the past six months we have ended our relationship with 113 companies on Safe
- We have deleted at least 2.5K IPs associated with those companies
- We have added hundreds, if not 1,000 IPs from our Certified programme members, companies held to extremely exacting performance metrics, including complaint feeds from Hotmail, Yahoo!, and two anonymous webmail providers.

VALUE ADDS

We have actively begun compliance on Safe whitelist members for things like:

- spamtraps (from several sources to which Spamassassin does NOT have access)
- bounce-processing efficacy (again, something SA cannot do for you)
- Recursive DNS
- nameserver snowshoeing. We do not allow one NS/domain to avoid domain reputation
- WHOIS transparency - no proxy services
- disclosure of sign-ups, privacy policy present and reasonable

Future plans:

- Automation (including intra-day checks of DNSBLs, trap hits, and so on)
- re-jigging our programme metrics, standards and license agreement to be coherent (we are still labouring under legacy agreements in some cases)
- Overall programme/client/IP SA scoring for both our whitelist products, Safe and Certified, using our massive corpus (not to belittle Justin's rule scoring efforts, but he uses what he readily admits is a very small corpus). We have live data feeds from the world's largest receiving sites, we run FBLs for at least a dozen receivers, and we intend to make good use of this data. I don't know how long it will take until an SA score will become a compliance metric, or if it ever will; time will tell, but I am very excited to see what comes of this project.
- Continual client audits, especially of legacy Safe customers.

IOW, we take all this stuff very seriously, have committed resources both financial, development, and human to this end, and we greatly value our longstanding relationship with the Spamassassin user community.

So, bottom line: Zero-out our scoring? That is and will always be your right. Making it a positive spam sign?? Well, if you run a home system with no users, I suppose no damage done. If you are running SA in front of actual users at a business installation, I'd think it very brave to incur known false positives, and reject mail they potentially want, especially in this job market.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
The opinions contained herein are my personal stance and may not reflect the viewpoint of Return Path Inc.
Re: Opt In Spam
On 17/07/09 3:32 PM, rich...@buzzhost.co.uk wrote:

> I have (as usual) a different view. Being told how wonderful they were I thought it would be a blast to opt-in, then opt out again. On opting out I found I was mailed again by RP. So I blocked the range. They found another range and spammed me, I blocked it again. Tonight, they have done it again - I guess this is another 'fault with a hive serving the whitelists' or similar b/s. Opt out is opt out. It means I don't want you to keep finding new ranges to spam me about your services;
>
> From: Ryan Osborne ryan.osbo...@returnpath.net
> To: @buzzhost.co.uk
> Subject: Are you getting your email to the Inbox?
> Date: Fri, 17 Jul 2009 15:06:02 -0400 (20:06 BST)
> Mailer: Produced By Microsoft Exchange V6.5

I'm not certain who told you we here at Return Path are wonderful, but I do appreciate their input.

Now, please don't be silly, Richard. Your assertion that we encountered a block and then switched to a new IP netblock is preposterous. We have several ranges and mail streams.

You opted in and then opted out. OK, in what timeframe? Minutes? Hours? The proscribed 10-day CANSPAM limit? A couple of months?

I will ensure you are added to our suppression list and unsubbed from all lists, immediately. If our processes are broken, we want to know; I've BCCed our CPO in on this.

Thanks for the heads up.

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Opt In Spam
On 17/07/09 4:03 PM, Neil Schwartzman neil.schwartz...@returnpath.net wrote:

> Your assertion that we encountered a block and then switched to a new IP netblock is preposterous. We have several ranges and mail streams.
>
> You opted in and then opted out. OK, in what timeframe? Minutes? Hours? The proscribed 10-day CANSPAM limit? A couple of months?
>
> I will ensure you are added to our suppression list and unsubbed from all lists, immediately. If our processes are broken, we want to know; I've BCCed our CPO in on this.

Richard, I inquired internally, and here is what we understand to have happened.

You signed up for a Lunch and Learn. You were mailed the information in that regard. Apparently you were flagged in our systems as having attended the event. You also indicated you wanted a demo of our tools during your sign-up. A sales person, Ryan, followed up on the lead with a 1-to-1 email. He also tried to call the apparently erroneous telephone number you entered in the form.

We have verified the unsubscribe and suppressed your address. Let us know if there is anything else we can do to help.

Thanks again for bringing this to all our attention.

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Opt In Spam
On 16/07/09 7:38 AM, twofers twof...@yahoo.com wrote:

> And yet another SPAM from these opt-in guys. SINGLE opt-in (SOI). I believe this group are nothing but covert Spammers abusing a privilege afforded them.

Which group? E Z Publishing? They are neither covert, nor spammers. They are an ESP. As such, they certainly have their share of challenges, with regard to client vetting and list provenance. Complaints about them here, and elsewhere, are not going unnoticed, I can assure you; we have had a few sit-downs with them and it appears there is need for another. We do want to work with this client to better their practices, and will continue to do so, using the carrot and stick method of encouragement. We do have sticks of several lengths and weighting to apply if need be, of course. I've BCCed our principal contact at EZP to alert him to the problem.

> I receive these spams at two separate email addresses, both I use exclusively for my business, there is no way I'd use these addresses as an opt-in for anything. They are not personal emails and I'd never consider using them as opt-in for anything. I don't opt-in for anything ever to begin with anyway.

Understood. But here's where it gets weird ...

> X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on H67646.safesecureweb.com
> X-Spam-Level:
> X-Spam-Status: No, score=0.6 required=5.0 tests=HABEAS_ACCREDITED_SOI,
>   HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCAL_URI_NUMERIC_ENDING,MISSING_MID,
>   MPART_ALT_DIFF,SARE_UNSUB09 autolearn=no version=3.2.1
> X-Spam-Report:
>   * 0.0 MISSING_MID Missing Message-Id: header
>   * 1.3 SARE_UNSUB09 URI: SARE_UNSUB09
>   * 2.0 LOCAL_URI_NUMERIC_ENDING URI: Ends in a number of at least 4 digits
>   * 0.0 HTML_MESSAGE BODY: HTML included in message
>   * 1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
>   * 0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
>   * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
>   *      [66.59.8.161 listed in sa-accredit.habeas.com]
> Received: (qmail 17894 invoked from network); 15 Jul 2009 12:21:13 -0400
> Received: from mailengine.8lmediamail.com (66.59.8.161)

This IP is not currently on the Safe whitelist (formerly known as HABEAS_ACCREDITED_SOI). It was suspended some time ago. Now, I am aware that we recently changed the DNS hives serving up Safe (aka safelist aka Habeas) and I'm wondering if there is a glitch between SA and our lists. I don't know. I expect I need to take this up with the developer team, and bump it to someone else over here. I've also BCCed our contacts at SA for clarification.

>   by mail.jelsma.com with SMTP; 15 Jul 2009 12:21:12 -0400
> Received-SPF: pass (mail.jelsma.com: SPF record at mailengine.8lmediamail.com designates 66.59.8.161 as permitted sender)
> Received: by mailengine.8lmediamail.com (PowerMTA(TM) v3.2r23) id hbo0ve0eutci for embroid...@x.com; Wed, 15 Jul 2009 09:14:23 -0700 (envelope-from streamsendboun...@mailengine.8lmediamail.com)
> Content-Type: multipart/alternative; boundary=_--=_1073964459106330
> MIME-Version: 1.0
> X-Mailer: StreamSend - 23361
> X-Report-Abuse-At: ab...@streamsend.com
> X-Report-Abuse-Info: It is important to please include full email headers in the report
> X-Campaign-ID: 20812
> X-Streamsendid: 23361+362+1918562+20812+mailengine.8lmediamail.com
> Date: Wed, 15 Jul 2009 09:14:24 -0700
> From: Paul DiFrancesco: Eight Legged Media efly...@8lmediamail.com
> To: embroid...@x.com
> Subject: Visit with over 25 suppliers
>
> This is a multi-part message in MIME format.

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Opt In Spam
FOLLOW-UP: A process was hung on one of the 20 hives serving the whitelists and reported this IP as being listed. We've restarted the process and it is no longer reporting incorrectly.

On 16/07/09 8:05 AM, Neil Schwartzman neil.schwartz...@returnpath.net wrote:

> Now, I am aware that we recently changed the DNS hives serving up Safe (aka safelist aka Habeas) and I'm wondering if there is a glitch between SA and our lists. I don't know. I expect I need to take this up with the developer team, and bump it to someone else over here. I've also BCCed our contacts at SA for clarification

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Spam Filter Law Suit
On 15/07/09 4:11 PM, Justin Mason j...@jmason.org wrote:

> Hi Damian --
>
> Our first impression: somebody other than us is suing somebody other than us about a matter that may be entirely unrelated to anything we produce. Unless we have a specific reason to believe that a specific patent is likely to be enforced against either us or a downstream user (and, no, one generally can't glean that from the title) there is nothing we should do at this time.
>
> Sorry about that

For those slightly more interested than Justin, although I can't imagine why:

http://neilschwartzman.com//Neil_Schwartzman/shared/pat6952719.pdf
http://neilschwartzman.com//Neil_Schwartzman/shared/harris-complaint.pdf

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: Questionable Rule
On 08/07/09 6:05 AM, twofers twof...@yahoo.com wrote:

> I am writing some new local rules to my local.cf, so I am watching the headers of emails I receive and I notice this rule that appears in an obvious spam email:
>
> * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
>
> Subject: Value Product Offers from Admints and Zagabor
>
> Otherwise this email would have been tagged as spam:
>
> X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on x.x.com
> X-Spam-Level: **
> X-Spam-Status: No, score=2.5 required=5.0 tests=HABEAS_ACCREDITED_SOI,
>   HTML_IMAGE_RATIO_02,HTML_MESSAGE,LR_URI_NUMERIC_ENDING,MISSING_MID,
>   MPART_ALT_DIFF,MPART_ALT_DIFF_COUNT,SARE_UNSUB09 autolearn=no version=3.2.1
> X-Spam-Report:
>   * 0.0 MISSING_MID Missing Message-Id: header
>   * 1.3 SARE_UNSUB09 URI: SARE_UNSUB09
>   * 2.0 LR_URI_NUMERIC_ENDING URI: Ends in a number of at least 4 digits
>   * 0.0 HTML_MESSAGE BODY: HTML included in message
>   * 1.9 MPART_ALT_DIFF_COUNT BODY: HTML and text parts are different
>   * 1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
>   * 0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
>   * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
>   *      [66.59.8.161 listed in sa-accredit.habeas.com]
>
> I don't opt in for anything; opt-in emails to me are nothing but plain bogus spam. I don't want any of this kind of spam email and I absolutely do not ever ask for it.
>
> This comes from 'mailengine.8lmediamail.com (66.59.8.161)' and looks like an unsolicited bulk emailer to me by the email address.
>
> How did this UBE spammer get a score of -4.3 in the SA-Update rule sets? It makes me feel like the spamassassin rules have been infiltrated and compromised... If these guys are legit via sa-accredit.habeas.com, then I'm saying they are scamming and abusing, as well as spamming.

Ah, our good friends at E Z Publishing. They are an ESP; apparently one of the clients is being bad.

Please send me a complaint with FULL headers to habeas@abuse.net and I'll take care of this immediately, as will EZP.

Thanks for the heads up.

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
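The scoring dispute in this thread, and in the "Opt In Spam" and "Return Path Safe whitelist UPDATE" threads above, turns on one RBL rule pulling a message under the 5.0 threshold. The following script is an added example, not code from this list or from SpamAssassin: it parses the quoted X-Spam-Report lines (re-typed here as constructed input), recomputes the total with a rule rescored the way a local.cf "score RULE n" line would (for instance the "score HABEAS_ACCREDITED_SOI 1.5" quoted earlier), and builds the reversed-octet DNS name an operator would query to check a listing against the zone directly, which is the check the "hung hive" follow-up calls for. Rule names, scores, the IP and the zone come from the quoted headers; the function names are mine.

```python
"""Recompute a SpamAssassin verdict from a quoted X-Spam-Report, with rule overrides.

Added example; not SpamAssassin code. The input is the X-Spam-Report quoted in
the thread, re-typed here as a constructed string.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the per-rule lines SpamAssassin writes into X-Spam-Report.
SAMPLE_REPORT = """\
* 0.0 MISSING_MID Missing Message-Id: header
* 1.3 SARE_UNSUB09 URI: SARE_UNSUB09
* 2.0 LOCAL_URI_NUMERIC_ENDING URI: Ends in a number of at least 4 digits
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
* 0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
* -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
*      [66.59.8.161 listed in sa-accredit.habeas.com]
"""

# "* <score> <RULE_NAME> <description>"; the score is shown rounded to 0.1.
RULE_LINE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")
# "* [<ip> listed in <zone>]": the detail line an RBL rule appends under its hit.
LISTING_LINE = re.compile(r"^\*\s+\[(\d{1,3}(?:\.\d{1,3}){3}) listed in (\S+)\]")

Hit = Tuple[str, float, str]  # (rule name, displayed score, description)


def parse_report(report: str) -> List[Hit]:
    """Return one Hit per scored line; listing detail lines carry no score and are skipped."""
    hits: List[Hit] = []
    for raw in report.splitlines():
        m = RULE_LINE.match(raw.strip())
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3)))
    return hits


def parse_listings(report: str) -> List[Tuple[str, str]]:
    """Return (ip, zone) for each RBL listing detail line in the report."""
    found = []
    for raw in report.splitlines():
        m = LISTING_LINE.match(raw.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def total_score(hits: List[Hit], overrides: Optional[Dict[str, float]] = None) -> float:
    """Sum the displayed per-rule scores, substituting any local 'score RULE n' overrides.

    The result is rounded to one decimal because the inputs are themselves rounded,
    so it can differ by 0.1 from the score= field of X-Spam-Status (0.7 here vs 0.6 quoted).
    """
    overrides = overrides or {}
    return round(sum(overrides.get(rule, score) for rule, score, _ in hits), 1)


def verdict(hits: List[Hit], required: float = 5.0,
            overrides: Optional[Dict[str, float]] = None) -> Tuple[float, bool]:
    """Return (score, is_spam) using SpamAssassin's score >= required rule."""
    score = total_score(hits, overrides)
    return score, score >= required


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL or DNS whitelist lookup queries, e.g.
    66.59.8.161 in sa-accredit.habeas.com -> 161.8.59.66.sa-accredit.habeas.com,
    so the listing can be re-checked against the zone (and against more than one resolver)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("as delivered:", verdict(hits))
    print("whitelist hit zeroed out:", verdict(hits, overrides={"HABEAS_ACCREDITED_SOI": 0.0}))
    print("scored 1.5 as in the quoted local.cf:",
          verdict(hits, overrides={"HABEAS_ACCREDITED_SOI": 1.5}))
    for ip, zone in parse_listings(SAMPLE_REPORT):
        print("re-check with: dig +short", dnsbl_query_name(ip, zone))
```

Run against the quoted report, the message scores 0.7 as delivered, exactly 5.0 with the whitelist hit zeroed, and 6.5 with the admin's +1.5 override, which is the difference between "No" and a spam tag in that header.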
Re: Freelotto.com
On 03/07/09 3:32 PM, RobertH robe...@abbacomm.net wrote:

> or at least charge them a lot more for abusing your services ;-)

A long time ago, Bonded Sender charged per complaint. We don't operate that way; we have a declining percentage of acceptable complaint rates for each volume tier assigned to a customer (derived from totals to Hotmail/Yahoo!/Senderbase/two anonymous web-mail sources). The more they send, the more we charge. Ultimately, the services a Sender abuses aren't ours, but those of our receivers. Should they go over a given complaint rate, or fall afoul of our other metrics (posted here previously), the IP or Client is suspended.

> if you cannot be trusted to do a really good job, then MS is right and the rules pertaining to your customers email should be made positive or at least removed from SA

If we don't perform to your standards, zeroing them out is certainly within your right. Making them a positive sign given the totality of our client list would be, in my mind, silly. Unless you enjoy false positives.

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Re: constantcontact.com
On 05/07/09 1:56 PM, rich...@buzzhost.co.uk wrote:

> I don't dispute *YOU* don't know MP. I've got a gut feel there will be a connection there somewhere. Normally, when spammers are white listed, Perone has an interest or a friend some place.

I'm going to chalk this one up to the "Constant Contact paid Spamassassin money to whitelist them" category of inane assertions.

> Finally - and here is the thing I find a bit odd - if you really are from Constant Contact would you not be using one of their email addresses - or at least a server? After all, as you put it 'We are an ESP'.
>
>> sorry, I am on several private lists. Lists I have been on for 10 years through a few different employers. If I signed up for those lists with my @constantcontact.com address my employer would own that mail. I don't really think they'd read my mail, but I'm still not comfortable with that so I sign up for all lists (even the public ones like this) with my own personal domain. Its just my family domain, the website is nothing more than that.
>
> Well, I can only take you at face value that you are here representing Constant Contact. If I call up the office switchboard Tara, can I speak with you there? It's just I've called up Constant Contact and hit #9 for the directory and your name is not in there? Perhaps there is a misspelling or something?

Perhaps you can use this new thing called 'google' they have out, it is way kewl:

http://www.google.com/search?client=safari&rls=en-us&q=Tara+Natanson+%2B+constant+contact&ie=UTF-8&oe=UTF-8

--
Neil Schwartzman
Director, Certification Security Standards
Return Path Inc.
0142002038
Private whitelisting
qq: How would I get spamassassin to reference an internal list of IPs? (This would be all of our client IPs in either suspended or active states on our whitelists, to avoid denying access to our ticketing system from those clients with dnsbl listings.) I know how to aggregate the data, just want a clue offered as to how to call them from SA.

TIA

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Barracuda Blacklist
On 29/05/09 4:09 PM, Bob O'Brien bobr...@barracuda.com wrote:

> Neil,
>
> Based on our Requests for Removal filed over the past 3+ weeks from ReturnPath, the number of IPs that you are claiming to have had issues with appears inflated by a factor of nearly 50%.

Bob, I don't want to waste this group's time with your incorrect assertion (this is beginning to be VERY off-topic). I have data for each and every IP you listed and for which I requested a delisting. Happy to follow up with you offlist. Indeed, the Barracuda auto-acks only started coming in May 09, so perhaps the system was hosed in some manner and it missed recording everything I did between April 29 and May 08, for which we saw delistings the following days in any event.

> More importantly, I feel it is irresponsible to oversimplify a cleared listing as a false positive when speaking of *any* IP reputation system. Barracuda Reputation does not arbitrarily list hosts. Messages have passed through each host with characteristics indicative of spam.

I suggest Barracuda then work on the verbiage on the site and in the auto-acks. What you are saying does not jibe with what is indicated elsewhere. What you are saying ... makes more sense.

> Those listings would only have been cleared because someone contacted the BRBL team and requested their clearance - explicitly volunteering /some/ measure of responsibility for those hosts going forward. _Accepting_ your possibly-inflated numbers, the 409 IPs otherwise met the criteria for clearing, so they were cleared. Apparently 22 IPs did not, and those were not cleared.

Yup. And that's great.

Quick question though: You said that you work for emailreg.org, and have some limited input into the BRBL, I believe. It seems to me there is a greater relationship between emailreg.org and Barracuda than has been stated, given what appears to be intimate knowledge of my delisting requests. Can you clarify? Thanks.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re:
Oh, the irony.

On 29/05/09 9:26 AM, Doni Mediono Indrawan medi...@gmail.com wrote:

> Hi,
>
> How are you doing recently? I would like to introduce you a very good company which I know. Their website is esurfingonline.com They can offer you all kinds of electronic products Please take some time to have a check, They must have something you'd like to buy.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Barracuda Blacklist
On 29/05/09 9:32 AM, Andy Dorman ador...@ironicdesign.com wrote:

>> Neil Schwartzman wrote:
>> Given the huge amount of bumph I've seen and heard about emailreg.org, I figured it would be an interesting experiment to see if what everybody feared was happening was true. It isn't. No big extortion plan on the part of emailreg and Barracuda that I can see.
>
> Neil, I certainly respect what you are saying based on the information you have. However, I have a fact to toss out about emailreg.org.
>
> I run a small email filtering company with a small cluster of servers for load balancing and reliability. In early April I found I was unable to send email to a new customer. They were currently using the Barracuda Networks Reputation system and it was blocking my emails. I found this somewhat silly considering we receive over 500 million emails a month but rarely ever SEND email (we only filter incoming email so far). ie, our outgoing email is mostly just business correspondence and filter stats reports to our customers.
>
> And then I got to emailreg.org and found that:
>
> [...]
>
> Just wanted you to have ALL the facts when considering emailreg.org.

Hold up now. Why did you goto emailreg.org?? That is the whitelisting service. I'd go ahead and request a delist at http://www.barracudacentral.org/rbl/removal-request

Worked well for me.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Barracuda Blacklist
On 28/05/09 9:35 AM, Matt lm7...@gmail.com wrote:

> Is there a reason the Barracuda blacklist is not in the official checks by Spamassassin yet? I keep thinking sometime sa-update -D will add it but have yet to see it.

I would like to add some perspective to potential use of the BRBL.

Three weeks ago, I began requesting de-listings of any IP (active or suspended) on Certified that was listed on the Barracuda BRBL. When I started on April 29 there were 431 such IPs; as of today there are 22, of those there are 5 repeat listings.

Of interest is the verbiage Barracuda sends to listees, stating repeatedly that the IP is on a compromised host. I suspect this is incorrect as these IPs never had listings on other DNSBLs dealing with such issues, like the CBL. They also assert the mail is not 'CANSPAM compliant'. This would imply either using the Lashback DNSBL or similar service if such exists, or manual parsing of the payload. None of the listed IPs showed up on the Lashback list. I don't know what to make of this.

One aspect of note is their heavy reference during the delisting process to their pay-for-play whitelist, Emailreg.org (I signed up one of my domains at the service to see how it worked). They suggest that registration therein will help to avoid 'inadvertent' listings, but that does raise the question how a listing due to compromise or lack of CANSPAM compliance could ever be inadvertent. I certainly do not think we should ever suggest or recommend to clients to make use of the Emailreg.org service; it works on a per domain basis and this could become very expensive for large senders at $20/each. Also, it is not clear if domains and sub-domains are treated as equivalents.

-

Thank you for contacting Barracuda Networks regarding your issue. Your issue is important to us. We have assigned a confirmation number: BBR2124460-MUNGED to this case. We apologize for any inconvenience that this may have caused you.

Since this is your first request for this IP, the reputation of this IP address will be temporarily upgraded from poor for 48 hours *or* until we complete our investigation. When our investigation is complete, you will receive a decision via email. It may take up to 1 hour for the changes in the Barracuda Reputation System to propagate to all the Barracuda Spam Firewalls in the world.

There are a number of reasons your IP address may have been listed as poor, including:

1. The email server at this IP address contains a virus and has been sending out spam
2. The email server at this IP address may be configured incorrectly
3. The PC at this IP address may be infected with a virus or botnet software program
4. An individual in the organization at this IP address may have a PC infected with a virus or botnet program
5. This IP address may be a dynamic IP address which was previously utilized by a known spammer
6. The marketing department of a company at this IP address may be sending out bulk emails that do not comply with the CAN-SPAM Act
7. This IP address may have an insecure wireless network attached to it which could allow unknown users to use its network connection to send out bulk email
8. In some rare cases, your recipients' Barracuda Spam Firewall may be misconfigured

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
The opinions contained herein are my personal stance and may not reflect the viewpoint of Return Path Inc.
Re: Barracuda Blacklist
On 28/05/09 10:42 AM, Karsten Bräckelmann guent...@rudersport.de wrote:

> Yes, every list does have occasional FPs. So your point about those 22 listings is what exactly?

My point is the 409 false positives. Sorry if I was unclear or obtuse.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Barracuda Blacklist
On 28/05/09 3:09 PM, Karsten Bräckelmann guent...@rudersport.de wrote:

> I was merely arguing that not all blacklistings are necessarily bad, just because they happen to be listed in SSC (or any other whitelist for that matter), as I understood your post.

Re-reading what I wrote, I can't see where you got that impression. Please educate me as to how I could have written my post better. I said they were false positive because

- they were unique to the BRBL
- the reasoning presented behind the listings (compromised host/CANSPAM non-compliance) was not substantiated by listings on other established DNSBLs
- if there were a valid reason behind the listing, the removals would have been overturned, like, for instance, when you self-delist from the Sender Score DNSBL or CBL, and your host is still compromised.

> Maybe I should have uppercased all words like ONLY or SOLE like you, so you don't skip them.

Yes thanks, since apparently my linguistic skills aren't up to snuff. Damned that degree in English Literature from a second-rate university.

> (BTW, the term suspended is quite irritating in this context.)

I use the nomenclature we have been using for 3 years, developed without public consultation.

Enabled = on the whitelist
Suspended = removed from the whitelist, live in the client account
Disabled = removed from the client account

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
The opinions contained herein are my personal stance and may not reflect the viewpoint of Return Path Inc.
Re: Barracuda Blacklist
On 28/05/09 8:06 PM, J.D. Falk jdfalk-li...@cybernothing.org wrote:

> Karsten Bräckelmann wrote:
>> Enabled = on the whitelist
>> Suspended = removed from the whitelist, live in the client account
>> Disabled = removed from the client account
>
> Suspended on request by the client, suspended due to complaints pending investigation, or forcefully suspended due to abuse and violating the terms of accreditation?

Could be any of those. Or more. Suspended because of rDNS issues, suspended because the client hasn't used them in the past 30 days ...

I realize I owe this group a list of things we check. Stand by.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Return Path Certified metrics
What follows is a non-weighted list of things we check, some hourly, some daily, some quarterly, some on an ad hoc basis. Other stuff we check is confidential, but we check a LOT more than this, sometimes regularly, sometimes when our attention is drawn to a given issue.

SENDING ENTITY
Disclosure
Privacy
Consent
Header clarity (From:/Friendly From:)
WHOIS transparency
NS (recursive? Snowshoe?)

PERFORMANCE
Windows Live Sender Reputation Data
Hotmail Complaints
Yahoo Complaints
Anonymous ISP Complaints
Spamcop Complaints
Spamtrap hits
DNSBL presence

INFRASTRUCTURE
550s
Unsubscribe Functionality
FQ rDNS
SPF
DKIM
RFC Role account functionality
CBL
PBL
XBL
DROP
FBL Sign-up
Volume Sufficiency

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
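Two of the infrastructure items in the list above, FQ rDNS and DNSBL presence (CBL/XBL/PBL), are things any mail operator can script against their own sending IPs before a whitelist or a receiver does it for them. The block below is an added example of mine, not Return Path's tooling and not a description of how their checks are implemented: it builds the reversed-octet DNSBL query name, decodes the return codes Spamhaus publishes for the ZEN zone (127.0.0.2/3 SBL, 127.0.0.4 to 7 XBL, 127.0.0.10/11 PBL), and tests forward-confirmed rDNS. The resolver functions are injectable, so it runs offline against a constructed stub table using 192.0.2.x documentation addresses; the `assess` helper and the stub data are my own.

```python
import ipaddress
import socket

# Spamhaus ZEN return codes as published by Spamhaus. Anything outside this
# table (e.g. the 127.255.255.x error codes returned for queries via public
# resolvers or over the free-use limits) is reported as "unknown", not as a
# listing, so a misconfigured resolver cannot look like a blacklisting.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP-maintained)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}


def reverse_ip(ip):
    """209.92.22.130 -> 130.22.92.209; raises ValueError for non-IPv4 input."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """The A-record name a DNSBL client queries for `ip` in `zone`."""
    return "%s.%s" % (reverse_ip(ip), zone.rstrip("."))


def system_resolve(name):
    """Default forward resolver: all A records for name (socket.gaierror on NXDOMAIN)."""
    return socket.gethostbyname_ex(name)[2]


def system_reverse(ip):
    """Default PTR lookup: canonical name for ip (socket.herror when there is none)."""
    return socket.gethostbyaddr(ip)[0]


def dnsbl_lookup(ip, zone="zen.spamhaus.org", resolve=system_resolve):
    """Return the names of the lists `ip` is on in `zone`; [] means not listed."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:  # NXDOMAIN is the DNSBL way of saying "not listed"
        return []
    return [ZEN_CODES.get(a, "unknown code %s" % a) for a in answers]


def fcrdns(ip, reverse=system_reverse, forward=system_resolve):
    """Forward-confirmed rDNS. Returns (ptr_name, ok); ok is True only when the
    PTR name is fully qualified and one of its A records is the original IP."""
    try:
        name = reverse(ip)
    except socket.herror:
        return (None, False)
    if "." not in name.strip("."):  # bare label such as "localhost": not FQ
        return (name, False)
    try:
        return (name, ip in forward(name))
    except socket.gaierror:
        return (name, False)


def assess(ip, resolve=system_resolve, reverse=system_reverse):
    """One-shot summary of the two checks for a sending IP."""
    listed = dnsbl_lookup(ip, resolve=resolve)
    ptr, ok = fcrdns(ip, reverse=reverse, forward=resolve)
    return {"ip": ip, "dnsbl": listed, "rdns": ptr, "fcrdns": ok}


# --- constructed stub DNS data so the example runs offline (not real records) ---
STUB_A = {
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # XBL + PBL hit
    "mail.example.net": ["192.0.2.25"],
}
STUB_PTR = {"192.0.2.25": "mail.example.net", "192.0.2.7": "localhost"}


def stub_resolve(name):
    if name in STUB_A:
        return list(STUB_A[name])
    raise socket.gaierror(-2, "Name or service not known")


def stub_reverse(ip):
    if ip in STUB_PTR:
        return STUB_PTR[ip]
    raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.7"):
        print(assess(ip, resolve=stub_resolve, reverse=stub_reverse))
```

Run against real DNS by calling `assess(ip)` with the defaults; the stub arguments exist only so the logic can be exercised without network access. Note that a PBL hit on its own says the address is not expected to run an MTA, which is exactly the "dynamic IP" category the SORBS DUL discussion later in this archive turns on.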
Re: Barracuda Blacklist
On 28/05/09 8:19 PM, Karsten Bräckelmann guent...@rudersport.de wrote:

>> Could be any of those.
>
> Why does it matter? Suspended IPs aren't on the list. Thus there's little or no incentive to get em delisted from blacklists, no?

I don't understand your question. Incentive to whom? The client? Of course there is. Beyond their normal problems encountered due to such a listing, they can be suspended from the whitelist until the blacklisting is addressed. Which means they are paying us for a service they aren't able to avail themselves of. They thus have plenty of incentive to work out the issues and get things fixed.

Check the PDF table I sent earlier. You will see very few dnsbl hits for IPs on, and even off our lists. Do your own check. Query our lists and x-reference them to DNSBLs.

Depending upon the dnsbl, we may warn, or suspend, for a single IP hit. (we prioritized our DNSBL use plan by weight, with the input of some senders, the MAAWG technical advisory board, some receivers (large ISPs)). The approach is published at support.senderscorecertified.com (this site might be down at the moment).

Chronic DNSBL listings, or those affecting large proportions of a client IP space, or repeated offenses earn a client a trip to the woodshed, and if that doesn't get them to correct their errant ways, we invite them to no longer darken our door. It isn't worth it to them, nor to us.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Barracuda Blacklist
On 28/05/09 9:03 PM, Karsten Bräckelmann guent...@rudersport.de wrote:

> Incentive for you, to get em delisted from BRBL. The funky question is, is BRBL part of your weighted blacklist metric?

BRBL was and is in test mode for possible use against our whitelists. Given the huge amount of bumph I've seen and heard about emailreg.org, I figured it would be an interesting experiment to see if what everybody feared was happening was true. It isn't. No big extortion plan on the part of emailreg and Barracuda that I can see. Fact is, while I think the reasons behind the initial listings are suspect, or misguided, or wrong, there is ZERO evidence I've seen or experienced that you need to pay emailreg.org to get delisted or stay delisted which is precisely as it should be.

My incentive was that, and some early-morning OCD. This is the only time I have ever delisted a client IP, and there are a raft of DNSBL operators to back me up on that one. Our clients get listed, I want to know why, but I never ever ever ask for delistings. Ever. Why would I?

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Got dead domains that get a lot of spam?
I think it would be a very good idea to define 'dead' before setting or accepting such a domain. I hope dead = 'has bounced 550 5.1.1 for at least a year to all attempts to previously valid addresses', otherwise, for all intents and purposes, especially this one, "I'm not dead yet".

On 19/05/09 8:59 AM, Marc Perkel m...@perkel.com wrote:

> Looking for people with dead domains that still get a lot of spam, especially spambot spam. I'm trying to get more spambot data for our hostkarma spam list. If you have such a domain that you aren't using can you set the MX to tarbaby.junkemailfilter.com. It will help stop spammers at the source.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Got dead domains that get a lot of spam?
On 19/05/09 10:55 AM, Marc Perkel m...@perkel.com wrote:

> That's not how I would define dead. Our system can tell the difference between a good email sent to a dead domain and a spambot. Our definition is any domain that has no current legitimate email.

Good for you! You are one up on the CBL, then, who have had some false positives that I personally know of; nice to see you are entirely, 100% free of error. And also nice to see you bucking conventional wisdom from DNSBL operators on what constitutes a dead domain. I'm with you. Fly in the face of experience, strike out in wildly new directions. ;-)

Ok seriously, why take a chance? There tends to be coherence between the OED and American Heritage in terms of definitions. Why try to start a new one for dead domain?

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Phishing
On 24/04/09 11:44 PM, it was written:

> Most people do not fall for it, but the dumbest ones do fall for it.

This is not a question of intellect, it is a question of the verisimilitude of the messaging.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Spam Rats - does anyone know them?
On 09/04/09 2:35 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> That's the question. I do not object against listing of a spammer, but dynamic? naming convention? Will they block host if it spams, if it sends mail from gmail com and the hostname is qw-out-1920.google.com which looks like their upstream provider? OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.

Well there certainly has been some discussion on the MAAWG senders' list about naming conventions and clarity or rDNS resolution HELO, and so on and it is something *we* recommend to our certified and safelisted clients (beyond FQ rDNS which is a requirement), but blocking on something that is far far far from an industry standard? I'd suggest that is silly at best, but do tell us how that works out for you as the phrase goes.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Spam Rats - does anyone know them?
BWA HAHAHAHA

Someone here isn't just using SA. Got a bounce saying I said a bad word. For the record, it wasn't me.

> Microsoft Antigen for SMTP found a message matching a filter. The message is currently Purged.
> Message: Re_ Spam Rats _ does anyone know them_
> Filter name: KEYWORD= profanity: bitch;sexual discrimination: bitch
> Sent from: Neil Schwartzman
> Folder: SMTP Messages\Inbound
> Location: psp/TRACYSV05

On 09/04/09 3:55 PM, Neil Schwartzman neil.schwartz...@returnpath.net wrote:

> On 09/04/09 2:35 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>
>> That's the question. I do not object against listing of a spammer, but dynamic? naming convention? Will they block host if it spams, if it sends mail from gmail com and the hostname is qw-out-1920.google.com which looks like their upstream provider? OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.
>
> Well there certainly has been some discussion on the MAAWG senders' list about naming conventions and clarity or rDNS resolution HELO, and so on and it is something *we* recommend to our certified and safelisted clients (beyond FQ rDNS which is a requirement), but blocking on something that is far far far from an industry standard? I'd suggest that is silly at best, but do tell us how that works out for you as the phrase goes.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Spam Rats - does anyone know them?
On 09/04/09 4:06 PM, McDonald, Dan dan.mcdon...@austinenergy.com wrote:

> I won't block on it alone, but if someone wants a whitelist entry, they have to have rDNS correct. And preferably an SPF or DKIM policy

Well, a Sender ID-compliant SPF record has long been a requirement for our Certified and Safelist whitelists, and we are rolling out DKIM as a requirement sometime this year.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
On 06/04/09 10:53 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On 04.04.09 16:30, Neil Schwartzman wrote:
>> On 04/04/09 4:22 PM, RobertH robe...@abbacomm.net wrote:
>>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [209.92.22.130 listed in dnsbl.sorbs.net]
>>
>> That would be incorrect. The IP is static, not dynamic.
>
> It apparently was dynamic in 2005 when it got listed. seems nobody asked for delist yet.

Maybe they don't have the $25 or something ;-)

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
On 05/04/09 7:28 AM, mouss mo...@ml.netoyen.net wrote:

> personally, i say spam metoo. take a look at their web sites:
> http://www.rodale.com
> http://www.prevention.com
> http://www.menshealth.com
> http://www.biggestloserclub.com
> lose what? (on the other hand, runningtimes.com and runnersworld.com may be legit).

Consent, not content (well, mostly), mouss. As unlikely as it sounds to you and me, people *do* sign up for this stuff. Anyway, quite offtopic to this discussion group.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
On 04/04/09 11:31 AM, RobertH robe...@abbacomm.net wrote:

> greetings... i am working at re-learning and applying SA fine tuning. in doing so, i have come across some real life SA scoring anomalies. it is interesting because one public reputation service rule offering says to score positive, i.e. spammy, spam, or blacklist, and another public reputation service says the opposite, i.e. negative score aka ham, hammy, or whitelist. eyebrow raising to say the least... ;-)

Well, we (they) all have different views of the reality out there. I just ran a bunch of checks on some client IPs, they all were poor-to-good (never above 75 on our system, but our site did indicate a very high risk factor for the one IP I saw score a 75 ... Gotta talk to our developers about that). on our system, but there were certainly variances from us to SenderBase and Borderware's offerings. All depends on who sees what, when. IMO, the reputation should have all been poor across the board, BTW.

> has anyone developed a basic script they can share that goes through and checks rule scoring logs email by email and looks for when specific types of rules (whitelist / blacklist or other reputation rules) should be in agreement, yet oppose each other? i realize that it is time sensitive on some types of rules yet this is reputation based on actual domain name and ip address

Yes please. I'd love to see something like that.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
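The script RobertH asks for above, one that walks the SpamAssassin scoring log message by message and flags cases where a reputation blacklist rule and a reputation whitelist rule both fired, can be built from the spamd log alone. The block below is an added example of mine, not code from RobertH, from Neil or from the SpamAssassin project: it parses the `spamd: result:` line format, sorts rule names by prefix into whitelist-type and blacklist-type reputation rules (the prefix tables are my assumption, built from stock 3.2-era rule names, and should be extended with any local rules), and counts which rule pairs contradict each other so the recurring pairs stand out for re-weighting or reporting. The log excerpt is constructed, including its message-ids.

```python
import re
from collections import Counter, namedtuple

# Rule-name prefixes assumed (from SpamAssassin's stock 3.2.x rule set) to
# express a sender-reputation opinion. Add local rules to these tuples.
WHITELIST_PREFIXES = ("HABEAS_", "RCVD_IN_BSP_", "RCVD_IN_DNSWL_", "RCVD_IN_IADB_")
BLACKLIST_PREFIXES = ("RCVD_IN_SORBS_", "RCVD_IN_XBL", "RCVD_IN_PBL", "RCVD_IN_SBL",
                      "RCVD_IN_PSBL", "URIBL_")

# spamd's per-message result line:
#   "spamd: result: <Y|.> <score> - <rule,rule,...> scantime=...,mid=<...>,..."
SPAMD_RESULT = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+) (?P<kv>.*)$")

Disagreement = namedtuple("Disagreement", "mid score whitelist blacklist")


def parse_result_line(line):
    """Parse one spamd result line into a dict, or None for any other log line."""
    m = SPAMD_RESULT.search(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split(",") if "=" in p)
    return {
        "verdict": m.group("verdict"),          # Y = spam, . = ham
        "score": int(m.group("score")),
        "tests": m.group("tests").split(","),
        "mid": kv.get("mid", "(unknown)"),
    }


def classify(tests):
    """Split the rules that hit into (whitelist-type, blacklist-type) reputation rules."""
    wl = sorted(t for t in tests if t.startswith(WHITELIST_PREFIXES))
    bl = sorted(t for t in tests if t.startswith(BLACKLIST_PREFIXES))
    return wl, bl


def find_disagreements(lines):
    """Messages where at least one rule from each reputation camp fired."""
    out = []
    for line in lines:
        rec = parse_result_line(line)
        if rec is None:
            continue
        wl, bl = classify(rec["tests"])
        if wl and bl:
            out.append(Disagreement(rec["mid"], rec["score"], wl, bl))
    return out


def pair_counts(disagreements):
    """How often each (whitelist rule, blacklist rule) pair contradicts itself."""
    c = Counter()
    for d in disagreements:
        for w in d.whitelist:
            for b in d.blacklist:
                c[(w, b)] += 1
    return c


# Constructed spamd log excerpt (not real traffic); hosts and message-ids are made up.
SAMPLE_LOG = """\
Apr  4 11:02:17 mx spamd[2211]: spamd: result: . 1 - HABEAS_ACCREDITED_COI,HTML_MESSAGE,RCVD_IN_SORBS_DUL scantime=1.3,size=5120,user=rob,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40311,mid=<a1@example.net>,autolearn=no
Apr  4 11:02:19 mx spamd[2211]: spamd: result: Y 12 - HTML_MESSAGE,RCVD_IN_XBL,URIBL_BLACK scantime=0.9,size=2300,user=rob,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40312,mid=<b2@example.net>,autolearn=spam
Apr  4 11:02:22 mx spamd[2211]: spamd: result: . -7 - HTML_MESSAGE,RCVD_IN_BSP_TRUSTED scantime=1.1,size=8000,user=rob,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40313,mid=<c3@example.net>,autolearn=ham
Apr  4 11:02:25 mx spamd[2211]: connection from localhost [127.0.0.1] at port 40314
"""

if __name__ == "__main__":
    found = find_disagreements(SAMPLE_LOG.splitlines())
    for d in found:
        print("%s score=%d whitelist=%s blacklist=%s" % (d.mid, d.score, d.whitelist, d.blacklist))
    for (w, b), n in pair_counts(found).most_common():
        print("%s vs %s: %d" % (w, b, n))
```

Point it at a real log with `find_disagreements(open("/var/log/mail.log"))`; only the `spamd: result:` lines are consumed, everything else is skipped. Because DNSBL and whitelist answers change over time, the message-id is kept in each result so a disputed message can be re-scored later with `spamassassin -t` rather than judged from the stale log entry alone.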
Re: simple script idea for checking reputation disagreement
On 04/04/09 12:00 PM, Michael Scheidell scheid...@secnap.net wrote:

> one company has a list of 'COI' (supposed to be confirmed opt in). they have begun a process (see the wiki) of canceling client who claimed COI but obviously didn't. that 'reputation' score has more to do with contract ($$) than actual real time data.

Can you give me more of a hint than see the wiki, like a URL? If that is us (Safelist née Habeas Safelist) I'd sure like to know how anyone has an impression of $$ = rep score. I could disprove that easily and empirically. There are plenty of people who pay us a whole lotta money with lousy rep. scores. Ergo them paying us a whole lotta money, so we can tell them which of their lousy practices to fix. And no, we don't put a downtick on the rep score to drive business either. Don't need to. There's enough senders in the world who actually do need help, we don't need to create business. Thanks.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
On 04/04/09 4:22 PM, RobertH robe...@abbacomm.net wrote:

> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [209.92.22.130 listed in dnsbl.sorbs.net]

That would be incorrect. The IP is static, not dynamic.

whois://209.92.22@whois.arin.net

PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1) 209.92.0.0 - 209.92.255.255
Rodale Inc. RODALE-430488 (NET-209-92-22-0-1) 209.92.22.0 - 209.92.23.255

# ARIN WHOIS database, last updated 2009-04-03 19:10

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: How long does it take to install SA?
On 26/03/09 10:29 PM, Matt Kettler mkettler...@verizon.net wrote:

> Neil Schwartzman wrote:
>> Say one is using Postfix and needs SA in front of ~15 aliases. How long should this take?
>
> That depends mostly on how you want to integrate SA into postfix. Installing SA itself should take about an hour if you've never done it before. Most of that will be reading the INSTALL file :-) Once you've done it before, installing SA itself is only 2-3 minutes.

Thanks a ton Matt. Someone else asked for more details offlist. Single-user, vanilla install with two exceptions: the install will check our two whitelists and give a pass (-100) to any of our clients so we don't bounce their mail.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
How long does it take to install SA?
Say one is using Postfix and needs SA in front of ~15 aliases. How long should this take?

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: HABEAS_ACCREDITED_COI
On 17/03/09 5:08 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> I still think it's much better to report them to habeas for spamming... COI means confirmed opt-in. If you did subscribe, it is NOT spam whether you want it or not. Isn't it good to have someone who will sue spammers?

Matus, Habeas had not used that paradigm since the end of 2003. Clients pay to become programme members, and we hold them to various standards: Infrastructural, Performance, and Privacy Policy

On 17/03/09 5:37 AM, Aaron Wolfe aawo...@gmail.com wrote:

> Besides the questionable way some marketers use COI (or, the way users don't seem to like getting what they asked for, depending on your viewpoint), the specific problem with the Habeas rules in SA is that the high scores sort of assume Habeas is correct about a message being COI etc, when in fact Habeas is often wrong.

Habeas no longer exists. Return Path purchased their assets in August, which then began a gargantuan effort to migrate the various services onto our systems.

As to performance of Safelist, I have said here repeatedly if you are dissatisfied with the performance, by all means downgrade the score, and by all means **REPORT THE ISSUE** (and keep your eye on the SA scoring, once we have improved, please give us a fair shake to get back into good standing with you!!). We take these things very seriously by suspending and firing clients, as we do with our Certified list. My team's job is to parse out problem clients, and deal with them.

I disagree with Safelist being often wrong. According to our volume measurements at Senderbase, and two anonymous webmail services, there were 289,652,703 mails that went over Safelisted IPs in the last 30 days (this figure is very understated due to some technical issues on our end we aren't seeing everything from a volume standpoint). Since February 17, we have received less than 20 complaints.

> The scores are just too trusting. Reporting a message is fine but it's not better than preventing the spam in the first place, is it? Best to tune the rules down and also report mistakes.

Agreed.

Now, as to the specifics of Ning.com: Like every other social network (we certify all the majors), Ning is now on the 419ers' RADAR. They are slipping in and suffering the problems spammers bring. They are both proactive, and in my opinion, rapidly reactive to problems brought to their attention. If you spot spam coming off their systems, send it to ab...@ning.com and copy us in at the address listed on the wiki. We want to hear about it, and we want to help Ning put a stop to this nonsense.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: HABEAS_ACCREDITED_COI
On 17/03/09 6:41 AM, LuKreme krem...@kreme.com wrote:

> On 17-Mar-2009, at 03:08, Matus UHLAR - fantomas wrote:
>> I still think it's much better to report them to habeas for spamming...
>
> Why? My time is valuable, and I don't have any interest in being an unpaid volunteer for a commercial service.

Well, to each his own. I have spent a lot of time reporting spam in my life, (probably too much), in actual fact. My thinking in reporting spam to DNSBLs (I am or was in the top 10 reporters at Phishtank URIBL, high on the board at Netcraft, and have an ROKSO listing based upon the data I provided), accreditation services, and the spammers hosting is that it makes life more difficult for the bad guys. If you don't want to help us, that's fine, but helping the email ecosystem is always a good thing.

> If they want their service to be of any value, they need to be far more vigilant. As it stands now, habeas is a pretty reliable spam indicator.

Habeas cannot be more vigilant since they do not exist, Return Path has begun to, and will be. Once the Safelist IPs are migrated to our systems, and we have pressed down on obvious things (I have done some preliminary work with the legacy systems but they are not set up to do programme compliance and the work is extremely laborious and inaccurate to a degree), we will begin a process of auditing the whole lot of them, as well as our existing certified customers. That's about 800 of them.

These are not placating platitudes; again, we take this seriously. Without our receiving partners, our product becomes valueless. This is a point recognized and acknowledged all the way to the top of the company, and unlike Habeas, I do not report to Sales. That's not how we roll.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: HABEAS_ACCREDITED_COI
On 17/03/09 6:59 AM, John Hardin jhar...@impsec.org wrote:

> A question if I may, Neil: does returnpath run any spamtraps to see whether your clients are indeed violating your terms? Having few complaints is not necessarily a good metric given the number of people who will simply curse you and hit [DELETE] rather than reporting the problem.

We do. We have reporting from four well-known and extensive spamtrap networks. One I can mention publicly is Ironport's Spamcop network. Frankly, I have not yet had a chance to move on anything but the worst IPs hitting traps.

I think what would be helpful here is for us to list what we check. I'll try to post that later in the day.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: ReturnPath, Habeas, BondedSender
I wanted to follow up on this thread with a word of thanks to both the Spamassassin developer and user communities for the input, and for their years of hard work into SA.

I'm hopefully not being obsequious here, what many of you may not know is that I wrote and helped publish the first spam filtering procmail recipes on the net, back in my days at Concordia University, and have been fighting spam since 94-95. And so, when it came time to take on the task of Habeas Safelist compliance the very first problem I had to contend with was spam, inbound to our ticketing system, rendering the email stream almost illegible. It was perhaps extra-offensive given my long years in this business.

Happily, a deployment of, you guessed it, Spamassassin has attenuated 500 spam/day down to 10. So thanks to all of you for making my next daunting task a whole lot easier. We are now receiving complaints, both loud AND clear.

--
Neil Schwartzman
Director, Accreditation Standards Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038
Re: ReturnPath, Habeas, BondedSender
On 01/03/09 7:58 PM, Michael Scheidell scheid...@secnap.net wrote:

> And why is this original email supposed to be a high priority? Must be a marketing person posting it.

Hah. Marketing. Yeah right. That's what it says in my sig. Oh, no wait ...

I believe the reason the email was highest priority is because I responded to the original thread post, and my MUA retained the original priority. Either that or my MUA is hosed, because I never touch the priority.

On 01/03/09 7:55 PM, Michael Scheidell scheid...@secnap.net wrote:

> Thanks.. Last time I tried via your web site, I had a salesperson call me trying to convince me I should pay return path to 'bless' my marketing emails.

Which website? Habeas.com? ReturnPath.net? SenderScoreCertified.com? SenderScore.org?

--
Neil Schwartzman
Director, Accreditation Standards Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038
Re: ReturnPath, Habeas, BondedSender
On 01/03/09 7:55 PM, Michael Scheidell scheid...@secnap.net wrote:

> Good first step, how, about an RFC compliant abuse@ address? So you can complain about any errant returnpath.net emails?

That has always been in place. It would be inappropriate to complain about certified client emails to our role accounts, ergo the specific addresses for such purposes.

--
Neil Schwartzman
Director, Accreditation Standards Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038
Re: ReturnPath, Habeas, BondedSender
On 01/03/09 7:55 PM, Michael Scheidell scheid...@secnap.net wrote:

> Last time I tried via your web site, I had a salesperson call me trying to convince me I should pay return path to 'bless' my marketing emails.

BTW: I trust you pointed out the error of his ways. If this ever happens again, get the person's name and write to me directly. Using the purpose-built addresses will go direct to our compliance queue and avoid any possibility of such nonsense.

--
Neil Schwartzman
Director, Accreditation Standards Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038
ReturnPath, Habeas, BondedSender
We have created an entry on the Spamassassin wiki

http://wiki.apache.org/spamassassin/ReportingSpam

--
Neil Schwartzman
Director, Accreditation Standards Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038
Re: more habeas spam
On 2009-01-06 22:19:39 GMT LuKreme kremels at kreme.com wrote:

> If you want the real history of Habeas in a nutshell, the company went to hell when Anne Mitchell left (the same Anne Mitchell who was part of MAPS back in the day). She's now at the Institute for Spam and Internet Public Policy http://www.isipp.com/about.php. What habeas became after she left was something quite different from what it had been under her stewardship.

Hi there. I was there too! (Habeas employee #3). Habeas is no more, we (Return Path) bought them last August.

http://www.returnpath.net/blog/2008/08/return-path-to-acquire-habeas.php

To address a couple of issues raised here ...

We have only just begun doing compliance work on Safelist. SA scoring is, of course, your server, your SpamAssassin rules. I can't speak to what went on in the past but it is a new day for Habeas clients. We will be applying programme standards compliance in the same firm, even-handed manner as we do Sender Score Certified. If you are presently dissatisfied with the standardized scoring and have re-weighted, please consider keeping an eye on our performance via the QA tests Justin made note of, and your own views.

As to the complaint submission issues noted here are concerned, the best point of contact moving forward for SA users would be sa-ab...@senderscorecertified.com (please don't use my personal address as I travel frequently, and our Standards team see stuff sent to this alias in our ticketing queue). Please be sure to make note of the issue being Safelist or Sender Score Certified, preferably in the subject line. We acknowledge that there may be some suboptimal hotspots, and we welcome any data points you can provide.

I do want to let you know that given the immense amount of work ahead of us, (we are working towards systems integration which is a non-trivial task, along with getting up to speed on existing clients and issues), responses and actions taken may require a longer turn-around time than is our intended end-point. What I can say is that we have a proven track-record (BondedSender - Sender Score Certified) and so your patience and help during this transition period is much appreciated.

--
Neil Schwartzman
Director, Accreditation Standards Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038