Re: Can't keep up with spam from SolarVPS sites
On 06/10/2014 12:17 AM, Philip Prindeville wrote:
>> nope... with rbldnsd you set your BL zone to use the ip4trie dataset
>> which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
>>
>>   ip4trie Dataset
>>     Set of IP4 CIDR ranges with corresponding (A, TXT) values. This
>>     dataset is similar to ip4set, but uses a different internal
>>     representation. It accepts CIDR ranges only (not a.b.c.d-e.f.g.h),
>>     and allows for the specification of A/TXT values on a per CIDR
>>     range basis. (If multiple CIDR ranges match a query, the value for
>>     longest matching prefix is returned.) Exclusions are supported too.
>
> Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn't
> able to infer this from the documentation you pointed at.

no idea... I don't use Bind.
rbldnsd (the industry standard) is way more efficient and lightweight,
designed especially for dnsbl usage.
Re: Can't keep up with spam from SolarVPS sites
On Tue, 10 Jun 2014, Axb wrote:

> On 06/10/2014 12:17 AM, Philip Prindeville wrote:
>>> nope... with rbldnsd you set your BL zone to use the ip4trie dataset
>>> which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
>>>
>>>   ip4trie Dataset
>>>     Set of IP4 CIDR ranges with corresponding (A, TXT) values. This
>>>     dataset is similar to ip4set, but uses a different internal
>>>     representation. It accepts CIDR ranges only (not a.b.c.d-e.f.g.h),
>>>     and allows for the specification of A/TXT values on a per CIDR
>>>     range basis. (If multiple CIDR ranges match a query, the value for
>>>     longest matching prefix is returned.) Exclusions are supported too.
>>
>> Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn't
>> able to infer this from the documentation you pointed at.
>
> no idea... I don't use Bind.
> rbldnsd (the industry standard) is way more efficient and lightweight,
> designed especially for dnsbl usage.

BIND always breaks its reverse maps on class /C octet boundaries so to
represent 65.181.64.0/18 you'd have to utilize 64 class /C zones.

Having run a RBL with BIND and then moved to rbldnsd, I agree completely
with Axb. rbldnsd -is- the way to go.
If you need the power and configurability of BIND, then put it in front
of rbldnsd, but use rbldnsd for the actual zone data.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
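To make the /18 question concrete, here is an added Python illustration (not code from the thread, from rbldnsd or from BIND): it builds the reversed name a URIDNSBL lookup queries, expands the block into the 64 per-/24 wildcard records an octet-aligned BIND listing would need, and models ip4trie's longest-prefix lookup with an exclusion. The dataset format it parses is a simplified assumption, and the zone name yourabl.example.net is taken from Axb's example rule.

```python
import ipaddress
from typing import List, Optional, Tuple

ZONE = "yourabl.example.net"   # DNSBL zone name taken from the thread's uridnssub rule
LISTED = "127.0.0.2"           # A value that rule expects for a listed host


def dnsbl_qname(ip: str, zone: str = ZONE) -> str:
    """Name a URIDNSBL lookup asks for: the host's octets reversed under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def bind_wildcard_rrs(cidr: str, zone: str = ZONE, value: str = LISTED) -> List[str]:
    """Octet-aligned expansion: one wildcard A record per /24 inside the block.
    For a /18 that is the 64 'class C' entries the thread mentions (assumed
    wildcard form; BIND matches '*.64.181.65' against any host label below it)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    rrs = []
    for sub in net.subnets(new_prefix=24):
        o = sub.network_address.exploded.split(".")
        rrs.append(f"*.{o[2]}.{o[1]}.{o[0]}.{zone}. IN A {value}")
    return rrs


class Ip4Trie:
    """Longest-prefix-match table modelled on the ip4trie semantics quoted above:
    the most specific matching CIDR wins, and an exclusion is just a more
    specific entry carrying no value, so hosts inside it come back unlisted."""

    def __init__(self) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, Optional[str]]] = []

    def add(self, cidr: str, value: Optional[str]) -> None:
        self.entries.append((ipaddress.IPv4Network(cidr, strict=False), value))

    def lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(ip)
        best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
        for net, value in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, value)
        return None if best is None else best[1]


def load_ip4trie(text: str) -> Ip4Trie:
    """Parse a constructed, simplified ip4trie-style dataset (format assumed here,
    not rbldnsd's own parser): 'cidr[ :A[:TXT]]' per line, '!' marks an
    exclusion, '#' starts a comment, entries without an A value get LISTED."""
    trie = Ip4Trie()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            trie.add(line[1:].strip(), None)
            continue
        cidr, _, rest = line.partition(":")
        value = rest.split(":", 1)[0].strip() or LISTED
        trie.add(cidr.strip(), value)
    return trie


# Constructed dataset: the /18 from the thread, with one /24 carved out.
SAMPLE_ZONE = """
65.181.64.0/18   :127.0.0.2:URL host in the solarvps.com range
!65.181.70.0/24  # constructed exclusion, e.g. a customer you never want listed
"""


def uribl_hit(trie: Ip4Trie, host_ip: str, expect: str = LISTED) -> bool:
    """What the uridnssub rule tests: the A answer for the host equals 127.0.0.2."""
    return trie.lookup(host_ip) == expect


if __name__ == "__main__":
    trie = load_ip4trie(SAMPLE_ZONE)
    print(dnsbl_qname("65.181.100.5"))
    print(len(bind_wildcard_rrs("65.181.64.0/18")), "wildcard RRs vs 1 ip4trie line")
    for ip in ("65.181.100.5", "65.181.70.9", "65.181.130.1"):
        print(ip, "listed" if uribl_hit(trie, ip) else "not listed")
```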
Re: Can't keep up with spam from SolarVPS sites
On 6/7/2014 3:31 AM, David B Funk wrote:
> This does require some baby-sitting as it will get traffic that is the
> results of a real human fat-fingering a legit recipient.

Perhaps use just subdomains then?  Such as venusflyt...@invalid.uiowa.edu
to eliminate the risk of legit fat-fingered email.

Regards,
KAM
Re: Can't keep up with spam from SolarVPS sites
On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:

> If you have to post a spam sample, pls use pastebin and post the full msg
>
> On 06/06/2014 11:32 PM, Philip Prindeville wrote:
>> We're getting a lot of spam that contains URL's which look like (remove the ):
>>
>> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>
>> Some observations...
>>
>> The URL's should be fairly easy to filter against via a regex. Anyone
>> have some working rules they could share?
>
> Pls note that any rule shared via lists usually loses its teeth within
> a few hours .-)

Well, it depends on the nature of the rule... Some characteristics are
less fungible than others.

>> The other thing is, the URL is almost always hosted by solarvps.com, in
>> the CIDR block 65.181.64.0/18. Is there an easy way to do a domain
>> lookup on the host portion of the URL and then filter it if it's in
>> this subnet?
>
> Yes, there is: run a local A record blacklist with rbldnsd
>
>    65.181.64.0/18
>
> and a rule like, for example:
>
>    uridnssub YOUR_A_URIBL  yourabl.example.net. A 127.0.0.2
>    body      YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
>    describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
>    score     YOUR_A_URIBL  5.0
>    tflags    YOUR_A_URIBL  net a

If I used local A records, for a /18 network, I'd need all 2^14 records,
right?  Because a lookup is always on a full dotted-quad (in reverse
order)...

I tried using multi.uribl.com and couldn't get this to work.  I had:

   urirhssub L_URIBL_BLACK  multi.uribl.com. A 2
   body      L_URIBL_BLACK  eval:check_uridnsbl('L_URIBL_BLACK')
   describe  L_URIBL_BLACK  Contains a URL listed in the URIBL blacklist
   tflags    L_URIBL_BLACK  net
   score     L_URIBL_BLACK  20.0

set, and also:

   skip_rbl_checks 0

at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.

Running this over the message in a file:

   spamassassin -t --lint -D /tmp/cable.eml

I get:

   ...
   Jun 9 14:57:13.029 [32297] dbg: rules: compiled meta tests
   Jun 9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
   Jun 9 14:57:13.032 [32297] dbg: check: tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
   Jun 9 14:57:13.032 [32297] dbg: check: subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
   Jun 9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)

so I'm not sure why it's failing to find nqtel.com in the uribl.com
database.

What am I missing?

-Philip
Re: Can't keep up with spam from SolarVPS sites
On 06/09/2014 11:03 PM, Philip Prindeville wrote:
> On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:
>
>> If you have to post a spam sample, pls use pastebin and post the full msg
>>
>> On 06/06/2014 11:32 PM, Philip Prindeville wrote:
>>> We're getting a lot of spam that contains URL's which look like (remove the ):
>>>
>>> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>>
>>> Some observations...
>>>
>>> The URL's should be fairly easy to filter against via a regex. Anyone
>>> have some working rules they could share?
>>
>> Pls note that any rule shared via lists usually loses its teeth within
>> a few hours .-)
>
> Well, it depends on the nature of the rule... Some characteristics are
> less fungible than others.
>
>>> The other thing is, the URL is almost always hosted by solarvps.com, in
>>> the CIDR block 65.181.64.0/18. Is there an easy way to do a domain
>>> lookup on the host portion of the URL and then filter it if it's in
>>> this subnet?
>>
>> Yes, there is: run a local A record blacklist with rbldnsd
>>
>>    65.181.64.0/18
>>
>> and a rule like, for example:
>>
>>    uridnssub YOUR_A_URIBL  yourabl.example.net. A 127.0.0.2
>>    body      YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
>>    describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
>>    score     YOUR_A_URIBL  5.0
>>    tflags    YOUR_A_URIBL  net a
>
> If I used local A records, for a /18 network, I'd need all 2^14 records,
> right?  Because a lookup is always on a full dotted-quad (in reverse
> order)...

nope... with rbldnsd you set your BL zone to use the ip4trie dataset
which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html

  ip4trie Dataset
    Set of IP4 CIDR ranges with corresponding (A, TXT) values. This
    dataset is similar to ip4set, but uses a different internal
    representation. It accepts CIDR ranges only (not a.b.c.d-e.f.g.h),
    and allows for the specification of A/TXT values on a per CIDR
    range basis. (If multiple CIDR ranges match a query, the value for
    longest matching prefix is returned.) Exclusions are supported too.

> I tried using multi.uribl.com and couldn't get this to work.  I had:
>
>    urirhssub L_URIBL_BLACK  multi.uribl.com. A 2
>    body      L_URIBL_BLACK  eval:check_uridnsbl('L_URIBL_BLACK')
>    describe  L_URIBL_BLACK  Contains a URL listed in the URIBL blacklist
>    tflags    L_URIBL_BLACK  net
>    score     L_URIBL_BLACK  20.0

URIBL is enabled by default in SA - no need to add extra rules.

> set, and also:
>
>    skip_rbl_checks 0
>
> at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.
>
> Running this over the message in a file:
>
>    spamassassin -t --lint -D /tmp/cable.eml
>
> I get:
>
>    ...
>    Jun 9 14:57:13.029 [32297] dbg: rules: compiled meta tests
>    Jun 9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
>    Jun 9 14:57:13.032 [32297] dbg: check: tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
>    Jun 9 14:57:13.032 [32297] dbg: check: subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
>    Jun 9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)
>
> so I'm not sure why it's failing to find nqtel.com in the uribl.com
> database.
>
> What am I missing?

--lint doesn't do network tests
Re: Can't keep up with spam from SolarVPS sites
On Jun 9, 2014, at 3:10 PM, Axb <axb.li...@gmail.com> wrote:

> On 06/09/2014 11:03 PM, Philip Prindeville wrote:
>> On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:
>>
>>> If you have to post a spam sample, pls use pastebin and post the full msg
>>>
>>> On 06/06/2014 11:32 PM, Philip Prindeville wrote:
>>>> We're getting a lot of spam that contains URL's which look like (remove the ):
>>>>
>>>> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>>>
>>>> Some observations...
>>>>
>>>> The URL's should be fairly easy to filter against via a regex. Anyone
>>>> have some working rules they could share?
>>>
>>> Pls note that any rule shared via lists usually loses its teeth within
>>> a few hours .-)
>>
>> Well, it depends on the nature of the rule... Some characteristics are
>> less fungible than others.
>>
>> BTW, I found that the last N characters of the above URL's were always
>> the same, and tried to do a "body" rule based on those last N
>> characters, but I couldn't get the rule to match.  Still not sure why.
>> The entire a ... sequence is only 382 characters long.  Any ideas?
>>
>>>> The other thing is, the URL is almost always hosted by solarvps.com,
>>>> in the CIDR block 65.181.64.0/18. Is there an easy way to do a domain
>>>> lookup on the host portion of the URL and then filter it if it's in
>>>> this subnet?
>>>
>>> Yes, there is: run a local A record blacklist with rbldnsd
>>>
>>>    65.181.64.0/18
>>>
>>> and a rule like, for example:
>>>
>>>    uridnssub YOUR_A_URIBL  yourabl.example.net. A 127.0.0.2
>>>    body      YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
>>>    describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
>>>    score     YOUR_A_URIBL  5.0
>>>    tflags    YOUR_A_URIBL  net a
>>
>> If I used local A records, for a /18 network, I'd need all 2^14 records,
>> right?  Because a lookup is always on a full dotted-quad (in reverse
>> order)...
>
> nope... with rbldnsd you set your BL zone to use the ip4trie dataset
> which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
>
>   ip4trie Dataset
>     Set of IP4 CIDR ranges with corresponding (A, TXT) values. This
>     dataset is similar to ip4set, but uses a different internal
>     representation. It accepts CIDR ranges only (not a.b.c.d-e.f.g.h),
>     and allows for the specification of A/TXT values on a per CIDR
>     range basis. (If multiple CIDR ranges match a query, the value for
>     longest matching prefix is returned.) Exclusions are supported too.

Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn't
able to infer this from the documentation you pointed at.

>> I tried using multi.uribl.com and couldn't get this to work.  I had:
>>
>>    urirhssub L_URIBL_BLACK  multi.uribl.com. A 2
>>    body      L_URIBL_BLACK  eval:check_uridnsbl('L_URIBL_BLACK')
>>    describe  L_URIBL_BLACK  Contains a URL listed in the URIBL blacklist
>>    tflags    L_URIBL_BLACK  net
>>    score     L_URIBL_BLACK  20.0
>
> URIBL is enabled by default in SA - no need to add extra rules.
>
>> set, and also:
>>
>>    skip_rbl_checks 0
>>
>> at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.
>>
>> Running this over the message in a file:
>>
>>    spamassassin -t --lint -D /tmp/cable.eml
>>
>> I get:
>>
>>    ...
>>    Jun 9 14:57:13.029 [32297] dbg: rules: compiled meta tests
>>    Jun 9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
>>    Jun 9 14:57:13.032 [32297] dbg: check: tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
>>    Jun 9 14:57:13.032 [32297] dbg: check: subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
>>    Jun 9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)
>>
>> so I'm not sure why it's failing to find nqtel.com in the uribl.com
>> database.
>>
>> What am I missing?
>
> --lint doesn't do network tests

Okay, taking out --lint changed the results.

Thanks,

-Philip
Re: Can't keep up with spam from SolarVPS sites
On Mon, 9 Jun 2014, Philip Prindeville wrote:

> We're getting a lot of spam that contains URL's which look like (remove the ):
>
> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> BTW, I found that the last N characters of the above URL's were always
> the same, and tried to do a "body" rule based on those last N
> characters, but I couldn't get the rule to match.  Still not sure why.
> The entire a ... sequence is only 382 characters long.  Any ideas?

If it's in an HTML anchor tag the URL itself isn't in the body text, only
the display label will be. Try a uri rule.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76  D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
-----------------------------------------------------------------------
 739 days since the first successful private support mission to ISS (SpaceX)
Re: Can't keep up with spam from SolarVPS sites
On Jun 9, 2014, at 4:25 PM, John Hardin <jhar...@impsec.org> wrote:

> On Mon, 9 Jun 2014, Philip Prindeville wrote:
>
>> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> If it's in an HTML anchor tag the URL itself isn't in the body text, only
> the display label will be. Try a uri rule.

This URL is already in my AC_SPAMMY_URI template group, though I don't know
if this particular one has been released or not (I never sent an update
since the first batch a few months ago), and even if so the current version
would not have caught it due to being a bit too restrictive.

Try this:

uri __AC_LONGSTRS_URI /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/

Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the
released ones score differently).

--- Amir
Re: Can't keep up with spam from SolarVPS sites
On Mon, 9 Jun 2014, Amir Caspi wrote:

> On Jun 9, 2014, at 4:25 PM, John Hardin <jhar...@impsec.org> wrote:
>
>> On Mon, 9 Jun 2014, Philip Prindeville wrote:
>>
>>> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>
>> If it's in an HTML anchor tag the URL itself isn't in the body text, only
>> the display label will be. Try a uri rule.
>
> This URL is already in my AC_SPAMMY_URI template group, though I don't
> know if this particular one has been released or not (I never sent an
> update since the first batch a few months ago), and even if so the
> current version would not have caught it due to being a bit too
> restrictive.
>
> Try this:
>
> uri __AC_LONGSTRS_URI /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/
>
> Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but
> the released ones score differently).
>
> --- Amir

Just beware of FPs, I've seen some ugly URLs from things like airline
reservation confirmations. (spammers are getting better at stealing
features from legit messages to protect their garbage).

Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
at all (as it's an indirect rule and thus scoreless), you'll either have to
rename it or use it in a meta rule.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Can't keep up with spam from SolarVPS sites
On Jun 9, 2014, at 4:25 PM, John Hardin <jhar...@impsec.org> wrote:

> On Mon, 9 Jun 2014, Philip Prindeville wrote:
>
>> We're getting a lot of spam that contains URL's which look like (remove the ):
>>
>> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>
>> BTW, I found that the last N characters of the above URL's were always
>> the same, and tried to do a "body" rule based on those last N
>> characters, but I couldn't get the rule to match.  Still not sure why.
>> The entire a ... sequence is only 382 characters long.  Any ideas?
>
> If it's in an HTML anchor tag the URL itself isn't in the body text, only
> the display label will be. Try a uri rule.

Thanks, that did it.

-Philip
Re: Can't keep up with spam from SolarVPS sites
On Jun 9, 2014, at 7:11 PM, David B Funk <dbf...@engineering.uiowa.edu> wrote:

> Just beware of FPs, I've seen some ugly URLs from things like airline
> reservation confirmations. (spammers are getting better at stealing
> features from legit messages to protect their garbage).

FWIW, I haven't had a single FP on that or any of my other AC rules... but,
that's only been tested on ham and spam for myself and my limited user base.
An FP could, in principle, happen.

> Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
> at all (as it's an indirect rule and thus scoreless), you'll either have
> to rename it or use it in a meta rule.

Indeed, I use this as part of a meta for AC_SPAMMY_URIs, so if you're using
it standalone, remove the underscores.

--- Amir
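An added Python illustration (not code from the thread or from SpamAssassin) of two points in this sub-thread: John's observation that a body rule sees only rendered text while a uri rule sees the href, and Amir's pattern run against constructed URLs, including a lowercase-hex one that matches and shows the false-positive case Dave warns about. All hosts, URLs and HTML fragments are constructed; the text/href split is a minimal stand-in for SA's own rendering.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Amir's uri pattern from the thread; Perl and Python agree on this syntax.
AC_LONGSTRS_URI = re.compile(r"/[0-9]{8}(?:/[a-z0-9_~]{50,}){3}\b")


class _RuleInputs(HTMLParser):
    """Separate what the two SpamAssassin rule types see: rendered text for
    'body' rules, extracted href targets for 'uri' rules."""

    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.uris: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.uris.append(value)

    def handle_data(self, data: str) -> None:
        self.text.append(data)


def rule_inputs(html: str) -> Tuple[str, List[str]]:
    """Return (rendered text, list of hrefs) for an HTML part."""
    p = _RuleInputs()
    p.feed(html)
    p.close()
    return "".join(p.text), p.uris


def body_rule_matches(html: str) -> bool:
    """A 'body' rule never sees the href, only the anchor's display label."""
    text, _ = rule_inputs(html)
    return AC_LONGSTRS_URI.search(text) is not None


def uri_rule_matches(html: str) -> bool:
    """A 'uri' rule runs over the extracted URI list, so the href is in scope."""
    _, uris = rule_inputs(html)
    return any(AC_LONGSTRS_URI.search(u) for u in uris)


# Constructed samples (no real hosts). SEG is 60 lowercase letters.
SEG = "".join(chr(ord("a") + i % 26) for i in range(60))
SPAM_HTML = ('<html><body>Great deal! <a href="http://host.example.invalid/20220362/'
             + "/".join([SEG, SEG + "_0", "~" + SEG]) + '">click here</a></body></html>')
# Booking-style URL: mixed case in the first long segment, so the class fails.
LEGIT_HTML = ('<a href="https://airline.example/confirm/12345678/'
              + "/".join(["Ab" * 30, SEG, SEG]) + '">Your booking</a>')
# Three long lowercase-hex segments: legitimate CDN or tracking links can look
# like this too, which is the false-positive case to weigh before scoring it alone.
HEX_HTML = ('<a href="https://cdn.example/12345678/' + "/".join(["0f" * 32] * 3)
            + '">Invoice</a>')


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_HTML), ("booking", LEGIT_HTML), ("hex", HEX_HTML)):
        print(label, "body:", body_rule_matches(sample), "uri:", uri_rule_matches(sample))
```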
Re: Can't keep up with spam from SolarVPS sites
On Fri, 6 Jun 2014, lucas k wrote:

> I'm having the exact opposite problem. I've created several new addresses
> that I'm hoping to get clogged up with spam so that I can have a fluid
> target to write rules against, but so far... nothing.
>
> craig@dioxidized, where I posted a bunch of ads on craigslist with the
> address exposed has not gotten anything in 48 hours.
> red@dioxidized, where the same thing was done on reddit, nothing.
> posted a few addresses in pastebin in hopes that bots might find them
>
> So, does anyone have any idea how to get a freshly made email address to
> get clogged with spam in the shortest amount of time?
>
> Many thanks!
> Oh, and just joining the list, glad to see that there's a community here!
>
> Lucas

Put some hidden 'mailto:' links on pages on a web-site that is regularly
crawled (IE 'mailto:'s that have no label so human visitors won't see them).

If you have control over the mailserver for a small business set up a
'luser_relay' to collect messages to invalid recipients.
This does require some baby-sitting as it will get traffic that is the
results of a real human fat-fingering a legit recipient.

The absolute best method that I've found is to respond to the unsubscribe
links in spam but fill in your spam-trap address to be unsubscribed.
Sometimes that method will get results within a few hours, some of my
spam-trap addresses are still getting traffic 10 -years- after being
unsubscribed.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Can't keep up with spam from SolarVPS sites
On 06/07/2014 02:36 AM, Philip Prindeville wrote:
> On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:
>
>> If you have to post a spam sample, pls use pastebin and post the full msg
>
> Here's a prototype:
>
> http://ur1.ca/hgxkx

This is just the generic daily snowshoe type of spam.
One or more URIBLs detects them.
The kind of stuff which so often comes from EONIX/HOSTWINDS/COLOCROSSING/etc
networks.

woeno.com listed on black.uribl.com
woeno.com listed on jp.surbl.org
woeno.com listed on uri.invaluement.com

As your sample does not show a SA report, hard to tell if it hit SURBL's JP
or URIBL_BLACK (uri.invaluement.com is not a public list)
Re: Can't keep up with spam from SolarVPS sites
On 06/07/2014 02:02 AM, Karsten Bräckelmann wrote:
> On Fri, 2014-06-06 at 23:50 +0200, Axb wrote:
> [...]
>>> Anyone have some working rules they could share?
>>
>> Pls note that any rule shared via lists usually loses its teeth within
>> a few hours .-)
>
> Sorry, that's incorrect. The SA commits mailing list is not code only,
> but includes rules/ and sandbox/ commits.

and how many 'public' static rules detect snowshoe spam?
it's closer to zero than anything else.
Pillz/replica/etc (the usual bot stuff) holds better against static
pattern rules.

> Moreover, even by a very long stretch of few hours, no regex or general
> pattern based rule older than a year could possibly match today's spam.
> That species exists, though.

That we know.. which is why autogenerated SOUGHT_ like rules are so useful.
With the latest waves of hacked site spam, there's hardly any static
patterns.
Thanks to a nicely fed Bayes DB and fast acting IP/URI lists the stuff
stays under control.
Re: Can't keep up with spam from SolarVPS sites
On 06/07/2014 04:34 AM, lucas k wrote:
> So, does anyone have any idea how to get a freshly made email address to
> get clogged with spam in the shortest amount of time?

It always depends what kind of spam you want to attract.
Spam traps are like good wine, they need to age.

Google around and you'll find lots of methods.
a handful of freshly made email address won't instantly solve your
problem - you may need tens/hundreds/or_more domains to give you a wide
enough scope of spam types to avoid duplicating efforts.

You need patience and creativity.
Different methods attract different spammers.
Can't keep up with spam from SolarVPS sites
We're getting a lot of spam that contains URL's which look like (remove the ):

http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
http://ihnyc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831
http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f
http://ifspc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
http://niggu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

Some observations...

The URL's should be fairly easy to filter against via a regex.  Anyone have
some working rules they could share?

The other thing is, the URL is almost always hosted by solarvps.com, in the
CIDR block 65.181.64.0/18.  Is there an easy way to do a domain lookup on
the host portion of the URL and then filter it if it's in this subnet?

Thanks,

-Philip
Re: Can't keep up with spam from SolarVPS sites
If you have to post a spam sample, pls use pastebin and post the full msg

On 06/06/2014 11:32 PM, Philip Prindeville wrote:
> We're getting a lot of spam that contains URL's which look like (remove the ):
>
> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> Some observations...
>
> The URL's should be fairly easy to filter against via a regex.  Anyone
> have some working rules they could share?

Pls note that any rule shared via lists usually loses its teeth within a
few hours .-)

> The other thing is, the URL is almost always hosted by solarvps.com, in
> the CIDR block 65.181.64.0/18.  Is there an easy way to do a domain
> lookup on the host portion of the URL and then filter it if it's in this
> subnet?

Yes, there is: run a local A record blacklist with rbldnsd

   65.181.64.0/18

and a rule like, for example:

   uridnssub YOUR_A_URIBL  yourabl.example.net. A 127.0.0.2
   body      YOUR_A_URIBL  eval:check_uridnsbl('YOUR_A_URIBL')
   describe  YOUR_A_URIBL  URL domain A rec listed by YOUR_A_URIBL
   score     YOUR_A_URIBL  5.0
   tflags    YOUR_A_URIBL  net a
Re: Can't keep up with spam from SolarVPS sites
On Fri, 6 Jun 2014, Philip Prindeville wrote:

> We're getting a lot of spam that contains URL's which look like (remove the ):
>
> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> http://ihnyc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831
> http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f
> http://ifspc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> http://niggu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> Some observations...
>
> The URL's should be fairly easy to filter against via a regex.  Anyone
> have some working rules they could share?

While URL with long string of gibberish is a reliable sign for tracking
it's not a reliable sign for spam. A lot of legitimate mailing lists and
newsletters and such have similar URLs.

> The other thing is, the URL is almost always hosted by solarvps.com, in
> the CIDR block 65.181.64.0/18.  Is there an easy way to do a domain
> lookup on the host portion of the URL and then filter it if it's in this
> subnet?

You could set up a local authoritative DNS zone for a DNSBL, put the IP
ranges into it, and add a URIDNSBL check rule pointing at your DNS server
as the DNSBL host, but I don't think there's a way to do it by putting a
netblock explicitly into a rule. That seems to me like a plausible
extension of the URIDNSBL plugin, but it would be a pain to maintain the
rules. Setting up a local DNSBL would be better in the long run, I think.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76  D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The more you believe you can create heaven on earth the more likely
  you are to set up guillotines in the public square to hasten the
  process.                                          -- James Lileks
-----------------------------------------------------------------------
 Today: the 70th anniversary of D-Day
Re: Can't keep up with spam from SolarVPS sites
On Fri, 2014-06-06 at 23:50 +0200, Axb wrote:
[...]
>> Anyone have some working rules they could share?
>
> Pls note that any rule shared via lists usually loses its teeth within
> a few hours .-)

Sorry, that's incorrect. The SA commits mailing list is not code only, but
includes rules/ and sandbox/ commits.

Moreover, even by a very long stretch of few hours, no regex or general
pattern based rule older than a year could possibly match today's spam.
That species exists, though.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Can't keep up with spam from SolarVPS sites
On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:

> If you have to post a spam sample, pls use pastebin and post the full msg

Here's a prototype: http://ur1.ca/hgxkx
Re: Can't keep up with spam from SolarVPS sites
On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:

> On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:
> > If you have to post a spam sample, pls use pastebin and post the full msg
>
> Here's a prototype: http://ur1.ca/hgxkx

That Return-Path really sticks out. It's basically the From: address with embedded To: address. Spaces added for convenience.

  CamelCasedPayload - user=recipient.net @ example.com

Depending on the number of individual recipient addresses, there are multiple approaches for rules possible. Matching a specific target address, including the whole domain, or even seriously complex rules also taking the From: header into account.

In either case, be careful to NOT simply match your address embedded like that, because that's close to how mailing-lists do it. Compare this message's Return-Path.

The following rule (beware, entirely untested) would match that pattern. A camel-cased string, hyphen, email address with equal sign substituted for @, followed by @ (and an arbitrary domain).

  header CAMEL_CASE Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/

You will of course have to substitute your address. If there are multiple valid user names, you could use something like /[a-z]+/ instead of an actual user name.
Re: Can't keep up with spam from SolarVPS sites
On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

> On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:
> > On Jun 6, 2014, at 3:50 PM, Axb <axb.li...@gmail.com> wrote:
> > > If you have to post a spam sample, pls use pastebin and post the full msg
> >
> > Here's a prototype: http://ur1.ca/hgxkx
>
> That Return-Path really sticks out. It's basically the From: address with embedded To: address.
>
> The following rule (beware, entirely untested) would match that pattern. A camel-cased string, hyphen, email address with equal sign substituted for @, followed by @ (and an arbitrary domain).
>
>   header CAMEL_CASE Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/
>
> You will of course have to substitute your address. If there are multiple valid user names, you could use something like /[a-z]+/ instead of an actual user name.

It would be possible to do a multiple-header rule with captures and backreferences to capture the camel-case, destination email and source domain parts and verify that the Return-Path+From+To header triplet matches this pattern.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
When I say I don't want the government to do X, do not automatically assume that means I don't want X to happen.
---
Today: the 70th anniversary of D-Day
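The two rule ideas above, Karsten's single-header match on the address part of Return-Path and John's cross-header check that the Return-Path, From and To pieces agree, worked through in Python as an added example (not code from the thread and not SpamAssassin's rule engine). The three messages are constructed samples, not the pastebin spam: one that fits the pattern, one mailing-list VERP bounce address that embeds the recipient but has no CamelCase payload (the false-positive case Karsten warns about), and one where the embedded recipient does not match To:. The domains spammer.example, example.net and lists.example.org are placeholders.

```python
"""Added example: the Return-Path rules from the thread, applied to samples.

Not code from the thread. camel_case_rule() mirrors the single 'header'
rule on the address part of Return-Path; triplet_rule() does the
Return-Path/From/To consistency check. All sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# CamelCase payload of 3+ words, hyphen, recipient with '=' standing in for '@',
# then '@' and the sender's domain. Named groups feed the cross-header check.
RETURN_PATH_RE = re.compile(
    r"^(?P<camel>(?:[A-Z][a-z]+){3,})-"
    r"(?P<user>[^=@\s]+)=(?P<rdomain>[^@\s]+)@(?P<sdomain>[^@\s]+)$"
)


def addr_of(msg, name):
    """Address part of a header, like SpamAssassin's ':addr' modifier."""
    return parseaddr(msg.get(name, ""))[1]


def camel_case_rule(msg, recipient_domain):
    """Single-header rule: Return-Path embeds an address at recipient_domain."""
    m = RETURN_PATH_RE.match(addr_of(msg, "Return-Path"))
    return bool(m) and m.group("rdomain").lower() == recipient_domain.lower()


def triplet_rule(msg):
    """Cross-header rule: captured pieces must rebuild From: and To: exactly."""
    m = RETURN_PATH_RE.match(addr_of(msg, "Return-Path"))
    if not m:
        return False
    expected_from = f"{m.group('camel')}@{m.group('sdomain')}"
    expected_to = f"{m.group('user')}@{m.group('rdomain')}"
    return (addr_of(msg, "From").lower() == expected_from.lower()
            and addr_of(msg, "To").lower() == expected_to.lower())


# Constructed sample shaped like the Return-Path described in the thread.
SPAM_SAMPLE = """Return-Path: <GreatDealsToday-bob=example.net@spammer.example>
From: Great Deals <GreatDealsToday@spammer.example>
To: bob@example.net
Subject: constructed sample

body
"""

# Constructed mailing-list VERP address: embeds the recipient the same way,
# but with no CamelCase payload, so neither rule should fire.
LIST_SAMPLE = """Return-Path: <users-return-1234-bob=example.net@lists.example.org>
From: Some Poster <poster@elsewhere.example>
To: users@lists.example.org
Subject: constructed sample

body
"""

# Constructed sample where the embedded recipient is not the To: address
# (e.g. a forwarded copy): the single-header rule fires, the triplet does not.
MISMATCH_SAMPLE = """Return-Path: <GreatDealsToday-bob=example.net@spammer.example>
From: Great Deals <GreatDealsToday@spammer.example>
To: alice@example.net
Subject: constructed sample

body
"""


def evaluate(raw, recipient_domain="example.net"):
    """Run both rules over one raw message and report which fired."""
    msg = message_from_string(raw)
    return {
        "CAMEL_CASE": camel_case_rule(msg, recipient_domain),
        "CAMEL_TRIPLET": triplet_rule(msg),
    }


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("list", LIST_SAMPLE),
                       ("mismatch", MISMATCH_SAMPLE)):
        print(label, evaluate(raw))
```

The triplet check is the stricter of the two and costs nothing extra once the regex has captured the pieces; the single-header rule is what you can express directly as one `header` line, which is why the thread leads with it.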
Re: Can't keep up with spam from SolarVPS sites
On Fri, 2014-06-06 at 19:02 -0700, John Hardin wrote:

> On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:
> > That Return-Path really sticks out. It's basically the From: address with embedded To: address.
>
> It would be possible to do a multiple-header rule with captures and backreferences to capture the camel-case, destination email and source domain parts and verify that the Return-Path+From+To header triplet matches this pattern.

I beat you by 2 minutes! ;)
Re: Can't keep up with spam from SolarVPS sites
On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

> On Fri, 2014-06-06 at 19:02 -0700, John Hardin wrote:
> > On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:
> > > That Return-Path really sticks out. It's basically the From: address with embedded To: address.
> >
> > It would be possible to do a multiple-header rule with captures and backreferences to capture the camel-case, destination email and source domain parts and verify that the Return-Path+From+To header triplet matches this pattern.
>
> I beat you by 2 minutes! ;)

:-P

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
We have to realize that people who run the government can and do change. Our society and laws must assume that bad people - criminals even - will run the government, at least part of the time. -- John Gilmore
---
Today: the 70th anniversary of D-Day
Re: Can't keep up with spam from SolarVPS sites
I'm having the exact opposite problem. I've created several new addresses that I'm hoping to get clogged up with spam so that I can have a fluid target to write rules against, but so far... nothing.

craig@dioxidized, where I posted a bunch of ads on craigslist with the address exposed, has not gotten anything in 48 hours. red@dioxidized, where the same thing was done on reddit, nothing. Posted a few addresses in pastebin in hopes that bots might find them.

So, does anyone have any idea how to get a freshly made email address to get clogged with spam in the shortest amount of time?

Many thanks! Oh, and just joining the list, glad to see that there's a community here!

Lucas

On 06/06/2014 05:32 PM, Philip Prindeville wrote:

> We're getting a lot of spam that contains URLs which look like (remove the ):
>
> http://mabsut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> http://ihnyc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> http://ieato.com/whos/be2aaf2163fd72c9975ec76b00288831
> http://cp.mk-kbcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f
> http://ifspc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> http://niggu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> Some observations...
>
> The URLs should be fairly easy to filter against via a regex. Anyone have some working rules they could share?
>
> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18. Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it's in this subnet?
>
> Thanks,
>
> -Philip
Re: Can't keep up with spam from SolarVPS sites
On Fri, 2014-06-06 at 22:34 -0400, lucas k wrote:

> I'm having the exact opposite problem. I've created several new addresses that I'm hoping to get clogged up with spam so that I can have a fluid target to write rules against, but so far... nothing.
>
> craig@dioxidized, where I posted a bunch of ads on craigslist with the address exposed, has not gotten anything in 48 hours.

48 hours. No, I wouldn't expect spam in that short a time frame. Spam (bot) networks need to pick up fresh addresses, distribute them, then eventually use them.

I am still getting spam with addresses out-of-business for years. Most spammers (especially botnet based) don't care for SMTP reject. Invalid addresses rarely phase out.

Adding new addresses might take time, too. First, they need to be discovered. (Who told you spammers are specifically harvesting craigslist?) Then, the new addresses need to be distributed for bots to actually use them.

I am *still* getting Mydoom virus infected messages. What does that tell you about blackhats and being up-to-date?

> So, does anyone have any idea how to get a freshly made email address to get clogged with spam in the shortest amount of time?

If the domain is not fresh and there are users getting spam, a catch-all address could help. You will even see spam to thisisjusttest@.

However, legitimate senders will NOT be informed, in case they mis-typed the recipient address. Even worse, that mail would end up in your catch-all bin. Use with care.

> Many thanks! Oh, and just joining the list, glad to see that there's a community here!

There is indeed. I recommend active lurking, lots of good advice, hints and education, even if not (yet) perceived as a personal issue.