Re: Bizarre and seemingly pointless spams

2013-06-04 Thread David F. Skoll
On Tue, 04 Jun 2013 00:23:33 +0200
Axb axb.li...@gmail.com wrote:

 Dave sells boxes - if a client needs more resources, Dave will
 happily sell him more boxes .-)

:)  Actually, we don't sell boxes.  We sell ISO images.

Anyway, the cost of hardware is relatively cheap and it's a one-time
cost (or maybe a once-every-five-years cost).  RBL subscriptions are annual
and quite expensive, IMO.

Regards,

David.



Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

David B Funk wrote on 2013-06-03 21:34:


Why not just block connections from infected PCs?


PBL is not infected; it's Spamhaus dynamic IPs that do not send mail
direct to MX. This list is split into 2: one of them is ISP managed,
and the other is Spamhaus managed. Whether or not the content is virus
or spam is undefined.


but remember David likes to CanIT :=)

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

David B Funk wrote on 2013-06-03 23:02:

Maybe the lack of Received: headers could be used as the basis for an 
SA rule.
How many legit MTAs are there that don't add Received: headers? 
Hopefully none.


IMHO all MTAs add at least one last Received header; this part can't be
abused by spammers, but there are badly written milters that don't see
client IPs. This might not be the MTA's fault, but mostly it is.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

Dave Warren wrote on 2013-06-03 23:45:


Unless you run submitted outbound mail through SpamAssassin, in which
case you could expect a VERY high false positive rate. While
SpamAssassin isn't fantastic for this particular role, it can help you
catch compromised accounts/systems before they spew too much.


If outbound is spam, it's spam; if outbound is ham, learn it as ham. It will
benefit on content wanted back, but maybe I am the only one who sees it
so?



You could probably mitigate this with one of the trusted type lists
that SpamAssassin uses though, if the rule were well written.


It's basically the same as the postfix script for what email address is sent to,
that skips sender blocking on return; just here it's Bayes not knowing
which senders are ham learned, since it does not see it.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

John Hardin wrote on 2013-06-04 00:22:


Suggestions for likely combinations are welcome, but at this time the
masscheck corpora only show less than 5% direct-to-MX spam vs. 20%
ham. Whether that's an indication that spambots are in a lull or the
corpora doesn't represent actual spam reality well is unclear.


Well, I don't like to start a war, but most sender IPs do not have an MX
that accepts mail back to the same IP; postfix reject_unverified_sender
is a good test to see bots that think it works :)


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Matus UHLAR - fantomas

John Hardin wrote on 2013-06-04 00:22:


Suggestions for likely combinations are welcome, but at this time the
masscheck corpora only show less than 5% direct-to-MX spam vs. 20%
ham. Whether that's an indication that spambots are in a lull or the
corpora doesn't represent actual spam reality well is unclear.


On 04.06.13 13:34, Benny Pedersen wrote:
Well, I don't like to start a war, but most sender IPs do not have an
MX that accepts mail back to the same IP; postfix
reject_unverified_sender is a good test to see bots that think it
works :)


note that many servers consider sender address verification as abuse.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Two words: Windows survives. - Craig Mundie, Microsoft senior strategist
So does syphillis. Good thing we have penicillin. - Matthew Alton


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Matus UHLAR - fantomas

David B Funk wrote on 2013-06-03 23:02:
Maybe the lack of Received: headers could be used as the basis for 
an SA rule.
How many legit MTAs are there that don't add Received: headers? 
Hopefully none.


On 04.06.13 13:26, Benny Pedersen wrote:
IMHO all MTAs add at least one last Received header; this part can't be
abused by spammers, but there are badly written milters that don't see
client IPs. This might not be the MTA's fault, but mostly it is.


some do but after milters are checked. That's why e.g. sa-milter must fake
Received: headers when passing the mail to spamassassin.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2013-06-04 15:19:


note that many servers consider sender address verification as abuse.


If they do, feel free to block it; no recipient will see a problem doing
so.


Note that I do an SPF test before sender address verification; that way I
keep it low abuse, if you like that word.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Sender address verification (was Re: Bizarre and seemingly pointless spams)

2013-06-04 Thread David F. Skoll
On Tue, 04 Jun 2013 15:32:17 +0200
Benny Pedersen m...@junc.eu wrote:

 Matus UHLAR - fantomas wrote on 2013-06-04 15:19:

  note that many servers consider sender address verification as
  abuse.

 Note that I do an SPF test before sender address verification; that way
 I keep it low abuse, if you like that word.

Even so, sender address verification won't work against the majority
of Microsoft Exchange servers: 
http://david.skoll.ca/blog/2010-12-29-microsoft-dumbness.html

Regards,

David.



Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2013-06-04 15:20:

some do but after milters are checked. That's why e.g. sa-milter must fake
Received: headers when passing the mail to spamassassin.


Basically yes, but why not test client IP RBL in the MTA stage? sa-milter
is one milter that is basically broken; it just contains a workaround.
spampd does not need any workaround.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Sender address verification (was Re: Bizarre and seemingly pointless spams)

2013-06-04 Thread Benny Pedersen

David F. Skoll wrote on 2013-06-04 15:34:

On Tue, 04 Jun 2013 15:32:17 +0200
Benny Pedersen m...@junc.eu wrote:


Matus UHLAR - fantomas wrote on 2013-06-04 15:19:



 note that many servers consider sender address verification as
 abuse.



Note that I do an SPF test before sender address verification; that way
I keep it low abuse, if you like that word.


Even so, sender address verification won't work against the majority
of Microsoft Exchange servers:
http://david.skoll.ca/blog/2010-12-29-microsoft-dumbness.html


https://dmarcian.com/spf-survey/microsoft.com

one day it works :)



Regards,

David.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas wrote on 2013-06-04 15:20:
some do but after milters are checked. That's why e.g. sa-milter
must fake Received: headers when passing the mail to spamassassin.


On 04.06.13 15:35, Benny Pedersen wrote:

Basically yes, but why not test client IP RBL in the MTA stage?


what does this have in common with Received: headers? If the mail is
rejected, there's no point in further filtering.

According to my information the point is that milter can see the mail before
the mail is changed in any way. 

- sa-milter
is one milter that is basically broken; it just contains a workaround.
spampd does not need any workaround.


basically broken in what way? That it fakes a Received: header so the mail can
be processed with SA without SA hacks?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2013-06-04 16:13:

basically broken in what way? That it fakes a Received: header so the
mail can be processed with SA without SA hacks?


The milter API is; milters just test what is in the milter API, so the error is
the design in the milter API, not in the sendmail MTA / postfix MTA. That's why
it's faked in sa-milter as a workaround, but what does sa-milter do that
SpamAssassin can't fake itself? It's time for libmilter fixing on that
fake; it's just not needed since the fake still works.


It would be better if the libmilter API did the fake Received so all
milters get consistency.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


libmilter policy (was Re: Bizarre and seemingly pointless spams)

2013-06-04 Thread David F. Skoll
On Tue, 04 Jun 2013 16:43:17 +0200
Benny Pedersen m...@junc.eu wrote:

 It would be better if the libmilter API did the fake Received so all
 milters get consistency.

No.  Individual milters should decide whether or not they need to fake
a Received: header.  It's not a policy that should be imposed by
libmilter; libmilter shows the milters *exactly* what was received on
the wire and nothing more.  This is perfectly consistent.

Regards,

David.



Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Joe Acquisto-j4
 On 6/2/2013 at 12:30 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote:
 In an older episode, on 2013-06-02 16:16, David F. Skoll wrote:
 
 3) Envelope sender is in the nacha.org domain
 
 2 days ago, we received hundreds of mails with that envelope sender 
 domain containing malware like
 Case_05312013_28192.exe extracted from the attachment Case_3375975.zip
 
 And currently, hundreds of mails with said sender domain are being 
 rejected here due to RBLs.
 
 Regards,
 
 wolfgang

What's interesting to me is that nacha is the standards (my term) association 
(www.nacha.org) for ach (the automated check clearing house) which does such 
things as direct deposit and other transactions.  

They offer ab...@nacha.org 

joe a.



Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Axb

On 06/03/2013 12:04 PM, Joe Acquisto-j4 wrote:

On 6/2/2013 at 12:30 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote:

In an older episode, on 2013-06-02 16:16, David F. Skoll wrote:


3) Envelope sender is in the nacha.org domain


2 days ago, we received hundreds of mails with that envelope sender
domain containing malware like
Case_05312013_28192.exe extracted from the attachment Case_3375975.zip

And currently, hundreds of mails with said sender domain are being
rejected here due to RBLs.

Regards,

wolfgang


What's interesting to me is that nacha is the standards (my term) association 
(www.nacha.org) for ach (the automated check clearing house) which does such things as 
direct deposit and other transactions.

They offer ab...@nacha.org

joe a.



As they're all using forged senders/HELOs, pretty pointless to hammer an 
abuse@ desk with such issues. It's not Nacha spamming...


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Joe Acquisto-j4
 On 6/3/2013 at 6:08 AM, Axb axb.li...@gmail.com wrote:
 On 06/03/2013 12:04 PM, Joe Acquisto-j4 wrote:
 On 6/2/2013 at 12:30 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote:
 In an older episode, on 2013-06-02 16:16, David F. Skoll wrote:

 3) Envelope sender is in the nacha.org domain

 2 days ago, we received hundreds of mails with that envelope sender
 domain containing malware like
 Case_05312013_28192.exe extracted from the attachment Case_3375975.zip

 And currently, hundreds of mails with said sender domain are being
 rejected here due to RBLs.

 Regards,

 wolfgang

 What's interesting to me is that nacha is the standards (my term) 
 association (www.nacha.org) for ach (the automated check clearing house) 
 which does such things as direct deposit and other transactions.

 They offer ab...@nacha.org 

 joe a.

 
 As they're all using forged senders/HELOs, pretty pointless to hammer an 
 abuse@ desk with such issues. It's not Nacha spamming...

Right.  Just thought they might want to take action on their own based on 
some samples.   Still early where I am.

joe a.



Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Matus UHLAR - fantomas

On 06/03/2013 12:04 PM, Joe Acquisto-j4 wrote:

What's interesting to me is that nacha is the standards (my term)
association (www.nacha.org) for ach (the automated check clearing house)
which does such things as direct deposit and other transactions.


On 03.06.13 12:08, Axb wrote:
As they're all using forged senders/HELOs, pretty pointless to hammer 
an abuse@ desk with such issues. It's not Nacha spamming...


you should look at Received: headers to see who passed the mail to you and
complain to abuse@ there. If the mail came from nacha.org, the
ab...@nacha.org is the right place to send complaints..

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 3 Jun 2013 14:28:36 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:

 you should look at Received: headers to see who passed the mail to
 you and complain to abuse@ there. If the mail came from nacha.org, the
 ab...@nacha.org is the right place to send complaints..

There were no Received: headers in my samples.  They were directly injected
by compromised Windows boxes.

Regards,

David.



Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Benny Pedersen

David F. Skoll wrote on 2013-06-03 14:52:

There were no Received: headers in my samples.  They were directly injected
by compromised Windows boxes.


And your own MTA will not add one? :)

hmp!

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 03 Jun 2013 15:08:55 +0200
Benny Pedersen m...@junc.eu wrote:

[DFS says no Received: headers]

 and your own mta will not add one ? :)

My MTA will add a header if I let it relay the mail.  These messages
were intercepted and stopped as they came in, so I see whatever
headers they had *at the time they came in via SMTP.*

Regards,

David.


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Matus UHLAR - fantomas

On Mon, 3 Jun 2013 14:28:36 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:


you should look at Received: headers to see who passed the mail to
you and complain to abuse@ there. If the mail came from nacha.org, the
ab...@nacha.org is the right place to send complaints..


On 03.06.13 08:52, David F. Skoll wrote:

There were no Received: headers in my samples.  They were directly injected
by compromised Windows boxes.


I believe you are able to track network admins of connecting IPs.  Or,
simply check their rDNS (forward-confirmed) and contact
abuse@delegated.domain...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 3 Jun 2013 16:11:28 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:

 I believe you are able to track network admins of connecting IPs.  Or,
 simply check their rDNS (forward-confirmed) and contact
 abuse@delegated.domain...

Well yeah, but in the example I posted the machine 77.30.72.215 is a
Windows box located in Dammam, Saudi Arabia.  I suspect sending abuse
reports to saudi.net.sa will not have much of an effect... I certainly
don't have the time to follow up on more than 30 000 of these spams
from thousands of different IP addresses.

Most ISPs are lazy and don't take action against compromised customers.

Regards,

David.


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David B Funk

On Mon, 3 Jun 2013, David F. Skoll wrote:


On Mon, 3 Jun 2013 16:11:28 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:


I believe you are able to track network admins of connecting IPs.  Or,
simply check their rDNS (forward-confirmed) and contact
abuse@delegated.domain...


Well yeah, but in the example I posted the machine 77.30.72.215 is a
Windows box located in Dammam, Saudi Arabia.  I suspect sending abuse
reports to saudi.net.sa will not have much of an effect... I certainly
don't have the time to follow up on more than 30 000 of these spams
from thousands of different IP addresses.

Most ISPs are lazy and don't take action against compromised customers.


Do you not like connection-oriented RBLs? That client IP address is in
both cbl.abuseat.org & pbl.spamhaus.org lists as an infected client.

Why not just block connections from infected PCs?


--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 3 Jun 2013 14:34:30 -0500 (CDT)
David B Funk dbf...@engineering.uiowa.edu wrote:

 Do you not like connection-oriented RBLs? That client IP address is in
 both cbl.abuseat.org & pbl.spamhaus.org lists as an infected client.

We run an anti-spam service for about 100K users and sell appliances
that filter for many more.  Paying for RBLs is not cost-effective at
that scale.

 Why not just block connections from infected PCs?

Sure, we could.  I just thought the spams were unusual and wondered
if anyone knew the motivation behind them --- it's not that they were
getting past our filters; I just found them curious.

Regards,

David.


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David B Funk

On Mon, 3 Jun 2013, David F. Skoll wrote:


On Mon, 3 Jun 2013 14:28:36 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:


you should look at Received: headers to see who passed the mail to
you and complain to abuse@ there. If the mail came from nacha.org, the
ab...@nacha.org is the right place to send complaints..


There were no Received: headers in my samples.  They were directly injected
by compromised Windows boxes.


Maybe the lack of Received: headers could be used as the basis for an SA rule.
How many legit MTAs are there that don't add Received: headers? Hopefully none.


--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Dave Warren

On 2013-06-03 14:02, David B Funk wrote:

On Mon, 3 Jun 2013, David F. Skoll wrote:


On Mon, 3 Jun 2013 14:28:36 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:


you should look at Received: headers to see who passed the mail to
you and complain to abuse@ there. If the mail came from nacha.org, the
ab...@nacha.org is the right place to send complaints..


There were no Received: headers in my samples.  They were directly injected
by compromised Windows boxes.


Maybe the lack of Received: headers could be used as the basis for an 
SA rule.
How many legit MTAs are there that don't add Received: headers? 
Hopefully none.


Unless you run submitted outbound mail through SpamAssassin, in which 
case you could expect a VERY high false positive rate. While 
SpamAssassin isn't fantastic for this particular role, it can help you 
catch compromised accounts/systems before they spew too much.


You could probably mitigate this with one of the trusted type lists 
that SpamAssassin uses though, if the rule were well written.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
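Added example, not code from the thread, from SpamAssassin or from any milter it names: a milter-stage classifier for the direct-to-MX condition Dave Funk proposes as a rule, with the trusted-network exception Dave Warren's reply calls for so that mail submitted by your own users is not flagged. The networks, hostnames and both sample messages are constructed; `synthesize_received` builds the kind of Received: line the thread says sa-milter adds so SpamAssassin's relay checks can see the client IP.

```python
import ipaddress
from email import message_from_string
from email.utils import formatdate

# Constructed for this example: networks whose clients legitimately hand us
# mail with no Received: header (our own users' MUAs and internal hosts),
# in the spirit of SpamAssassin's trusted_networks / internal_networks.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]


def count_received(raw_message):
    """Number of Received: headers in the message exactly as it arrived on
    the wire. A milter runs before the local MTA stamps its own header, so
    for direct-to-MX injection this is 0; each upstream relay adds one."""
    msg = message_from_string(raw_message)
    return len(msg.get_all("Received", []))


def is_trusted(client_ip):
    """True if the connecting IP lies inside one of our trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def synthesize_received(client_ip, helo, rdns, local_host):
    """Build the Received: line the local MTA would add after acceptance.
    The thread describes sa-milter adding a line of this shape as a
    workaround so SpamAssassin can see the client IP at milter stage."""
    return "Received: from %s (%s [%s])\n\tby %s with ESMTP; %s" % (
        helo, rdns or "unknown", client_ip, local_host, formatdate())


def classify(raw_message, client_ip):
    """Classify a connection as seen at milter/SMTP stage:
    'relayed'      at least one upstream MTA stamped the message
    'submission'   no Received: header, but the client is a trusted host
    'direct_to_mx' no Received: header and the client is an outside host,
                   the pattern the thread sees from compromised PCs"""
    if count_received(raw_message) > 0:
        return "relayed"
    return "submission" if is_trusted(client_ip) else "direct_to_mx"


# Constructed sample in the shape the thread describes: no Received: header,
# subject "RE: Hello" and a one-line body, handed over by the originator.
BOT_MSG = (
    "From: Bryon Example <bryon.example@example.com>\n"
    "To: postmaster@example.net\n"
    "Subject: RE: Hello\n"
    "\n"
    "Im fine thanks , Bryon\n"
)

# Constructed sample of a message that passed through another MTA first.
RELAYED_MSG = (
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP; Mon, 03 Jun 2013 08:52:00 -0400\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: status\n"
    "\n"
    "all fine here\n"
)

if __name__ == "__main__":
    # Same message, different client: only the outside host is flagged.
    for ip, msg in (("203.0.113.9", BOT_MSG), ("192.0.2.25", BOT_MSG),
                    ("198.51.100.7", RELAYED_MSG)):
        print(ip, classify(msg, ip))
    print(synthesize_received("203.0.113.9", "PC-HOME", None, "mx.example.net"))
```

A real deployment would feed `classify` the client IP from the milter connect callback and combine the result with other signals rather than rejecting on it alone, since the corpus figures John Hardin quotes show direct-to-MX ham as well.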



Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Alex
Hi,

 Do you not like connection-oriented RBLs? That client IP address is in
 both cbl.abuseat.org & pbl.spamhaus.org lists as an infected client.

 We run an anti-spam service for about 100K users and sell appliances
 that filter for many more.  Paying for RBLs is not cost-effective at
 that scale.

You aren't finding that it's just at the expense of requiring
increased processing power on the servers themselves?

For an individual small network with an appliance, it's probably not a
big deal, but I would think it would take a couple of large systems to
process 100k users without the benefit of an RBL like zen.

Thanks,
Alex


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread John Hardin

On Mon, 3 Jun 2013, David B Funk wrote:


On Mon, 3 Jun 2013, David F. Skoll wrote:


 There were no Received: headers in my samples.  They were directly
 injected by compromised Windows boxes.


Maybe the lack of Received: headers could be used as the basis for an SA 
rule. How many legit MTAs are there that don't add Received: headers? 
Hopefully none.


There are already direct-to-MX subrules, and rules that use them in 
combination with other signs:


http://ruleqa.spamassassin.org/?daterev=20130603-r1488897-n&rule=%2FDIRECT

Suggestions for likely combinations are welcome, but at this time the 
masscheck corpora only show less than 5% direct-to-MX spam vs. 20% ham. 
Whether that's an indication that spambots are in a lull or the corpora 
doesn't represent actual spam reality well is unclear.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Rights can only ever be individual, which means that you cannot
  gain a right by joining a mob, no matter how shiny the issued
  badges are, or how many of your neighbors are part of it.  -- Marko
---
 3 days until the 69th anniversary of D-Day


Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Axb

On 06/03/2013 11:51 PM, Alex wrote:

Hi,


Do you not like connection-oriented RBLs? That client IP address is in
both cbl.abuseat.org & pbl.spamhaus.org lists as an infected client.


We run an anti-spam service for about 100K users and sell appliances
that filter for many more.  Paying for RBLs is not cost-effective at
that scale.


You aren't finding that it's just at the expense of requiring
increased processing power on the servers themselves?

For an individual small network with an appliance, it's probably not a
big deal, but I would think it would take a couple of large systems to
process 100k users without the benefit of an RBL like zen.



Dave sells boxes - if a client needs more resources, Dave will happily 
sell him more boxes .-)




Bizarre and seemingly pointless spams

2013-06-02 Thread David F. Skoll
Hi,

Is anyone seeing a rash of spams with these characteristics?

1) Subject is RE: Hello

2) From: header is randomly-generated first_l...@somedomain.com

3) Envelope sender is in the nacha.org domain

4) SPF fails

5) Message body consists only of this:

   Im fine thanks , RandomFirstName


6) It seems to be injected directly from a compromised Windows box; our
spam analysis is:

Sending relay 77.30.72.215 appears to run Windows XP
Sending relay 77.30.72.215 link type appears to be DSL

 1.3 RDNS_NONE  Delivered to internal network by a host with no rDNS
 5  SPF query returned 'fail'
 0  DKIM query returned none (d=rsla.com)
Custom Rule37:(1.2 points)  relay contains [
4.6 Originated from country-code SA
Compound Rule 9 (Mail from Windows XP box):  (1.0 points)
Word: domain*nacha.org (0.990)
Word: fine (0.990)
Word: fine+thanks (0.990)
Word: fpof*XP (0.990)
Word: fpos*Windows (0.990)
Word: fpos*Windows+XP (0.990)
Word: gctld*SA+org (0.990)
Word: gi*SA+06+Dammam (0.990)
Word: s*Hello (0.990)
Word: s*RE (0.990)
Word: s*RE+Hello (0.990)
Word: gr*SA+06 (0.981)
Word: gl*26+50 (0.978)
Word: fpos*Windows+XP+DSL (0.962)
Word: Bryon (0.940)

Can anyone guess what the point of these is?

Regards,

David.


Re: Bizarre and seemingly pointless spams

2013-06-02 Thread Christian Recktenwald
On Sun, Jun 02, 2013 at 10:16:56AM -0400, David F. Skoll wrote:
 Hi,
 
 Is anyone seeing a rash of spams with these characteristics?

Similar waves occur from time to time.

My guess (in order of sophistication):
- someone's just not able to use their spam software
- probing
- bayes / awl poisoning
- the attack is directed straight to your brains, just 
  consuming time for thoughts about what this would be 
  about (ok, that one is meta meta :-)

never mind, it's junk anyway.

-- 
Christian Recktenwald
spamassassin-talk-d...@citecs.de


Re: Bizarre and seemingly pointless spams

2013-06-02 Thread Wolfgang Zeikat

In an older episode, on 2013-06-02 16:16, David F. Skoll wrote:


3) Envelope sender is in the nacha.org domain


2 days ago, we received hundreds of mails with that envelope sender 
domain containing malware like

Case_05312013_28192.exe extracted from the attachment Case_3375975.zip

And currently, hundreds of mails with said sender domain are being 
rejected here due to RBLs.


Regards,

wolfgang