Re: Can't keep up with spam from SolarVPS sites

2014-06-10 Thread Axb

On 06/10/2014 12:17 AM, Philip Prindeville wrote:


nope... with rbldnsd you set your BL zone to use the ip4trie
dataset

which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html

ip4trie Dataset Set of IP4 CIDR ranges with corresponding (A,
TXT) values. This dataset is similar to ip4set, but uses a
different internal representation. It accepts CIDR ranges only
(not a.b.c.d−e.f.g.h), and allows for the specification of A/TXT
values on a per CIDR range basis. (If multiple CIDR ranges match
a query, the value for longest matching prefix is returned.)
Exclusions are supported too.


Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn’t
able to infer this from the documentation you pointed at.


no idea... I don't use Bind.

rbldnsd (the industry standard) is way more efficient and lightweight,
designed especially for DNSBL usage.





Re: Can't keep up with spam from SolarVPS sites

2014-06-10 Thread David B Funk

On Tue, 10 Jun 2014, Axb wrote:


On 06/10/2014 12:17 AM, Philip Prindeville wrote:


nope... with rbldnsd you set your BL zone to use the ip4trie
dataset

which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html

ip4trie Dataset Set of IP4 CIDR ranges with corresponding (A,
TXT) values. This dataset is similar to ip4set, but uses a
different internal representation. It accepts CIDR ranges only
(not a.b.c.d−e.f.g.h), and allows for the specification of A/TXT
values on a per CIDR range basis. (If multiple CIDR ranges match
a query, the value for longest matching prefix is returned.)
Exclusions are supported too.


Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn’t
able to infer this from the documentation you pointed at.


no idea... I don't use Bind.

rbldnsd (the industry standard) is way more efficient and lightweight,
designed especially for DNSBL usage.


BIND always breaks its reverse maps on class /C octet boundaries so to
represent 65.181.64.0/18 you'd have to utilize 64 class /C zones.

Having run a RBL with BIND and then moved to rbldnsd, I agree completely
with Axb. rbldnsd -is- the way to go. If you need the power and configurability
of BIND, then put it in front of rbldnsd, but use rbldnsd for the actual zone 
data.



--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{

Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Kevin A. McGrail

On 6/7/2014 3:31 AM, David B Funk wrote:

This does require some baby-sitting as it will get traffic that is the result of a real human
fat-fingering a legit recipient.


Perhaps use just subdomains then?  Such as 
venusflyt...@invalid.uiowa.edu to eliminate the risk of legit 
fat-fingered email.


Regards,
KAM



Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Philip Prindeville

On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:

 If you have to post a spam sample, pls use pastebin and post the full msg
 
 On 06/06/2014 11:32 PM, Philip Prindeville wrote:
 We’re getting a lot of spam that contains URL’s which look like (remove the 
 ):
 
 http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
 
 Some observations… The URLs should be fairly easy to filter against via a 
 regex.  Anyone have some working rules they could share?
 
 Pls note that any rule shared via lists usually loses its teeth within a few 
 hours .-)

Well, it depends on the nature of the rule…  Some characteristics are less 
fungible than others.


 
 
 The other thing is, the URL is almost always hosted by solarvps.com, in the 
 CIDR block 65.181.64.0/18.
 
 Is there an easy way to do a domain lookup on the host portion of the URL 
 and then filter it if it’s in this subnet?
 
 Yes, there is:
 
 run a local A record blacklist with rbldnsd
 
 65.181.64.0/18
 
 and a rule like, for example:
 
 uridnssub  YOUR_A_URIBL  yourabl.example.net.  A  127.0.0.2
 body       YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
 describe   YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
 score      YOUR_A_URIBL  5.0
 tflags     YOUR_A_URIBL  net a
 
 


If I used local A records, for a /18 network, I’d need all 2^14 records, right?

Because a lookup is always on a full dotted-quad (in reverse order)…

I tried using multi.uribl.com and couldn’t get this to work.

I had:

urirhssub L_URIBL_BLACK  multi.uribl.com. A 2
body      L_URIBL_BLACK  eval:check_uridnsbl('L_URIBL_BLACK')
describe  L_URIBL_BLACK  Contains a URL listed in the URIBL blacklist
tflags    L_URIBL_BLACK  net
score     L_URIBL_BLACK  20.0


set, and also:

skip_rbl_checks 0

at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.

Running this over the message in a file:

spamassassin -t --lint -D < /tmp/cable.eml

I get:

…
Jun  9 14:57:13.029 [32297] dbg: rules: compiled meta tests
Jun  9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
Jun  9 14:57:13.032 [32297] dbg: check: 
tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
Jun  9 14:57:13.032 [32297] dbg: check: 
subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
Jun  9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), 
parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 
1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 
37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 
6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)


so I’m not sure why it’s failing to find nqtel.com in the uribl.com database.

What am I missing?

-Philip



Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Axb

On 06/09/2014 11:03 PM, Philip Prindeville wrote:


On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:


If you have to post a spam sample, pls use pastebin and post the full msg

On 06/06/2014 11:32 PM, Philip Prindeville wrote:

We’re getting a lot of spam that contains URLs which look like (remove the 
):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol



Some observations… The URLs should be fairly easy to filter against via a 
regex.  Anyone have some working rules they could share?


Pls note that any rule shared via lists usually loses its teeth within a few 
hours .-)


Well, it depends on the nature of the rule…  Some characteristics are less 
fungible than others.






The other thing is, the URL is almost always hosted by solarvps.com, in the 
CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and 
then filter it if it’s in this subnet?


Yes, there is:

run a local A record blacklist with rbldnsd

65.181.64.0/18

and a rule like, for example:

uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
body  YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
score YOUR_A_URIBL  5.0
tflags   YOUR_A_URIBL   net a





If I used local A records, for a /18 network, I’d need all 2^14 records, right?

Because a lookup is always on a full dotted-quad (in reverse order)…



nope... with rbldnsd you set your BL zone to use the ip4trie dataset

which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html

ip4trie Dataset
Set of IP4 CIDR ranges with corresponding (A, TXT) values. This dataset 
is similar to ip4set, but uses a different internal representation. It 
accepts CIDR ranges only (not a.b.c.d−e.f.g.h), and allows for the 
specification of A/TXT values on a per CIDR range basis. (If multiple 
CIDR ranges match a query, the value for longest matching prefix is 
returned.) Exclusions are supported too.




I tried using multi.uribl.com and couldn’t get this to work.

I had:

urirhssub L_URIBL_BLACK  multi.uribl.com. A 2
body      L_URIBL_BLACK  eval:check_uridnsbl('L_URIBL_BLACK')
describe  L_URIBL_BLACK  Contains a URL listed in the URIBL blacklist
tflags    L_URIBL_BLACK  net
score     L_URIBL_BLACK  20.0


URIBL is enabled by default in SA - no need to add extra rules.



set, and also:

skip_rbl_checks 0

at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.

Running this over the message in a file:

spamassassin -t --lint -D < /tmp/cable.eml

I get:

…
Jun  9 14:57:13.029 [32297] dbg: rules: compiled meta tests
Jun  9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
Jun  9 14:57:13.032 [32297] dbg: check: 
tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
Jun  9 14:57:13.032 [32297] dbg: check: 
subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
Jun  9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), 
parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 
1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 
37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 
6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)


so I’m not sure why it’s failing to find nqtel.com in the uribl.com database.
What am I missing?


--lint doesn't do network tests
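As an added illustration of the mechanics Axb and David B Funk describe in this thread (not code from the thread, from rbldnsd or from SpamAssassin), the Python below models what a local A-record URIBL does: each A record of a URI host is reversed into a query name under the list zone, and an ip4trie-style dataset answers with the value of the longest matching CIDR prefix, so the whole /18 is two dataset lines rather than 2^14 records or 64 BIND /24 zones. The zone name yourabl.example.net, the A records and the excluded /24 are constructed; the dataset syntax follows the rbldnsd manual as quoted above (a ':A:TXT' default-value line, '!' for exclusions) and should be checked against the rbldnsd version you run. The in-memory longest-prefix lookup stands in for the DNS query SpamAssassin would actually send.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed ip4trie-style dataset for the hypothetical zone yourabl.example.net.
# Syntax modeled on the rbldnsd manual: a ':A:TXT' line sets the default value,
# plain lines are CIDR ranges, a leading '!' marks an exclusion. The /18 is the
# SolarVPS block from the thread; the excluded /24 is made up for the example.
IP4TRIE_ZONE = """\
:127.0.0.2:URI host in listed netblock
65.181.64.0/18
!65.181.70.0/24
"""

Value = Tuple[str, str]  # (A record, TXT record) returned for a listed address


class Ip4Trie:
    """Longest-prefix CIDR match with exclusions, as rbldnsd's ip4trie dataset behaves."""

    def __init__(self) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, Optional[Value]]] = []
        self.default: Value = ("127.0.0.2", "")

    @classmethod
    def parse(cls, text: str) -> "Ip4Trie":
        trie = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith(":"):
                # ':A:TXT' sets the default value for the entries that follow
                _, a, txt = line.split(":", 2)
                trie.default = (a, txt)
                continue
            excluded = line.startswith("!")
            cidr, _, rest = line.lstrip("!").partition(":")
            net = ipaddress.ip_network(cidr, strict=False)
            if excluded:
                trie.entries.append((net, None))
            else:
                a, _, txt = rest.partition(":")
                trie.entries.append((net, (a or trie.default[0], txt or trie.default[1])))
        return trie

    def lookup(self, ip: str) -> Optional[Value]:
        """Value of the longest matching prefix; None if unlisted or the best match is an exclusion."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Value] = None
        best_len = -1
        for net, value in self.entries:
            if addr in net and net.prefixlen > best_len:
                best, best_len = value, net.prefixlen
        return best


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Query name SpamAssassin's URIDNSBL plugin builds for an A-record list:
    octets reversed, then the list zone (e.g. 7.100.181.65.yourabl.example.net.)."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".") + "."


# Constructed A records for hosts seen in the thread's URIs; a real deployment
# resolves these through the local caching resolver.
FAKE_A_RECORDS: Dict[str, List[str]] = {
    "mabsut.com": ["65.181.100.7"],
    "ihnyc.org": ["65.181.70.5"],     # inside the /18, but in the excluded /24
    "example.org": ["203.0.113.10"],  # unrelated host, TEST-NET-3 address
}


def check_uridnssub(
    uri_hosts: List[str],
    trie: Ip4Trie,
    zone: str,
    subtest: str = "127.0.0.2",
    resolve: Callable[[str], Optional[List[str]]] = FAKE_A_RECORDS.get,
) -> List[Tuple[str, str, str, str]]:
    """Emulate 'uridnssub NAME zone A 127.0.0.2' with 'tflags net a': every A record
    of every URI host is looked up, and the rule hits when the list answers with
    exactly the subtest value. Returns (host, ip, query name, TXT) per hit."""
    hits = []
    for host in uri_hosts:
        for ip in resolve(host) or []:
            qname = dnsbl_query_name(ip, zone)
            answer = trie.lookup(ip)  # stands in for a DNS A query of qname
            if answer is not None and answer[0] == subtest:
                hits.append((host, ip, qname, answer[1]))
    return hits


if __name__ == "__main__":
    trie = Ip4Trie.parse(IP4TRIE_ZONE)
    print(f"{len(trie.entries)} dataset entries cover the /18, not 2**14 records")
    for hit in check_uridnssub(list(FAKE_A_RECORDS), trie, "yourabl.example.net"):
        print("hit:", hit)
```

The exclusion line is the practitioner's safety valve: if a legitimate customer sits inside the listed /18, a more specific '!' prefix wins the longest-match and that host is never flagged, which is far easier than carving the range up by hand. Whatever serves the zone, test it with a plain DNS client first (a query for the reversed-octet name should return 127.0.0.2) before wiring the uridnssub rule to it, since a misconfigured local list silently hits nothing.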








Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Philip Prindeville

On Jun 9, 2014, at 3:10 PM, Axb axb.li...@gmail.com wrote:

 On 06/09/2014 11:03 PM, Philip Prindeville wrote:
 
 On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:
 
 If you have to post a spam sample, pls use pastebin and post the full msg
 
 On 06/06/2014 11:32 PM, Philip Prindeville wrote:
 We’re getting a lot of spam that contains URLs which look like (remove 
 the ):
 
 http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
 
 Some observations… The URLs should be fairly easy to filter against via a 
 regex.  Anyone have some working rules they could share?
 
 Pls note that any rule shared via lists usually loses its teeth within a 
 few hours .-)
 
 Well, it depends on the nature of the rule…  Some characteristics are less 
 fungible than others.


BTW, I found that the last N characters of the above URLs were always the 
same, and tried to do a “body” rule based on those last N characters, but I 
couldn’t get the rule to match.

Still not sure why.  The entire a ... sequence is only 382 characters long.

Any ideas?


 
 
 
 
 The other thing is, the URL is almost always hosted by solarvps.com, in 
 the CIDR block 65.181.64.0/18.
 
 Is there an easy way to do a domain lookup on the host portion of the URL 
 and then filter it if it’s in this subnet?
 
 Yes, there is:
 
 run a local A record blacklist with rbldnsd
 
 65.181.64.0/18
 
 and a rule like, for example:
 
 uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
 body  YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
 describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
 score YOUR_A_URIBL  5.0
 tflags   YOUR_A_URIBL   net a
 
 
 
 
 If I used local A records, for a /18 network, I’d need all 2^14 records, 
 right?
 
 Because a lookup is always on a full dotted-quad (in reverse order)…
 
 
 nope... with rbldnsd you set your BL zone to use the ip4trie dataset
 
 which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
 
 ip4trie Dataset
 Set of IP4 CIDR ranges with corresponding (A, TXT) values. This dataset is 
 similar to ip4set, but uses a different internal representation. It accepts 
 CIDR ranges only (not a.b.c.d−e.f.g.h), and allows for the specification of 
 A/TXT values on a per CIDR range basis. (If multiple CIDR ranges match a 
 query, the value for longest matching prefix is returned.) Exclusions are 
 supported too.


Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn’t able to 
infer this from the documentation you pointed at.



 
 
 I tried using multi.uribl.com and couldn’t get this to work.
 
 I had:
 
 urirhssub L_URIBL_BLACK  multi.uribl.com. A 2
 body      L_URIBL_BLACK  eval:check_uridnsbl('L_URIBL_BLACK')
 describe  L_URIBL_BLACK  Contains a URL listed in the URIBL blacklist
 tflags    L_URIBL_BLACK  net
 score     L_URIBL_BLACK  20.0
 
 URIBL is enabled by default in SA - no need to add extra rules.
 
 
 set, and also:
 
 skip_rbl_checks 0
 
 at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.
 
 Running this over the message in a file:
 
 spamassassin -t --lint -D < /tmp/cable.eml
 
 I get:
 
 …
 Jun  9 14:57:13.029 [32297] dbg: rules: compiled meta tests
 Jun  9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
 Jun  9 14:57:13.032 [32297] dbg: check: 
 tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
 Jun  9 14:57:13.032 [32297] dbg: check: 
 subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
 Jun  9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), 
 parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), 
 get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 
 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), 
 tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 
 (21.2%), tests_pri_500: 75 (3.9%)
 
 
 so I’m not sure why it’s failing to find nqtel.com in the uribl.com database.
 What am I missing?
 
 --lint doesn't do network tests
 


Okay, taking out --lint changed the results.

Thanks,

-Philip



Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Philip Prindeville wrote:


We’re getting a lot of spam that contains URLs which look like (remove the 
):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol


BTW, I found that the last N characters of the above URLs were always 
the same, and tried to do a “body” rule based on those last N 
characters, but I couldn’t get the rule to match.


Still not sure why.  The entire a ... sequence is only 382 characters 
long.


Any ideas?


If it's in an HTML anchor tag the URL itself isn't in the body text, 
only the display label will be.


Try a uri rule.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 739 days since the first successful private support mission to ISS (SpaceX)

Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Amir Caspi
On Jun 9, 2014, at 4:25 PM, John Hardin jhar...@impsec.org wrote:

 On Mon, 9 Jun 2014, Philip Prindeville wrote:
 
 http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
 
 If it's in an HTML anchor tag the URL itself isn't in the body text, only 
 the display label will be.
 
 Try a uri rule.

This URL is already in my AC_SPAMMY_URI template group, though I don't know 
if this particular one has been released or not (I never sent an update since 
the first batch a few months ago), and even if so the current version would not 
have caught it due to being a bit too restrictive.

Try this:

uri __AC_LONGSTRS_URI   /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/

Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the 
released ones score differently).

--- Amir

Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread David B Funk

On Mon, 9 Jun 2014, Amir Caspi wrote:


On Jun 9, 2014, at 4:25 PM, John Hardin jhar...@impsec.org wrote:


On Mon, 9 Jun 2014, Philip Prindeville wrote:


http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol


If it's in an HTML anchor tag the URL itself isn't in the body text, only the 
display label will be.

Try a uri rule.


This URL is already in my AC_SPAMMY_URI template group, though I don't know 
if this particular one has been released or not (I never sent an update since the first 
batch a few months ago), and even if so the current version would not have caught it due 
to being a bit too restrictive.

Try this:

uri __AC_LONGSTRS_URI   /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/

Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the 
released ones score differently).

--- Amir


Just beware of FPs, I've seen some ugly URLs from things like airline
reservation confirmations. (spammers are getting better at stealing
features from legit messages to protect their garbage).

Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
at all (as it's an indirect rule and thus scoreless), you'll either
have to rename it or use it in a meta rule.


--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Philip Prindeville

On Jun 9, 2014, at 4:25 PM, John Hardin jhar...@impsec.org wrote:

 On Mon, 9 Jun 2014, Philip Prindeville wrote:
 
 We’re getting a lot of spam that contains URLs which look like (remove 
 the ):
 
 http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
 
 BTW, I found that the last N characters of the above URLs were always the 
 same, and tried to do a “body” rule based on those last N characters, but I 
 couldn’t get the rule to match.
 
 Still not sure why.  The entire a ... sequence is only 382 characters long.
 
 Any ideas?
 
 If it's in an HTML anchor tag the URL itself isn't in the body text, only 
 the display label will be.
 
 Try a uri rule.


Thanks, that did it.

-Philip



Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Amir Caspi
On Jun 9, 2014, at 7:11 PM, David B Funk dbf...@engineering.uiowa.edu wrote:

 Just beware of FPs, I've seen some ugly URLs from things like airline
 reservation confirmations. (spammers are getting better at stealing
 features from legit messages to protect their garbage).

FWIW, I haven't had a single FP on that or any of my other AC rules... but, 
that's only been tested on ham and spam for myself and my limited user base.  
An FP could, in principle, happen.

 Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
 at all (as it's an indirect rule and thus scoreless), you'll either
 have to rename it or use it in a meta rule.

Indeed, I use this as part of a meta for AC_SPAMMY_URIs, so if you're using it 
standalone, remove the underscores.

--- Amir
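To make John Hardin's, Amir Caspi's and David B Funk's points concrete, here is an added Python example (not code from the thread or from SpamAssassin): Amir's regex is applied to the sample URIs quoted in the thread plus a constructed newsletter-style tracking link, and a constructed HTML snippet shows why a body rule never saw the URL, since only the anchor's label survives in the rendered text while the href is what a uri rule is matched against. The HTML, the legitimate-looking link and the helper names are assumptions, and the tag stripping is only a rough approximation of SpamAssassin's own rendering. Python's re accepts the Perl pattern unchanged.

```python
import re
from typing import List

# Amir Caspi's rule body from the thread, verbatim: an 8-digit segment followed by
# three path segments of 50+ lowercase/digit/underscore/tilde characters.
AC_LONGSTRS_URI = re.compile(r"/[0-9]{8}(?:/[a-z0-9_~]{50,}){3}\b")


def rule_hits(uri: str) -> bool:
    """True when the URI would match 'uri AC_LONGSTRS_URI /.../' in SpamAssassin."""
    return AC_LONGSTRS_URI.search(uri) is not None


# Sample URIs quoted in the thread.
SAMPLE_URIS = {
    "mabsut": "http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol",
    "ieato": "http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831",
    "mkkbcc": "http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f",
}

# Constructed: a long but legitimate-looking tracking link (one opaque token,
# not three 50+ character segments), the kind of URL David Funk warns about.
LEGIT_TRACKING_URI = "https://links.newsletter.example/t/20140609/" + "a1" * 32 + "/open"

# Constructed HTML body: the spam URI lives only in the href; the visible label is short.
SAMPLE_HTML = (
    "<html><body><p>Your account statement is ready.</p>"
    '<p><a href="' + SAMPLE_URIS["mabsut"] + '">View statement</a></p></body></html>'
)

HREF_RE = re.compile(r"""<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def extract_uris(html: str) -> List[str]:
    """href targets of anchor tags: roughly what 'uri' rules are matched against."""
    return HREF_RE.findall(html)


def rendered_body_text(html: str) -> str:
    """Tags stripped, whitespace collapsed: roughly what 'body' rules are matched against."""
    return re.sub(r"\s+", " ", TAG_RE.sub(" ", html)).strip()


def uri_rule_hits(html: str) -> List[str]:
    """URIs in the message that the rule would flag."""
    return [u for u in extract_uris(html) if rule_hits(u)]


if __name__ == "__main__":
    for name, uri in SAMPLE_URIS.items():
        print(f"{name:8s} hits={rule_hits(uri)}")
    print("legit tracking link hits =", rule_hits(LEGIT_TRACKING_URI))
    print("body rule sees:", rendered_body_text(SAMPLE_HTML))
    print("uri rule hits:", len(uri_rule_hits(SAMPLE_HTML)))
```

Two things to keep in mind when deploying it: as David Funk notes, a rule named with two leading underscores carries no score, so either rename it (AC_LONGSTRS_URI) or reference it from a meta rule; and the character class is what makes the rule both specific and brittle, since a single uppercase letter, hyphen or shorter segment in a future campaign drops the match, which is the "loses its teeth" effect Axb describes.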



Re: Can't keep up with spam from SolarVPS sites

2014-06-07 Thread David B Funk

On Fri, 6 Jun 2014, lucas k wrote:

I'm having the exact opposite problem. I've created several new addresses 
that i'm hoping to get clogged up with spam so that I can have a fluid target 
to write rules against, but so far... nothing.


craig@dioxidized, where I posted a bunch of ads on craigslist with the 
address exposed, has not gotten anything in 48 hours.


red@dioxidized, where the same thing was done on reddit, nothing.

posted a few addresses in pastebin in hopes that bots might find them

So, does anyone have any idea how to get a freshly made email address to get 
clogged with spam in the shortest amount of time?


Many thanks!

Oh, and just joining the list, glad to see that there's a community here!

Lucas


Put some hidden 'mailto:' links on pages on a web-site that is regularly
crawled (i.e. 'mailto:'s that have no label so human visitors won't see them).

If you have control over the mailserver for a small business set up a
'luser_relay' to collect messages to invalid recipients. This does require
some baby-sitting as it will get traffic that is the results of a real human
fat-fingering a legit recipient.

The absolute best method that I've found is to respond to the unsubscribe
links in spam but fill in your spam-trap address to be unsubscribed.
Sometimes that method will get results within a few hours, some of my
spam-trap addresses are still getting traffic 10 -years- after being
unsubscribed.


--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Can't keep up with spam from SolarVPS sites

2014-06-07 Thread Axb

On 06/07/2014 02:36 AM, Philip Prindeville wrote:


On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:


If you have to post a spam sample, pls use pastebin and post the full msg



Here’s a prototype:

http://ur1.ca/hgxkx


This is just the generic daily snowshoe type of spam.
One or more URIBLs detects them.

The kind of stuff which so often comes from 
EONIX/HOSTWINDS/COLOCROSSING/etc networks.



woeno.com listed on black.uribl.com
woeno.com listed on jp.surbl.org
woeno.com listed on uri.invaluement.com


As your sample does not show a SA report, hard to tell if it hit SURBL's 
JP or URIBL_BLACK (uri.invaluement.com is not a public list)




Re: Can't keep up with spam from SolarVPS sites

2014-06-07 Thread Axb

On 06/07/2014 02:02 AM, Karsten Bräckelmann wrote:

On Fri, 2014-06-06 at 23:50 +0200, Axb wrote:

[...]  Anyone have some working rules they could share?


Pls note that any rule shared via lists usually loses its teeth within
a few hours .-)


Sorry, that's incorrect. The SA commits mailing list is not code only,
but includes rules/ and sandbox/ commits.


and how many 'public' static rules detect snowshoe spam? It's closer to 
zero than anything else.


Pillz/replica/etc (the usual bot stuff) holds better against static 
pattern rules.



Moreover, even by a very long stretch of few hours, no regex or
general pattern based rule older than a year could possibly match
today's spam. That species exists, though.


That we know.. which is why autogenerated SOUGHT_ like rules are so useful.

With the latest waves of hacked-site spam, there are hardly any static 
patterns. Thanks to a nicely fed Bayes DB and fast-acting IP/URI lists 
the stuff stays under control.





Re: Can't keep up with spam from SolarVPS sites

2014-06-07 Thread Axb

On 06/07/2014 04:34 AM, lucas k wrote:


So, does anyone have any idea how to get a freshly made email address to
get clogged with spam in the shortest amount of time?


It always depends what kind of spam you want to attract.
Spam traps are like good wine, they need to age.

Google around and you'll find lots of methods.

a handful of freshly made email addresses won't instantly solve your 
problem - you may need tens/hundreds/or_more domains to give you a wide 
enough scope of spam types to avoid duplicating efforts.


You need patience and creativity. Different methods attract different 
spammers.


Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Philip Prindeville
We’re getting a lot of spam that contains URLs which look like (remove the 
):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ihnyc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831

http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f

http://ifspc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://niggu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

Some observations… The URLs should be fairly easy to filter against via a 
regex.  Anyone have some working rules they could share?

The other thing is, the URL is almost always hosted by solarvps.com, in the 
CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and 
then filter it if it’s in this subnet?

Thanks,

-Philip



Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Axb

If you have to post a spam sample, pls use pastebin and post the full msg

On 06/06/2014 11:32 PM, Philip Prindeville wrote:

We’re getting a lot of spam that contains URLs which look like (remove the 
):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol



Some observations… The URLs should be fairly easy to filter against via a 
regex.  Anyone have some working rules they could share?


Pls note that any rule shared via lists usually loses its teeth within 
a few hours .-)




The other thing is, the URL is almost always hosted by solarvps.com, in the 
CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and 
then filter it if it’s in this subnet?


Yes, there is:

run a local A record blacklist with rbldnsd

65.181.64.0/18

and a rule like, for example:

uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
body  YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
score YOUR_A_URIBL  5.0
tflags   YOUR_A_URIBL   net a






Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread John Hardin

On Fri, 6 Jun 2014, Philip Prindeville wrote:


We’re getting a lot of spam that contains URLs which look like (remove the 
):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ihnyc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831

http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f

http://ifspc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://niggu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

Some observations… The URLs should be fairly easy to filter against via a 
regex.  Anyone have some working rules they could share?


While a URL with a long string of gibberish is a reliable sign of 
tracking, it's not a reliable sign of spam. A lot of legitimate mailing 
lists and newsletters and such have similar URLs.



The other thing is, the URL is almost always hosted by solarvps.com, in the 
CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and 
then filter it if it’s in this subnet?


You could set up a local authoritative DNS zone for a DNSBL, put the IP 
ranges into it, and add a URIDNSBL check rule pointing at your DNS server 
as the DNSBL host, but I don't think there's a way to do it by putting a 
netblock explicitly into a rule. That seems to me like a plausible 
extension of the URIDNSBL plugin, but it would be a pain to maintain the 
rules. Setting up a local DNSBL would be better in the long run, I think.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The more you believe you can create heaven on earth the more
  likely you are to set up guillotines in the public square to
  hasten the process. -- James Lileks
---
 Today: the 70th anniversary of D-Day
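As an added example (not code from the thread, from SpamAssassin or from any of the posters), the following Python shows what the local DNSBL described above would have to contain to list 65.181.64.0/18, the reversed-octet query name a URIDNSBL-style check sends, and an in-memory stand-in for the zone so the whole path URL, host, A record, DNSBL answer can be exercised offline. The zone name local.dnsbl.example, the 127.0.0.2 "listed" answer and the host-to-IP table are assumptions; the SpamAssassin rule in the trailing comment is assumed 3.4-era syntax. The zone generator goes beyond the /18 in the text and also handles blocks finer than a /24, which cannot be expressed with a single wildcard.

```python
"""Local DNSBL for a netblock (added example, not from the thread).

Builds the zone entries an authoritative server needs to list a CIDR
block, forms the reversed-octet query name a DNSBL client sends, and
answers those queries from an in-memory copy of the zone.
Zone name, the 127.0.0.2 answer and the host->IP table are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

ZONE = "local.dnsbl.example"   # assumed name of the local authoritative zone
LISTED = "127.0.0.2"           # conventional "listed" A answer (assumed)


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the octets and append the zone, the way DNSBL clients do:
    65.181.100.7 -> 7.100.181.65.local.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_records(cidr):
    """BIND-style owner/RR lines (relative to the zone origin) listing
    every address in `cidr`. Blocks of /24 or coarser become one wildcard
    record per /24, so a /18 needs 64 of them; finer blocks get one
    record per address, since a wildcard cannot cover part of a /24."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    lines = []
    if net.prefixlen <= 24:
        for sub in net.subnets(new_prefix=24):
            a, b, c, _ = str(sub.network_address).split(".")
            lines.append(f"*.{c}.{b}.{a}\tIN\tA\t{LISTED}")
    else:
        for host in net:
            a, b, c, d = str(host).split(".")
            lines.append(f"{d}.{c}.{b}.{a}\tIN\tA\t{LISTED}")
    return lines


class LocalDnsbl:
    """In-memory stand-in for the zone: answers as the server would.
    Blocks are tried longest prefix first, so a finer block with a
    different value could later be added as an exclusion."""

    def __init__(self, cidrs, zone=ZONE):
        self.zone = zone
        self.nets = sorted((ipaddress.IPv4Network(c) for c in cidrs),
                           key=lambda n: n.prefixlen, reverse=True)

    def lookup(self, qname):
        """Return the A answer for a query name, or None (NXDOMAIN)."""
        suffix = "." + self.zone
        if not qname.endswith(suffix):
            return None
        labels = qname[:-len(suffix)].split(".")
        if len(labels) != 4:
            return None
        try:
            ip = ipaddress.IPv4Address(".".join(reversed(labels)))
        except ValueError:
            return None
        return LISTED if any(ip in n for n in self.nets) else None


# Constructed host -> A record table standing in for a resolver; the
# first host sits inside 65.181.64.0/18, the second in TEST-NET-1.
FAKE_A_RECORDS = {
    "spam-host.example": "65.181.100.7",
    "ham-host.example": "192.0.2.10",
}


def url_host_listed(url, dnsbl, a_records=FAKE_A_RECORDS):
    """What a URIDNSBL-style check does per URL: take the host, resolve
    its A record, query the local zone with the reversed IP."""
    host = urlsplit(url).hostname
    ip = a_records.get(host)
    if ip is None:
        return False
    return dnsbl.lookup(dnsbl_query_name(ip, dnsbl.zone)) is not None


# SpamAssassin side (assumed 3.4-era syntax, not taken from the thread):
#   uridnsbl URIBL_LOCAL local.dnsbl.example. A
#   body     URIBL_LOCAL eval:check_uridnsbl('URIBL_LOCAL')
#   tflags   URIBL_LOCAL net a      # query the URL host's own A records
#   describe URIBL_LOCAL URL host resolves into a locally listed netblock
#   score    URIBL_LOCAL 4.0

if __name__ == "__main__":
    print("\n".join(zone_records("65.181.64.0/18")))
    bl = LocalDnsbl(["65.181.64.0/18"])
    for u in ("http://spam-host.example/20220362/x", "http://ham-host.example/"):
        print(u, url_host_listed(u, bl))
```

Feeding the generated records into a real zone rather than the in-memory class is the only change needed to make this a DNSBL that SpamAssassin can query; the 64 wildcard entries are the price of expressing a /18 in a format that only understands octet boundaries.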

Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Karsten Bräckelmann
On Fri, 2014-06-06 at 23:50 +0200, Axb wrote:
  [...]  Anyone have some working rules they could share?
 
 Pls note that any rule shared via lists usually loses its teeth within 
 a few hours .-)

Sorry, that's incorrect. The SA commits mailing list is not code only,
but includes rules/ and sandbox/ commits.

Moreover, even by a very long stretch of few hours, no regex or
general pattern based rule older than a year could possibly match
today's spam. That species exists, though.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Philip Prindeville

On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:

 If you have to post a spam sample, pls use pastebin and post the full msg
 

Here’s a prototype:

http://ur1.ca/hgxkx




Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Karsten Bräckelmann
On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:
 On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:
 
  If you have to post a spam sample, pls use pastebin and post the full msg
 
 Here’s a prototype:
 http://ur1.ca/hgxkx

That Return-Path really sticks out. It's basically the From: address
with embedded To: address. Spaces added for convenience.

  CamelCasedPayload - user=recipient.net @ example.com

Depending on the number of individual recipient addresses, there are
multiple approaches for rules possible. Matching a specific target
address, including the whole domain, or even seriously complex rules
also taking the From: header into account.

In either case, be careful to NOT simply match your address embedded
like that, because that's close to how mailing-lists do it. Compare this
message's Return-Path.


The following rule (beware, entirely untested) would match that pattern.
A camel-cased string, hyphen, email address with equal sign substituted
for @, followed by @ (and an arbitrary domain).

  header  CAMEL_CASE  Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/

You will of course have to substitute your address. If there are
multiple valid user names, you could use something like /[a-z]+/ instead
of an actual user name.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread John Hardin

On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:


On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:

On Jun 6, 2014, at 3:50 PM, Axb axb.li...@gmail.com wrote:


If you have to post a spam sample, pls use pastebin and post the full msg


Here’s a prototype:
http://ur1.ca/hgxkx


That Return-Path really sticks out. It's basically the From: address
with embedded To: address.

The following rule (beware, entirely untested) would match that pattern.
A camel-cased string, hyphen, email address with equal sign substituted
for @, followed by @ (and an arbitrary domain).

 header  CAMEL_CASE  Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/

You will of course have to substitute your address. If there are
multiple valid user names, you could use something like /[a-z]+/ instead
of an actual user name.


It would be possible to do a multiple-header rule with captures and 
backreferences to capture the camel-case, destination email and source 
domain parts and verify that the Return-Path+From+To header triplet 
matches this pattern.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say I don't want the government to do X, do not
  automatically assume that means I don't want X to happen.
---
 Today: the 70th anniversary of D-Day
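As an added example that is not part of either post above, the Python below turns the posted CAMEL_CASE rule into a version with captures and carries out the cross-check John Hardin suggests: the recipient embedded in the Return-Path must equal the To: address and the bounce domain must equal the From: domain. It also shows why Karsten's warning matters, by running a naive "is my address embedded in the Return-Path" test against a mailing-list VERP bounce address, which that test wrongly flags. All header values are constructed; the pattern itself (CamelCasedPayload-user=recipient.net@example.com) is the one the thread describes.

```python
"""Return-Path / From: / To: triplet check (added example, not from the thread).

A standalone version of the posted CAMEL_CASE rule with captures, so the
embedded recipient can be compared with To: and the bounce domain with
From:. All header values below are constructed.
"""
import re
from email.utils import parseaddr

# Three or more capitalised words, a hyphen, the recipient with '=' in
# place of '@', then '@' and the bounce domain. Same shape as the posted
# rule, with named captures instead of a fixed recipient address.
RETURN_PATH_RE = re.compile(
    r"^(?:[A-Z][a-z]+){3,}-"
    r"(?P<ruser>[a-z0-9._-]+)=(?P<rdomain>[a-z0-9.-]+)"
    r"@(?P<bdomain>[a-z0-9.-]+)$"
)


def parse_return_path(value):
    """Return (embedded recipient, bounce domain) for a camel-case bounce
    address, or None when the address does not follow the pattern.
    parseaddr strips the angle brackets, like SA's Return-Path:addr."""
    _, addr = parseaddr(value)
    m = RETURN_PATH_RE.match(addr)
    if not m:
        return None
    return f"{m['ruser']}@{m['rdomain']}", m["bdomain"]


def _domain(header_value):
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def triplet_matches(headers):
    """True only when the Return-Path follows the pattern AND embeds
    exactly the To: address AND its domain equals the From: domain."""
    parsed = parse_return_path(headers.get("Return-Path", ""))
    if parsed is None:
        return False
    embedded, bdomain = parsed
    _, to_addr = parseaddr(headers.get("To", ""))
    return (embedded.lower() == to_addr.lower()
            and bdomain == _domain(headers.get("From", "")))


def naive_embedded_match(headers):
    """The check the thread warns against: merely looking for your own
    address, '@' rewritten to '=', inside the Return-Path local part.
    Mailing-list VERP bounce addresses embed the recipient the same way."""
    _, rp = parseaddr(headers.get("Return-Path", ""))
    _, to_addr = parseaddr(headers.get("To", ""))
    return to_addr.replace("@", "=") in rp.rpartition("@")[0]


# Constructed samples. The first follows the spam pattern; the second has
# the shape of a VERP bounce address generated by a mailing-list manager.
SPAM_HEADERS = {
    "Return-Path": "<CamelCasedPayload-user=recipient.net@example.com>",
    "From": "Some Sender <promo@example.com>",
    "To": "user@recipient.net",
}
LIST_HEADERS = {
    "Return-Path": "<users-return-12345-user=recipient.net@lists.example.org>",
    "From": "Someone <someone@example.com>",
    "To": "user@recipient.net",
}

if __name__ == "__main__":
    for name, h in (("spam", SPAM_HEADERS), ("list", LIST_HEADERS)):
        print(name, "triplet:", triplet_matches(h),
              "naive:", naive_embedded_match(h))
```

The naive test returns True for both samples; only the full triplet check separates the camel-case bounce from a list bounce, which is the distinction a multi-header SpamAssassin rule with backreferences would have to make.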

Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Karsten Bräckelmann
On Fri, 2014-06-06 at 19:02 -0700, John Hardin wrote:
 On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

  That Return-Path really sticks out. It's basically the From: address
  with embedded To: address.

 It would be possible to do a multiple-header rule with captures and 
 backreferences to capture the camel-case, destination email and source 
 domain parts and verify that the Return-Path+From+To header triplet 
 matches this pattern.

I bet you by 2 minutes! ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread John Hardin

On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:


On Fri, 2014-06-06 at 19:02 -0700, John Hardin wrote:

On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:



That Return-Path really sticks out. It's basically the From: address
with embedded To: address.



It would be possible to do a multiple-header rule with captures and
backreferences to capture the camel-case, destination email and source
domain parts and verify that the Return-Path+From+To header triplet
matches this pattern.


I bet you by 2 minutes! ;)


:-P

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  We have to realize that people who run the government can and do
  change. Our society and laws must assume that bad people -
  criminals even - will run the government, at least part of the
  time.   -- John Gilmore
---
 Today: the 70th anniversary of D-Day

Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread lucas k
I'm having the exact opposite problem. I've created several new 
addresses that I'm hoping to get clogged up with spam so that I can have 
a fluid target to write rules against, but so far... nothing.


craig@dioxidized, where I posted a bunch of ads on craigslist with the 
address exposed, has not gotten anything in 48 hours.


red@dioxidized, where the same thing was done on reddit, nothing.

posted a few addresses in pastebin in hopes that bots might find them

So, does anyone have any idea how to get a freshly made email address to 
get clogged with spam in the shortest amount of time?


Many thanks!

Oh, and just joining the list, glad to see that there's a community here!

Lucas
On 06/06/2014 05:32 PM, Philip Prindeville wrote:

We’re getting a lot of spam that contains URLs which look like (remove the 
):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ihnyc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831

http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f

http://ifspc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://niggu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

Some observations… The URLs should be fairly easy to filter against via a 
regex.  Anyone have some working rules they could share?

The other thing is, the URL is almost always hosted by solarvps.com, in the 
CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and 
then filter it if it’s in this subnet?

Thanks,

-Philip





Re: Can't keep up with spam from SolarVPS sites

2014-06-06 Thread Karsten Bräckelmann
On Fri, 2014-06-06 at 22:34 -0400, lucas k wrote:
 I'm having the exact opposite problem. I've created several new 
 addresses that I'm hoping to get clogged up with spam so that I can have 
 a fluid target to write rules against, but so far... nothing.
 
 craig@dioxidized, where I posted a bunch of ads on craigslist with the 
 address exposed, has not gotten anything in 48 hours.

48 hours. No, I wouldn't expect spam in that short a time frame. Spam
(bot) networks need to pick up fresh addresses, distribute them, then
eventually use them.

I am still getting spam with addresses out-of-business for years. Most
spammers (especially botnet based) don't care for SMTP reject. Invalid
addresses rarely phase out.

Adding new addresses might take time, too. First, they need to be
discovered. (Who told you spammers are specifically harvesting
craigslist?) Then, the new addresses need to be distributed for bots to
actually use them.

I am *still* getting Mydoom virus infected messages. What does that tell
you about blackhats and being up-to-date?


 So, does anyone have any idea how to get a freshly made email address to 
 get clogged with spam in the shortest amount of time?

If the domain is not fresh and there are users getting spam, a catch-all
address could help. You will even see spam to thisisjusttest@.

However, legitimate senders will NOT be informed, in case they mis-typed
the recipient address. Even worse, that mail would end up in your
catch-all bin. Use with care.


 Many thanks!
 
 Oh, and just joining the list, glad to see that there's a community here!

There is indeed. I recommend active lurking, lots of good advice,
hints and education, even if not (yet) perceived as a personal issue.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}