Re: Lots of Polish spam

2015-02-27 Thread Bill Cole

On 25 Feb 2015, at 17:15, Yves Goergen wrote:


On 25.02.2015 at 20:42, Bill Cole wrote:

On 24 Feb 2015, at 17:06, Yves Goergen wrote:

I can't block all archives with executable files in them.


Then in all seriousness: why bother filtering email specifically for
malware?

Email is an inherently untrustworthy transport medium. Any sort of
executable received via email that is not cryptographically signed by a
trusted sender should be considered unsafe to run. If an executable is
signed by a trusted sender, it can just as easily be encrypted to
protect it from detection as an executable. If your users believe that
you are providing them a valuable service by allowing transport of
executables via email, they are mistaken. You are putting them at
unnecessary risk.


I fully understand you, but tell that end users.


I do.

Based on my employer's logs and support requests, the frequency of 
actual user problems with an absolute omnidirectional ban on readily 
identified executables attached to email is at least 3 orders of 
magnitude smaller than the frequency of that ban excluding malware in 
the past 14 months. It is quite likely that some of our users have 
adopted mechanisms of evading the blockage and informed their 
correspondents of those mechanisms, which is a relatively low-risk issue 
-- a problem not worth trying to solve.


They're already happy if they manage to get an e-mail with an attached 
file sent out. I've more than once thought about shutting down the FTP 
service due to repeated issues with it, requiring that users manage 
their files through SFTP. But FTP is still the most-used access 
protocol and the average webmaster(!) doesn't care or know about it 
all.


Yes, I understand that a solid 50% of the human race consists of people 
with below-median intelligence. That's always been necessary to take 
into account and it is a persuasive reason to avoid targeting a mass 
market of users. Put another way: a customer who demands FTP instead of 
SFTP for anything other than anonymous downloading is too dumb to be 
worth serving.



Your objection also applies to unencrypted HTTP downloads, BTW.


Yes and no. No one is sent dozens of unsolicited malicious executables 
daily via unencrypted HTTP, mixed in with a handful of legitimate and 
possibly important messages that they are expected to see and respond 
to. A user seeking out a piece of software and transporting it in an 
insecure fashion is potentially problematic, but it is ultimately a 
consensual problem that is mitigated by things like file encryption 
and/or simple hash fingerprints to assure that receivers get the files 
senders believe they are sending. Whether receivers are good judges of 
sender integrity is a tougher problem, not readily solved by technical 
measures.


Re: Lots of Polish spam

2015-02-25 Thread David Jones

From: Axb axb.li...@gmail.com
Sent: Wednesday, February 25, 2015 4:32 AM
To: users@spamassassin.apache.org
Subject: Re: Lots of Polish spam

On 02/25/2015 01:42 AM, Alex Regan wrote:
 Hi,


 On 02/24/2015 07:06 PM, Reindl Harald wrote:

 On 25.02.2015 at 00:56, Alex Regan wrote:
 Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
 ClamAV does not detect anything suspicious.

 I really thought clamav was much better. Can you recommend an antivirus
 other than Sophos that works well with Linux/Fedora?

 Sophos is a no-go with Fedora, apparently

 as explained repeatedly in this thread: ClamAV is a *framework* and works
 well if you load the right signatures

 even SpamAssassin *is just a framework* without Bayes, URIBL, DNSBL and
 shared hash deployments far away from useable as a ready solution

 if you build up a spamfilter you can't just use anything out of the box
 and think you are done without invest in configuration and additional
 signatures as well as *learning* from real mail flow

 Yes, I *am* already using the additional signatures from sanesecurity
 and others. I've started to notice the efficacy suffering over the past
 months as users have been complaining and comments on this list (I
 assumed those that were commenting were also using the third-party
 signatures).

 I'm also just looking for a secondary scanner in addition to clamav to
 run in parallel to see how it compares...


You may want to look into Cyren (was Commtouch) though it's NOT cheap.

http://www.cyren.com/tl_files/downloads/CYREN-AntiVirus-for-Email.pdf


also Dr. Web is surprisingly good for the price
https://www.drweb.com/?lng=en

I've also been using F-Prot for years and it catches quite a few corner
cases and for the price it's well worth it.

If anybody expects to get *cheap* multi-layer AV, forget it.

E-set Nod32 is working very well for us.  We licensed 8 mail filter boxes for
not a lot of money.  It's very fast too so we dropped our processing time
in half from our McAfee AV down to 4-5 seconds per MailScanner batch.

They quoted us pricing as a 5 user license per box:
http://www.eset.co.uk/Business/Mail-Security/Linux-BSD-Solaris

Blocking .exe in zips (was Re: Lots of Polish spam)

2015-02-25 Thread David F. Skoll
On Tue, 24 Feb 2015 23:06:02 +0100
Yves Goergen nospam.l...@unclassified.de wrote:

 If the mail server now blocks all .exe in .zip without
 actually scanning the contents, they're going to complain.

At some point, you need to be firm and take care of your users'
security.  We run a commercial filtering service and we
unconditionally block exe (and scr, etc.) files whether directly
attached or in an archive.  We don't give our customers any say in
the matter, though we do of course inform them of the policy up front.

So far, no major complaints.  The few who really need to send such files
rename them to .ex_ before zipping them up.  We have a fairly large
userbase (more than 140,000) so I think we would have heard lots of
complaints by now if people really couldn't live with the policy.

Regards,

David.
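The policy described above (block executables whether attached directly or inside an archive, and let the rare legitimate sender rename to .ex_ before zipping) fits in a few dozen lines. The following is an added example written for this page, not Skoll's, Dave Warren's or anyone else's production filter: the extension list, the two-level nesting limit and the decision to treat encrypted members and unreadable archives as blocked are choices made here, and the test message is constructed inline so the script runs offline.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions a Windows mail client runs on a double-click. This list is an
# assumption for the example; real deployments (Gmail's published list, a
# commercial filtering service) block more.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "msi"}
MAX_DEPTH = 2  # how many zip-inside-zip levels to open before giving up


def _ext(name):
    """Lower-cased final extension of a file name ('' if none), ignoring any path."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def blocked_members(data, depth=0):
    """Names inside a zip (recursing up to MAX_DEPTH) that the policy blocks.

    Anything the filter cannot look inside (encrypted member, corrupt archive,
    nesting deeper than MAX_DEPTH) is reported as blocked as well: an archive
    we cannot inspect gets no benefit of the doubt.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:            # general-purpose bit 0: member is encrypted
                hits.append(f"{name} <encrypted>")
            elif _ext(name) == "zip":
                if depth + 1 >= MAX_DEPTH:
                    hits.append(f"{name} <nested too deep>")
                else:
                    hits += [f"{name}/{m}" for m in blocked_members(zf.read(info), depth + 1)]
            elif _ext(name) in BLOCKED_EXT:
                hits.append(name)
    return hits


def scan_message(raw):
    """Return [(attachment name, reason)] for every part the policy would block."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = _ext(name)
        if ext in BLOCKED_EXT:
            findings.append((name, "executable attachment"))
        elif ext == "zip":
            for member in blocked_members(part.get_payload(decode=True)):
                findings.append((name, f"archive contains {member}"))
    return findings


# --- constructed sample message (made up for this example) -----------------

def _zip_bytes(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """A made-up message whose four attachments cover the cases above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Faktura"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(_zip_bytes({"photo_JPG.exe": b"MZ..."}),
                       maintype="application", subtype="zip", filename="photos_JPG.zip")
    msg.add_attachment(_zip_bytes({"tool.ex_": b"MZ..."}),          # the .ex_ convention passes
                       maintype="application", subtype="zip", filename="tool.zip")
    msg.add_attachment(_zip_bytes({"inner.zip": _zip_bytes({"dropper.scr": b"MZ..."})}),
                       maintype="application", subtype="zip", filename="outer.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

Run stand-alone it reports photos_JPG.zip (contains photo_JPG.exe) and outer.zip (contains inner.zip/dropper.scr); invoice.pdf and the renamed tool.ex_ pass. Wiring this into a real MTA is left out: in a milter or content filter the findings would turn into a reject with a bounce text that points the sender at the rename convention or a file-sharing service.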





Re: Lots of Polish spam

2015-02-25 Thread @lbutlr
On Feb 24, 2015, at 3:49 PM, Axb axb.li...@gmail.com wrote:
 On 02/24/2015 11:39 PM, LuKreme wrote:
 On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote:
 *.pdf.zip is a dangerous one to block on sight - FP risk is huge
 
 Really? I've never seen a .pdf.zip that was legitimate.
 
 
 KDE: right click on a blah.pdf compress as Zip Archive and bang: 
 blah.pdf.zip
 
 I can imagine other Linux Desktops doing the same. Dunno about Windows or 
 Apple

That would be blah.zip on Windows and OS X, at least by default.

I am not saying it is not possible to have a pdf.zip valid file, i am simply 
saying I have never seen one.

I saw a virus load:

name=Secure E-mail Quick Reference Guide - External Users-pdf.zip

But that only matched because I searched for .pdf.zip instead of \.pdf\.zip

YMMV.

-- 
Why can't you be in a good mood? How hard is it to decide to be in a
good mood and be in a good mood once in a while?



Re: Lots of Polish spam

2015-02-25 Thread Bill Cole

On 24 Feb 2015, at 17:06, Yves Goergen wrote:


I can't block all archives with executable files in them.


Then in all seriousness: why bother filtering email specifically for 
malware?


Email is an inherently untrustworthy transport medium. Any sort of 
executable received via email that is not cryptographically signed by a 
trusted sender should be considered unsafe to run. If an executable is 
signed by a trusted sender, it can just as easily be encrypted to 
protect it from detection as an executable. If your users believe that 
you are providing them a valuable service by allowing transport of 
executables via email, they are mistaken. You are putting them at 
unnecessary risk.


Re: Blocking .exe in zips (was Re: Lots of Polish spam)

2015-02-25 Thread Dave Warren

On 2015-02-25 12:18, David F. Skoll wrote:

On Tue, 24 Feb 2015 23:06:02 +0100
Yves Goergen nospam.l...@unclassified.de wrote:


If the mail server now blocks all .exe in .zip without
actually scanning the contents, they're going to complain.

...

So far, no major complaints.  The few who really need to send such files
rename them to .ex_ before zipping them up.  We have a fairly large
userbase (more than 140,000) so I think we would have heard lots of
complaints by now if people really couldn't live with the policy.


Seconded. I run a small hosting company with email for hundreds of 
clients, I've had a grand total of 0 complaints about blocking EXE, SCR, 
COM and similar types. We maybe get one inquiry per year about it, but 
no one has ever had a problem with .ex_ solutions, and they generally 
understand and appreciate the approach.


It scales up to large installations as well, Google blocks executable 
files (even if zipped) too, and they seem to be doing alright in the 
email world: https://support.google.com/mail/answer/6590?hl=en


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Lots of Polish spam

2015-02-25 Thread Dave Warren

On 2015-02-25 11:42, Bill Cole wrote:

On 24 Feb 2015, at 17:06, Yves Goergen wrote:


I can't block all archives with executable files in them.


Then in all seriousness: why bother filtering email specifically for 
malware?


I second this. Either go all the way, or don't do it, it's worse to 
leave users with a false sense of security. A mentality of The virus 
scanner says it's safe, so it won't do any harm is exceedingly dangerous.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Lots of Polish spam

2015-02-25 Thread Yves Goergen

On 25.02.2015 at 20:42, Bill Cole wrote:

On 24 Feb 2015, at 17:06, Yves Goergen wrote:

I can't block all archives with executable files in them.


Then in all seriousness: why bother filtering email specifically for
malware?

Email is an inherently untrustworthy transport medium. Any sort of
executable received via email that is not cryptographically signed by a
trusted sender should be considered unsafe to run. If an executable is
signed by a trusted sender, it can just as easily be encrypted to
protect it from detection as an executable. If your users believe that
you are providing them a valuable service by allowing transport of
executables via email, they are mistaken. You are putting them at
unnecessary risk.


I fully understand you, but tell that end users. They're already happy 
if they manage to get an e-mail with an attached file sent out. I've 
more than once thought about shutting down the FTP service due to 
repeated issues with it, requiring that users manage their files through 
SFTP. But FTP is still the most-used access protocol and the average 
webmaster(!) doesn't care or know about it all.


Your objection also applies to unencrypted HTTP downloads, BTW.

--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-25 Thread Yves Goergen

On 25.02.2015 at 23:04, Dave Warren wrote:

I second this. Either go all the way, or don't do it, it's worse to
leave users with a false sense of security. A mentality of The virus
scanner says it's safe, so it won't do any harm is exceedingly dangerous.


The virus scanner doesn't say anything at all. It is just an additional 
effort to keep unwanted e-mails away, just like the spam filter. Nobody 
claimed that there is any guarantee associated with it, not even for 
false rejects. Considering what still passes the filters this should 
quickly become obvious.


--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-25 Thread Reindl Harald


On 25.02.2015 at 23:15, Yves Goergen wrote:

On 25.02.2015 at 20:42, Bill Cole wrote:

On 24 Feb 2015, at 17:06, Yves Goergen wrote:

I can't block all archives with executable files in them.


Then in all seriousness: why bother filtering email specifically for
malware?

Email is an inherently untrustworthy transport medium. Any sort of
executable received via email that is not cryptographically signed by a
trusted sender should be considered unsafe to run. If an executable is
signed by a trusted sender, it can just as easily be encrypted to
protect it from detection as an executable. If your users believe that
you are providing them a valuable service by allowing transport of
executables via email, they are mistaken. You are putting them at
unnecessary risk.


I fully understand you, but tell that end users


do it


They're already happy
if they manage to get an e-mail with an attached file sent out.


we have disallowed any executable for many years now

no problem, the ordinary end user doesn't get the idea to send .exe files


I've
more than once thought about shutting down the FTP service due to
repeated issues with it, requiring that users manage their files through
SFTP. But FTP is still the most-used access protocol and the average
webmaster(!) doesn't care or know about it all.


completely different topic


Your objection also applies to unencrypted HTTP downloads, BTW


completely different topic

your webserver doesn't push random binaries to you unasked
your mailserver does, controlled by foreigners, if you allow it





Re: Blocking .exe in zips (was Re: Lots of Polish spam)

2015-02-25 Thread Yves Goergen

On 25.02.2015 at 23:04, Dave Warren wrote:

On 2015-02-25 12:18, David F. Skoll wrote:

So far, no major complaints.  The few who really need to send such files
rename them to .ex_ before zipping them up.  We have a fairly large
userbase (more than 140,000) so I think we would have heard lots of
complaints by now if people really couldn't live with the policy.


Seconded. I run a small hosting company with email for hundreds of
clients, I've had a grand total of 0 complaints about blocking EXE, SCR,
COM and similar types. We maybe get one inquiry per year about it, but
no one has ever had a problem with .ex_ solutions, and they generally
understand and appreciate the approach.

It scales up to large installations as well, Google blocks executable
files (even if zipped) too, and they seem to be doing alright in the
email world: https://support.google.com/mail/answer/6590?hl=en


That's an interesting point, I wouldn't have thought it could work. I 
was thinking about installing a private file sharing website for our 
users already (ad-free and with authentication only), so that could go 
together well with an announcement that executable files would no longer 
be allowed in e-mails.


--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-25 Thread Reindl Harald


On 25.02.2015 at 23:23, Yves Goergen wrote:

On 25.02.2015 at 23:04, Dave Warren wrote:

I second this. Either go all the way, or don't do it, it's worse to
leave users with a false sense of security. A mentality of The virus
scanner says it's safe, so it won't do any harm is exceedingly
dangerous.


The virus scanner doesn't say anything at all


that's not the point

if you tell a user "we scan for malware" he feels more secure compared to 
saying "it's your own risk what you open or not", and since anybody with 
technical understanding knows that *no virus scanner at all* will have 
fast enough signatures to block recent malware, just don't allow 
attachments which can be executed by a click in the mail client






RE: Blocking .exe in zips (was Re: Lots of Polish spam)

2015-02-25 Thread Kevin Miller
That's what I did.  I went with Zendto also as David Jones recommended.  It 
works great, and solves both the restricted file issue as well as an email size 
problem.  It's not unusual for users to attach half a dozen photos to a message 
these days and never realize they're 8-10 MB each...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 


 -Original Message-
 From: Yves Goergen [mailto:nospam.l...@unclassified.de]
 Sent: Wednesday, February 25, 2015 1:28 PM
 To: Dave Warren; users@spamassassin.apache.org
 Subject: Re: Blocking .exe in zips (was Re: Lots of Polish spam)
 
  On 25.02.2015 at 23:04, Dave Warren wrote:
  On 2015-02-25 12:18, David F. Skoll wrote:
  So far, no major complaints.  The few who really need to send such
  files rename them to .ex_ before zipping them up.  We have a fairly
  large userbase (more than 140,000) so I think we would have heard
  lots of complaints by now if people really couldn't live with the
 policy.
 
  Seconded. I run a small hosting company with email for hundreds of
  clients, I've had a grand total of 0 complaints about blocking EXE,
  SCR, COM and similar types. We maybe get one inquiry per year about
  it, but no one has ever had a problem with .ex_ solutions, and they
  generally understand and appreciate the approach.
 
  It scales up to large installations as well, Google blocks executable
  files (even if zipped) too, and they seem to be doing alright in the
  email world: https://support.google.com/mail/answer/6590?hl=en
 
 That's an interesting point, I wouldn't have thought it could work. I
 was thinking about installing a private file sharing website for our
 users already (ad-free and with authentication only), so that could go
 together well with an announcement that executable files would no longer
 be allowed in e-mails.
 
 --
 Yves Goergen
 http://unclassified.software


Re: Lots of Polish spam

2015-02-25 Thread David Jones

From: Yves Goergen nospam.l...@unclassified.de
Sent: Wednesday, February 25, 2015 4:15 PM
To: users@spamassassin.apache.org
Subject: Re: Lots of Polish spam

On 25.02.2015 at 20:42, Bill Cole wrote:
 On 24 Feb 2015, at 17:06, Yves Goergen wrote:
 I can't block all archives with executable files in them.

 Then in all seriousness: why bother filtering email specifically for
 malware?

 Email is an inherently untrustworthy transport medium. Any sort of
 executable received via email that is not cryptographically signed by a
 trusted sender should be considered unsafe to run. If an executable is
 signed by a trusted sender, it can just as easily be encrypted to
 protect it from detection as an executable. If your users believe that
 you are providing them a valuable service by allowing transport of
 executables via email, they are mistaken. You are putting them at
 unnecessary risk.

I fully understand you, but tell that end users. They're already happy
if they manage to get an e-mail with an attached file sent out. I've
more than once thought about shutting down the FTP service due to
repeated issues with it, requiring that users manage their files through
SFTP. But FTP is still the most-used access protocol and the average
webmaster(!) doesn't care or know about it all.

Your objection also applies to unencrypted HTTP downloads, BTW.

Check out http://zendto.com

Setup a bounce message that points your internal users to use Zendto
when it blocks a file by type or size.

Re: Lots of Polish spam

2015-02-25 Thread Dave Warren

On 2015-02-25 14:23, Yves Goergen wrote:

On 25.02.2015 at 23:04, Dave Warren wrote:

I second this. Either go all the way, or don't do it, it's worse to
leave users with a false sense of security. A mentality of The virus
scanner says it's safe, so it won't do any harm is exceedingly 
dangerous.


The virus scanner doesn't say anything at all. It is just an 
additional effort to keep unwanted e-mails away, just like the spam 
filter. Nobody claimed that there is any guarantee associated with it, 
not even for false rejects. Considering what still passes the filters 
this should quickly become obvious.




You're thinking like a techie. Don't do that. When an end user becomes 
aware that there is a malware filter or antivirus, they will assume it 
works, and since malware and viruses are filtered, that which is not 
filtered must be safe.


Users are stupid; this is why we're employed. Understand them, and build 
systems that set appropriate expectations and encourage the correct 
behaviour. If you're handing people a dangerous weapon, don't tell them 
all the reasons it's safe, tell them all the reasons it's dangerous even 
if there are a few safeguards.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Lots of Polish spam

2015-02-25 Thread Axb

On 02/25/2015 01:42 AM, Alex Regan wrote:

Hi,


On 02/24/2015 07:06 PM, Reindl Harald wrote:


On 25.02.2015 at 00:56, Alex Regan wrote:

Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.


I really thought clamav was much better. Can you recommend an antivirus
other than Sophos that works well with Linux/Fedora?

Sophos is a no-go with Fedora, apparently


as explained repeatedly in this thread: ClamAV is a *framework* and works
well if you load the right signatures

even SpamAssassin *is just a framework* without Bayes, URIBL, DNSBL and
shared hash deployments far away from useable as a ready solution

if you build up a spamfilter you can't just use anything out of the box
and think you are done without invest in configuration and additional
signatures as well as *learning* from real mail flow


Yes, I *am* already using the additional signatures from sanesecurity
and others. I've started to notice the efficacy suffering over the past
months as users have been complaining and comments on this list (I
assumed those that were commenting were also using the third-party
signatures).

I'm also just looking for a secondary scanner in addition to clamav to
run in parallel to see how it compares...



You may want to look into Cyren (was Commtouch) though it's NOT cheap.

http://www.cyren.com/tl_files/downloads/CYREN-AntiVirus-for-Email.pdf


also Dr. Web is surprisingly good for the price
https://www.drweb.com/?lng=en

I've also been using F-Prot for years and it catches quite a few corner 
cases and for the price it's well worth it.


If anybody expects to get *cheap* multi-layer AV, forget it.



Re: Lots of Polish spam

2015-02-24 Thread Marcin Mirosław
On 2015-02-24 at 19:22, Yves Goergen wrote:
 On 24.02.2015 at 19:00, Jeremy McSpadden wrote:
 You're better off to implement RBL at SMTP time, not SA. IMO
 Which MTA are you using ?
 
 Exim. But why should I do that? See my other message in this thread.
 RBLs make mistakes. But then, only one of them makes the mistake, not all.
 
 Are RBLs the only measure to fight spam today? How do these lists learn
 spam quickly if there is no other way to detect it?
 
 I'm not sure whether RBLs help here. These are some of the reports of
 recent messages:


I'm guessing that you are getting botnet spam. I'm getting thousands of
it per day since a couple weeks.
http://pastebin.com/6zLjMtM8




Re: Lots of Polish spam

2015-02-24 Thread Axb

On 02/24/2015 09:28 PM, Yves Goergen wrote:

On 24.02.2015 at 19:56, Axb wrote:

- Please post missed spam samples in pastebin.com - do not post samples
to mailing lists


It's too many to process them individually in pastebin. Here's an
archive with ~60 messages in files:

https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view

ZIP password: spam
(Google thinks there's a virus in it so I needed to encrypt it.)


didn't need a password to extract but... whatever format those .eml are 
in, none of the text editors was able to handle them so that didn't help.



- What plugins are you using?
(pls specify: Razor, Pyzor, DCC, etc)


none of those are installed by default so you may want to look into them.

Razor/Pyzor/DCC will make a huge difference.


Didn't change whatever comes as a standard.


- Are you handling mail for a company, personal email, ISP, one domain,
many domains, etc?


It's the mail server for a small web hosting service with multiple
domains and users. I don't know whether any of them wishes to receive
Polish messages.



I'd definitely suggest you enable the Spamhaus and SURBL rules.
I know German/Austrian/Swiss mail admins seem to have a problem with 
Spamhaus and prefer to trust the manitu RBL, yet, for my traffic, it would 
be riddled with FPs while Spamhaus has been superb for the last 14 years.
Potential FPs have always been fixed VERY fast and the hit rate can't be 
beat... but then whatever works...


Last but not least, get your Bayes setup running and it will give you 
the extra edge.


h2h

Axb


Re: Lots of Polish spam

2015-02-24 Thread Axb

On 02/24/2015 10:32 PM, Kris Deugau wrote:

Yves Goergen wrote:

Hello,

for a few months I'm getting lots of Polish spam to one of my e-mail
addresses, sometimes a dozen per day. I have no idea what it's telling
me, I don't understand a single word. I just recognise characteristic
characters to know the language. Some messages have a .pl domain as
sender address, others not. The sending hosts have all kinds of TLDs.
Most messages have only a very short or empty body (a few words at
maximum). Almost all messages contain a .zip attachment, often named
like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
by clamav, but I haven't looked into any of these archives yet.


These are almost certainly viruses.  Upload one or two of the .zip files
to virustotal.com to check against a long list of AV scanners.

Any Windows executable that I find in a .zip file attached to a random
message I automatically consider very suspect at best.  I don't waste
time trying to find out what the executable actually does, I just add a
basic hash signature to ClamAV and move on.  I've nearly given up on
reporting these upstream to the ClamAV maintainers as well;  I've got
samples closing on two years old that still aren't flagged by stock
signatures.  :/



ClamAV has become a framework... and atm, you can open a bottle of 
bubbly if the official sigs actually detect anything.


Take a look at the Sanesecurity's FoxHole sigs

http://sanesecurity.com/foxhole-databases/

foxhole_generic.cdb
foxhole_filename.cdb

have been very reliable, in all ways.

Axb


Re: Lots of Polish spam

2015-02-24 Thread Kris Deugau
Yves Goergen wrote:
 Hello,
 
 for a few months I'm getting lots of Polish spam to one of my e-mail
 addresses, sometimes a dozen per day. I have no idea what it's telling
 me, I don't understand a single word. I just recognise characteristic
 characters to know the language. Some messages have a .pl domain as
 sender address, others not. The sending hosts have all kinds of TLDs.
 Most messages have only a very short or empty body (a few words at
 maximum). Almost all messages contain a .zip attachment, often named
 like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
 by clamav, but I haven't looked into any of these archives yet.

These are almost certainly viruses.  Upload one or two of the .zip files
to virustotal.com to check against a long list of AV scanners.

Any Windows executable that I find in a .zip file attached to a random
message I automatically consider very suspect at best.  I don't waste
time trying to find out what the executable actually does, I just add a
basic hash signature to ClamAV and move on.  I've nearly given up on
reporting these upstream to the ClamAV maintainers as well;  I've got
samples closing on two years old that still aren't flagged by stock
signatures.  :/

-kgd


Re: Lots of Polish spam

2015-02-24 Thread Yves Goergen

On 24.02.2015 at 19:56, Axb wrote:

- Please post missed spam samples in pastebin.com - do not post samples
to mailing lists


It's too many to process them individually in pastebin. Here's an 
archive with ~60 messages in files:


https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view

ZIP password: spam
(Google thinks there's a virus in it so I needed to encrypt it.)


- What SA version are you using? and on what operating system?


3.4.0 on Ubuntu 14.04


- How are you using SA?
(pls specify: amavis, MIMEDefang, a milter, Mailscanner, procmail,
Fuglu, etc, etc)


Configured as scanner from Exim 4.82


- Are you using SA in a PC/notebook? or on a server?


On a public web/mail server


- What plugins are you using?
(pls specify: Razor, Pyzor, DCC, etc)


Didn't change whatever comes as a standard.


- Are you handling mail for a company, personal email, ISP, one domain,
many domains, etc?


It's the mail server for a small web hosting service with multiple 
domains and users. I don't know whether any of them wishes to receive 
Polish messages.


--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-24 Thread Alex Regan

Hi,


for a few months I'm getting lots of Polish spam to one of my e-mail
addresses, sometimes a dozen per day. I have no idea what it's telling
me, I don't understand a single word. I just recognise characteristic
characters to know the language. Some messages have a .pl domain as
sender address, others not. The sending hosts have all kinds of TLDs.
Most messages have only a very short or empty body (a few words at
maximum). Almost all messages contain a .zip attachment, often named
like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
by clamav, but I haven't looked into any of these archives yet.


I have a number of mime_header_checks rules that reject unwanted file 
types. This can also be done with amavisd.


Does anyone know/think it would be a good idea to add .pdf.zip to the 
mime types reject list? Has anyone seen a real example that wasn't a virus?



SpamAssassin doesn't seem to be too successful in filtering them out. I
set up that mailbox to reject anything beyond 10 points. Almost all
messages stay under that limit. Only occasionally, a few messages are
rejected with scores up to around 15. (Other regular spam can easily
reach scores in the 50s.)


What about ok_locales or ok_languages ? Is that reliable?

Thanks,
Alex
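Alex's question (add .pdf.zip to a mime_header_checks-style reject list?) and @lbutlr's observation earlier on this page (a search for .pdf.zip also hit "...External Users-pdf.zip" because the dots were not escaped) are the same rule seen from two sides. The following is an added example, not code from the thread, from Postfix or from amavisd: it runs the loose, the strict and a broader suffix pattern over a few constructed names plus the one malware attachment name @lbutlr quoted, and pulls the declared name out of a raw header value the way a header-level check sees it. The SUFFIX_RULE pattern, the declared_name() helper and the name list are this example's own choices.

```python
import re

# Constructed attachment names. The last one is the malware attachment name
# quoted by @lbutlr earlier on this page; the others are invented here.
NAMES = [
    "blah.pdf.zip",
    "report.pdf",
    "scan_JPG.zip",
    "Secure E-mail Quick Reference Guide - External Users-pdf.zip",
]

# Unescaped dots: '.' matches any character, so "-pdf.zip" matches as well.
LOOSE = re.compile(r".pdf.zip$", re.IGNORECASE)

# Escaped dots: only a literal ".pdf.zip" suffix matches.
STRICT = re.compile(r"\.pdf\.zip$", re.IGNORECASE)

# A broader rule for the naming in the original report (*_JPG.zip, *.pdf.zip):
# a document/image extension joined by '.' or '_' and directly followed by
# .zip, anchored at the end so "notes.pdf.zip.txt" is not caught. This is the
# example's own pattern; it also hits a legitimate KDE-style "file.pdf.zip",
# which is exactly the false-positive risk discussed in the thread.
SUFFIX_RULE = re.compile(r"[._](pdf|docx?|xlsx?|jpe?g|png)\.zip$", re.IGNORECASE)

# The filename= / name= parameter of a raw Content-Disposition or Content-Type
# header value, i.e. the text a header check (Postfix pcre table, SA header
# rule) matches against. Quoted and unquoted parameter values are both handled;
# RFC 2231 encoded names are not, deliberately kept out of scope here.
FILENAME_PARAM = re.compile(r'(?:file)?name\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def declared_name(header_value):
    """Return the attachment name declared in a MIME header value, or None."""
    m = FILENAME_PARAM.search(header_value)
    return m.group(1).strip() if m else None


def matches(pattern, names):
    """Names from `names` that the compiled pattern hits, in input order."""
    return [n for n in names if pattern.search(n)]


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE), ("strict", STRICT), ("suffix", SUFFIX_RULE)):
        print(f"{label:7}: {matches(pat, NAMES)}")
    print(declared_name('attachment; filename="blah.pdf.zip"'))
```

The same escaping rule applies wherever the pattern ends up: a Postfix header_checks pcre table, an amavisd banned-name regex or a SpamAssassin header rule all treat an unescaped dot as "any character", so a rule written as .pdf.zip is looser than the author probably intended.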


Re: Lots of Polish spam

2015-02-24 Thread John Hardin

On Tue, 24 Feb 2015, Yves Goergen wrote:

for a few months I'm getting lots of Polish spam to one of my e-mail 
addresses, sometimes a dozen per day. I have no idea what it's telling me, I 
don't understand a single word.


SpamAssassin doesn't seem to be too successful in filtering them out.

Does anybody have an idea how to stop that? Are there special rule sets for 
that?


If you don't have any users who speak Polish, then Bayes would do a good 
job catching them.


I get a lot of spam in Chinese, Portuguese and Spanish and it all scores 
BAYES_999.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 An operating system design that requires a system reboot in order to
 install a document viewing utility does not earn my respect.
---
 10 days until Dawn reaches Ceres


Re: Lots of Polish spam

2015-02-24 Thread Axb

On 02/24/2015 06:35 PM, Yves Goergen wrote:

Hello,

for a few months I'm getting lots of Polish spam to one of my e-mail
addresses, sometimes a dozen per day. I have no idea what it's telling
me, I don't understand a single word. I just recognise characteristic
characters to know the language. Some messages have a .pl domain as
sender address, others not. The sending hosts have all kinds of TLDs.
Most messages have only a very short or empty body (a few words at
maximum). Almost all messages contain a .zip attachment, often named
like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
by clamav, but I haven't looked into any of these archives yet.

SpamAssassin doesn't seem to be too successful in filtering them out. I
set up that mailbox to reject anything beyond 10 points. Almost all
messages stay under that limit. Only occasionally, a few messages are
rejected with scores up to around 15. (Other regular spam can easily
reach scores in the 50s.)

Does anybody have an idea how to stop that? Are there special rule sets
for that?

I could provide samples of those messages if somebody is interested in
it. These messages include my SpamAssassin headers so the matching rules
can be seen. Unfortunately I'm not an SA wizard so I can't make new
rules for such things.



Could you please tell us more about your setup so we get a better picture...

- Please post missed spam samples in pastebin.com - do not post samples 
to mailing lists


- What SA version are you using? and on what operating system?

- How are you using SA?
(pls specify: amavis, MIMEDefang, a milter, Mailscanner, procmail, 
Fuglu, etc, etc)


- Are you using SA on a PC/notebook or on a server?
- What plugins are you using?
(pls specify: Razor, Pyzor, DCC, etc)

- Are you handling mail for a company, personal email, ISP, one domain, 
many domains, etc?


thx

PS: Template extracted from: 
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/emailed/sa-list-template.txt?view=co




Lots of Polish spam

2015-02-24 Thread Yves Goergen

Hello,

For a few months I've been getting lots of Polish spam to one of my e-mail 
addresses, sometimes a dozen per day. I have no idea what it's telling 
me, I don't understand a single word. I just recognise characteristic 
characters to know the language. Some messages have a .pl domain as 
sender address, others not. The sending hosts have all kinds of TLDs. 
Most messages have only a very short or empty body (a few words at 
maximum). Almost all messages contain a .zip attachment, often named 
like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught 
by clamav, but I haven't looked into any of these archives yet.


SpamAssassin doesn't seem to be too successful in filtering them out. I 
set up that mailbox to reject anything beyond 10 points. Almost all 
messages stay under that limit. Only occasionally, a few messages are 
rejected with scores up to around 15. (Other regular spam can easily 
reach scores in the 50s.)


Does anybody have an idea how to stop that? Are there special rule sets 
for that?


I could provide samples of those messages if somebody is interested in 
it. These messages include my SpamAssassin headers so the matching rules 
can be seen. Unfortunately I'm not an SA wizard so I can't make new 
rules for such things.


--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-24 Thread Jeremy McSpadden
Usually scores are 6 low 10 high. Are you running any RBLs?

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net/ | Endless Solutions
Office : 850-250-5590 x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Feb 24, 2015, at 11:35 AM, Yves Goergen <nospam.l...@unclassified.de> wrote:

Hello,

For a few months I've been getting lots of Polish spam to one of my e-mail addresses, 
sometimes a dozen per day. I have no idea what it's telling me, I don't 
understand a single word. I just recognise characteristic characters to know 
the language. Some messages have a .pl domain as sender address, others not. 
The sending hosts have all kinds of TLDs. Most messages have only a very short 
or empty body (a few words at maximum). Almost all messages contain a .zip 
attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain 
malware caught by clamav, but I haven't looked into any of these archives yet.

SpamAssassin doesn't seem to be too successful in filtering them out. I set up 
that mailbox to reject anything beyond 10 points. Almost all messages stay 
under that limit. Only occasionally, a few messages are rejected with scores up 
to around 15. (Other regular spam can easily reach scores in the 50s.)

Does anybody have an idea how to stop that? Are there special rule sets for 
that?

I could provide samples of those messages if somebody is interested in it. 
These messages include my SpamAssassin headers so the matching rules can be 
seen. Unfortunately I'm not an SA wizard so I can't make new rules for such 
things.

--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-24 Thread Yves Goergen

Am 24.02.2015 um 18:39 schrieb Jeremy McSpadden:

Usually scores are 6 low 10 high. Are you running any RBLs?


I have the default settings plus the attached custom configuration. 
There are several RBLs among them.


--
Yves Goergen
http://unclassified.software
#   BAYES  

#auto_whitelist_path /var/spool/spamd/auto-whitelist
bayes_path /var/spool/spamd/bayes
lock_method flock
# required_score 5.0
use_bayes 0
# bayes_auto_learn 1
bayes_ignore_header X-Spam-Score
bayes_ignore_header X-Spam-dotforward-Info
bayes_ignore_header X-Spam-Report

# Temporarily disabled
#bayes_auto_learn_threshold_spam 8.0   # default: 12.0

score BAYES_00 (1.5)
score BAYES_05 (0.3)
score BAYES_20 (0)
score BAYES_40 (0)
score BAYES_50 (0)
score BAYES_60 (0.2)
score BAYES_80 (0.5)
score BAYES_95 (0.8)
score BAYES_99 (1.0)

clear_report_template
report Content analysis details:
report _SUMMARY_

#   WHITELIST / BLACKLIST  

blacklist_from i...@info.globc-data.info
blacklist_from i...@de.globc-data.info
blacklist_from i...@i.glbdata.info
blacklist_from i...@de.glbdata.info
blacklist_from i...@i.dbc-data.info
blacklist_from i...@i.gc-dbadressen.info
blacklist_from tlakulamessa...@mail2southafrica.com

blacklist_from john@*initrust*

blacklist_from richard*@sehrwichtig.com

# Emirates does not honour the opt-out from advertising and is therefore
# blocked completely. 2010-04-15 YG
blacklist_from emirateshighstreet@e.emirates.travel

# Real estate advertising, 2011-06-16 YG
blacklist_from i...@timepost02b.com

# eBay forgery, 2011-06-22 YG
blacklist_from mem...@ehay.com

# PayPal forgery, 2011-07-02 YG
blacklist_from info...@paiypal.com

# Newsletter unsubscribe does not work, it only brings more spam, 2013-04-22 YG
blacklist_from *@lists.techtarget.com

#   DNS-BLACKLISTS  

# rfc-ignorant is useless for the real world, it doesn't catch spam but
# everything else!
score DNS_FROM_RFC_ABUSE 0
score DNS_FROM_RFC_POST 0
score DNS_FROM_RFC_WHOIS 0

# Increase score for DNS list rules
score URIBL_BLACK (4)
score RCVD_IN_BL_SPAMCOP_NET (2.5)
#score RCVD_IN_SORBS_WEB (2)
#score RCVD_IN_WHOIS_BOGONS (1)
#score RCVD_IN_SORBS_DUL (2)
score DNS_FROM_RFC_ABUSE (1)

# Temporary trouble with false positives from those rules:
#score URIBL_RED 0
#score URIBL_GREY 0
#score URIBL_BLACK 0

# SURBL policy change as of 2008-11-10
score URIBL_AB_SURBL 0
score URIBL_JP_SURBL 0
score URIBL_OB_SURBL 0
score URIBL_PH_SURBL 0
score URIBL_SC_SURBL 0
score URIBL_WS_SURBL 0

# YG 2014-12-26 Spamhaus disabled
score RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0

# 2015-01-12 NiX-Spam DNSBL ix.dnsbl.manitu.net added
# Instructions: http://www.heise.de/ix/foren/S-nixspam-dnsbl-in-spamassassin/forum-48292/msg-6404906/read/
header NIX_SPAM eval:check_rbl('nix-spam','ix.dnsbl.manitu.net')
describe NIX_SPAM Listed in NIX_SPAM DNSBL (thanks to heise.de)
tflags NIX_SPAM net
score NIX_SPAM 3.0

#   SCORE ADJUSTMENTS  

score FORGED_HOTMAIL_RCVD 0.0

score DEAR_FRIEND (2)

score DRUGS_ERECTILE (2)

# Looks like spam
score RCVD_IN_DNSWL_LOW 0

# Enable bounce checks by adding this line:
whitelist_bounce_relays dotforward.de
score ANY_BOUNCE_MESSAGE 7

# YG 2011-07-06 (+1), 2015-01-12 (+0.5)
score LOTS_OF_MONEY (1.5)

# YG 2014-03-09
score KHOP_BIG_TO_CC 1

#   MY PATTERNS  

# Watch-selling spam ("Uhren kaufen")
uri YG_URI_UHREN /redir\.ec\/[a-z]+/i
score YG_URI_UHREN 5

# GlobData spam
uri YG_URI_GLOBDATA /www\.(gl(ob)?-?(adressen|data)|(db(firmen)?|pr-)adressen|db-?glob(al)?|(bc|pr?o?|info)-aziende)\.(com|net|info)(\/.*)?/i
score YG_URI_GLOBDATA 5

body __YG_GLOBDATA_01 /Adressen/
body __YG_GLOBDATA_02 /Adresskataloge/
body __YG_GLOBDATA_03 /Bewerbens/
body __YG_GLOBDATA_04 /Branche/
body __YG_GLOBDATA_05 /Datenbanken/
body __YG_GLOBDATA_06 /Datenbasis/
body __YG_GLOBDATA_07 /deutsche[nr]? Firmen/
body __YG_GLOBDATA_08 /Dienstleistungen/
body __YG_GLOBDATA_09 /Firma/
body __YG_GLOBDATA_10 /Firmen/
body __YG_GLOBDATA_11 /Firmenangaben/
body __YG_GLOBDATA_12 /gewinnen/
body __YG_GLOBDATA_13 /Glob[ -]*Contact/
body __YG_GLOBDATA_14 /Global[ -]*Contact/
body __YG_GLOBDATA_15 /GC[ -]*GROUP/
body __YG_GLOBDATA_16 /Kampagnen/
body __YG_GLOBDATA_17 /kostenlose/
body __YG_GLOBDATA_18 /personalisierte/
body __YG_GLOBDATA_19 /Postanschrift/
body __YG_GLOBDATA_20 /seriöses Geld/
body __YG_GLOBDATA_21 /Unternehmen/
body __YG_GLOBDATA_22 /verdienen/
body __YG_GLOBDATA_23 /Versendens/
body __YG_GLOBDATA_24 /Werbekampagnen/
body __YG_GLOBDATA_25 /Werbung/
body __YG_GLOBDATA_26 /Zielgruppen/

meta YG_GLOBDATA_5 (__YG_GLOBDATA_01 + __YG_GLOBDATA_02 + __YG_GLOBDATA_03 + __YG_GLOBDATA_04 + __YG_GLOBDATA_05 + __YG_GLOBDATA_06 + __YG_GLOBDATA_07 + __YG_GLOBDATA_08 + __YG_GLOBDATA_09 + __YG_GLOBDATA_10 + __YG_GLOBDATA_11 + __YG_GLOBDATA_12 + __YG_GLOBDATA_13 + __YG_GLOBDATA_14 +
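The body/meta pairing in the attached configuration (the meta line is cut off in the archive) counts how many of the __YG_GLOBDATA_NN subrules hit and fires the meta rule once enough of them do. The following Python simulation is an added illustration, not Yves Goergen's config and not SpamAssassin code: it reuses a handful of the body patterns above as Python regexes and models the meta as "number of distinct subrules that matched". The threshold of 5 is an assumption read off the rule name YG_GLOBDATA_5, and the two sample texts are constructed for the example.

```python
"""Simulate a SpamAssassin body/meta keyword-count rule in Python.

Added example, not code from the thread or from SpamAssassin. SA evaluates
each body rule to 0 or 1 (a rule counts once however often its pattern
occurs), and a meta rule of the form (A + B + C ... > n) simply adds those
0/1 values. Patterns are case-sensitive unless written with /i, exactly as in
the config above.
"""
import re
from typing import List

# Constructed subset of the __YG_GLOBDATA_NN body patterns from the config.
SUBRULES = {
    '__YG_GLOBDATA_01': r'Adressen',
    '__YG_GLOBDATA_05': r'Datenbanken',
    '__YG_GLOBDATA_07': r'deutsche[nr]? Firmen',
    '__YG_GLOBDATA_13': r'Glob[ -]*Contact',
    '__YG_GLOBDATA_21': r'Unternehmen',
    '__YG_GLOBDATA_22': r'verdienen',
    '__YG_GLOBDATA_25': r'Werbung',
}

# Assumption: the (truncated) meta fires at 5 or more hits, per its name YG_GLOBDATA_5.
META_THRESHOLD = 5


def subrule_hits(body: str) -> List[str]:
    """Names of the subrules whose pattern occurs in the body, each counted once."""
    return sorted(name for name, pattern in SUBRULES.items() if re.search(pattern, body))


def meta_fires(body: str, threshold: int = META_THRESHOLD) -> bool:
    """The meta adds the 0/1 results of its subrules and compares with the threshold."""
    return len(subrule_hits(body)) >= threshold


# Constructed samples: an address-broker pitch and an ordinary German message.
SPAM_SAMPLE = ("Wir bieten Adressen deutscher Firmen aus unseren Datenbanken. "
               "Glob-Contact hilft Ihrem Unternehmen, mit Werbung Geld zu verdienen.")
HAM_SAMPLE = "Hallo, anbei die Adressen der Teilnehmer. Viele Grüße"

if __name__ == '__main__':
    for label, text in (('spam', SPAM_SAMPLE), ('ham', HAM_SAMPLE)):
        hits = subrule_hits(text)
        print(f"{label}: {len(hits)} subrules hit -> meta fires: {meta_fires(text)}")
```

Lower-casing the spam sample drops it to a single hit (only `verdienen` is written in lower case in the patterns), which is the reason such keyword lists are usually written with `/i`; the counting approach still avoids scoring a genuine message that happens to mention "Adressen" once.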

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald


Am 24.02.2015 um 18:58 schrieb Yves Goergen:

Am 24.02.2015 um 18:39 schrieb Jeremy McSpadden:

Usually scores are 6 low 10 high. Are you running any RBLs?


I have the default settings plus the attached custom configuration.
There are several RBLs among them


RBLs long before the content filter! Doing that properly and lots of 
spam won't happen, independent of the content and language


postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5
  hostkarma.junkemailfilter.com=127.0.0.1*-2





Re: Lots of Polish spam

2015-02-24 Thread Yves Goergen

Am 24.02.2015 um 19:00 schrieb Jeremy McSpadden:

You're better off to implement RBL at SMTP time, not SA. IMO
Which MTA are you using ?


Exim. But why should I do that? See my other message in this thread. 
RBLs make mistakes. But then, only one of them makes the mistake, not all.


Are RBLs the only measure to fight spam today? How do these lists learn 
spam quickly if there is no other way to detect it?


I'm not sure whether RBLs help here. These are some of the reports of 
recent messages:



  0.0 FSL_HELO_NON_FQDN_1    No description available.
  0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail 
provider
 (disportsk33[at]gmx.pl)
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 digit (disportsk33[at]gmx.pl)
  0.9 SPF_FAIL   SPF: Senderechner entspricht nicht SPF-Datensatz 
(fail)
 [SPF failed: Please see 
http://www.openspf.org/Why?s=mfrom;id=disportsk33%40gmx.pl;ip=188.10.118.145;r=mond2]
  0.0 HTML_MESSAGE   BODY: Nachricht enthält HTML
  0.0 TVD_SPACE_RATIO        No description available.
  1.0 XPRIO  Has X-Priority header
  2.8 TVD_SPACE_RATIO_MINFP  No description available.


-


  0.5 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
  0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail 
provider
 (ravennvgszluotpaa[at]wp.pl)
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 digit (teaspoonsfulut2[at]wp.pl)
  0.9 SPF_FAIL   SPF: Senderechner entspricht nicht SPF-Datensatz 
(fail)
 [SPF failed: Please see 
http://www.openspf.org/Why?s=mfrom;id=teaspoonsfulut2%40wp.pl;ip=115.246.74.136;r=mond2]
  0.0 HTML_MESSAGE   BODY: Nachricht enthält HTML
  1.0 XPRIO  Has X-Priority header


-


  0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
 Generic rPTR
  0.9 SPF_FAIL   SPF: Senderechner entspricht nicht SPF-Datensatz 
(fail)
 [SPF failed: Please see 
http://www.openspf.org/Why?s=mfrom;id=operan37%40wp.pl;ip=95.233.166.252;r=mond2]
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 digit (operan37[at]wp.pl)
  2.7 RCVD_IN_PSBL   RBL: Received via a relay in PSBL
 [95.233.166.252 listed in psbl.surriel.com]
  0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail 
provider
 (bartekmamut[at]wp.pl)
  0.0 HTML_MESSAGE   BODY: Nachricht enthält HTML
  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
 https://senderscore.org/blacklistlookup/
[95.233.166.252 listed in bl.score.senderscore.com]
  0.0 TVD_SPACE_RATIO        No description available.
  1.0 XPRIO  Has X-Priority header
  2.7 TVD_SPACE_RATIO_MINFP  No description available.


-


  0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
 Generic rPTR
  2.7 RCVD_IN_PSBL   RBL: Received via a relay in PSBL
 [195.223.116.82 listed in psbl.surriel.com]
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 digit (panellingset52[at]gmail.com)
  1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
 [195.223.116.82 listed in bb.barracudacentral.org]
  1.0 SPF_SOFTFAIL   Senderechner entspricht nicht SPF-Datensatz 
(softfail)
  0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail 
provider
 (panellingset52[at]gmail.com)
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
 domains are different
  0.7 MPART_ALT_DIFF BODY: Nachrichtentext im Text- und HTML-Format
 unterscheiden sich
  0.0 HTML_MESSAGE   BODY: Nachricht enthält HTML
  0.6 RCVD_IN_SORBS_WEB  RBL: SORBS: Senderechner ist ein ungesicherter
 WWW-Server
 [195.223.116.82 listed in dnsbl.sorbs.net]
  0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
  freemail headers are different
  1.0 XPRIO  Has X-Priority header


-


  0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail 
provider
 (beelines89[at]wp.pl)
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 digit (beelines89[at]wp.pl)
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
 domains are different
  0.9 SPF_FAIL   SPF: Senderechner entspricht nicht SPF-Datensatz 
(fail)
 

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald



Am 24.02.2015 um 19:15 schrieb Yves Goergen:

Am 24.02.2015 um 19:02 schrieb Reindl Harald:

RBL's long before the contentfilter!


Do you mean to reject messages as soon as a single RBL triggers it?
That's definitely not what I want to do! I've had way too much trouble
with others doing that. RBLs get points and the score decides. Never let
any single check decide alone.


re-read my message again and try to understand it

this is *not* a single check
this is *scoring*


postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
(...)


What is that?


Google would have led to
http://www.postfix.org/POSTSCREEN_README.html


b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3


These are evil...


really?
maybe you should qualify tips *after* you understood What is that?

* the reject score is 8
* b.barracudacentral.org=127.0.0.2*7 has 7 points
* zen.spamhaus.org with response 127.0.0.10 or 127.0.0.11 is PBL
* zen.spamhaus.org with response 127.0.0.4-127.0.0.7 is XBL
* zen.spamhaus.org with response 127.0.0.3 is CSS and only 4 points
* zen.spamhaus.org with response 127.0.0.2 is SBL and only 3 points
* you missed the DNSWL's with negative scores completely
___

AGAIN: that is a score-based reject including a ton of whitelists

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5
  hostkarma.junkemailfilter.com=127.0.0.1*-2



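How postscreen turns a list like the one above into a decision, shown as an added example that is not part of Reindl Harald's post and not Postfix code: every `site=pattern*weight` entry whose pattern matches one of the DNSBL's answers for the connecting client contributes its weight (negative for the DNSWL entries), the contributions are summed, and the sum is compared with `postscreen_dnsbl_threshold`, which Postfix documents as an inclusive lower bound for blocking. The site list is a subset of the one quoted above; the lookup answers for the four clients are constructed, and the client names are hypothetical.

```python
"""Weighted DNSBL scoring in the style of postscreen_dnsbl_sites.

Added example, not from the thread or from Postfix. It parses the
site=pattern*weight syntax (single octet, [a;b] alternatives, [a..b] ranges,
optional weight defaulting to 1), scores constructed DNSBL answers and applies
the threshold the way postscreen does.
"""
import re
from typing import Dict, List, Tuple

# Constructed: a subset of the postscreen_dnsbl_sites value quoted in the thread.
DNSBL_SITES = """
b.barracudacentral.org=127.0.0.2*7
bl.mailspike.net=127.0.0.2*5
bl.mailspike.net=127.0.0.[10;11;12]*4
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].3*-5
"""
DNSBL_THRESHOLD = 8  # postscreen_dnsbl_threshold = 8 in the quoted config

_OCTET = re.compile(r'\[[^\]]*\]|\d+')  # one octet spec: "3", "[10;11]" or "[4..7]"

Rule = Tuple[str, List[str], int]


def parse_sites(text: str) -> List[Rule]:
    """Turn 'site=pattern*weight' items into (site, four octet specs, weight)."""
    rules = []
    for item in text.split():
        site, _, rest = item.partition('=')
        pattern, _, weight = rest.partition('*')
        octets = _OCTET.findall(pattern) if pattern else []  # no pattern: any reply matches
        rules.append((site, octets, int(weight) if weight else 1))  # no weight means 1
    return rules


def _octet_matches(spec: str, value: int) -> bool:
    if spec.startswith('['):
        inner = spec[1:-1]
        if '..' in inner:
            lo, hi = inner.split('..', 1)
            return int(lo) <= value <= int(hi)
        return value in {int(x) for x in inner.split(';')}
    return int(spec) == value


def reply_matches(octets: List[str], reply: str) -> bool:
    """Does a DNSBL A-record answer such as 127.0.0.11 match the octet specs?"""
    if not octets:
        return True
    values = [int(x) for x in reply.split('.')]
    return len(values) == 4 and all(_octet_matches(s, v) for s, v in zip(octets, values))


def dnsbl_score(replies: Dict[str, List[str]], rules: List[Rule]) -> int:
    """Sum the weights of every (site, pattern) entry that matches one of the replies."""
    score = 0
    for site, octets, weight in rules:
        for reply in replies.get(site, []):
            if reply_matches(octets, reply):
                score += weight
    return score


def postscreen_verdict(replies: Dict[str, List[str]],
                       rules: List[Rule] = None,
                       threshold: int = DNSBL_THRESHOLD) -> Tuple[str, int]:
    """'reject' when the combined score reaches the threshold, else 'pass'."""
    rules = parse_sites(DNSBL_SITES) if rules is None else rules
    score = dnsbl_score(replies, rules)
    return ('reject' if score >= threshold else 'pass', score)


# Constructed lookup results: what each list would answer for four hypothetical clients.
CLIENTS = {
    'bot_on_dsl': {'zen.spamhaus.org': ['127.0.0.4', '127.0.0.11']},            # XBL + PBL
    'listed_but_dnswl': {'b.barracudacentral.org': ['127.0.0.2'],
                         'list.dnswl.org': ['127.0.5.3']},                      # 7 - 5
    'sbl_and_mailspike': {'zen.spamhaus.org': ['127.0.0.2'],
                          'bl.mailspike.net': ['127.0.0.2']},                   # 3 + 5
    'css_only': {'zen.spamhaus.org': ['127.0.0.3']},                            # 4
}

if __name__ == '__main__':
    for name, replies in CLIENTS.items():
        print(name, postscreen_verdict(replies))
```

The point the post makes is visible in the numbers: a single SBL or CSS listing stays below 8 on its own, a PBL+XBL combination (a bot on a dynamic address) clears it at once, and a DNSWL entry at trust level 3 pulls even a Barracuda listing back under the threshold. Real postscreen also caches the score for `postscreen_dnsbl_ttl` and runs its other tests; this example covers only the DNSBL arithmetic.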


Re: Lots of Polish spam

2015-02-24 Thread Yves Goergen

Am 24.02.2015 um 19:02 schrieb Reindl Harald:

RBL's long before the contentfilter!


Do you mean to reject messages as soon as a single RBL triggers it? 
That's definitely not what I want to do! I've had way too much trouble 
with others doing that. RBLs get points and the score decides. Never let 
any single check decide alone.



postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
(...)


What is that?


b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3


These are evil...

--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-24 Thread Marcin Mirosław
On 2015-02-24 at 19:56, Axb wrote:
[...]
 - Please post missed spam samples in pastebin.com - do not post samples
 to mailing lists

Yes, please share it, I'll take a look at what kind of spam it is.


Re: Lots of Polish spam

2015-02-24 Thread Yves Goergen

Am 24.02.2015 um 22:00 schrieb Axb:

On 02/24/2015 09:28 PM, Yves Goergen wrote:

https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view

ZIP password: spam
(Google thinks there's a virus in it so I needed to encrypt it.)


didn't need a password to extract but... whatever format those .eml are
in, none of the text editors was able to handle them so that didn't help.


If you weren't asked for a password, then the files were not decrypted. 
If you can decrypt them (I used 7-Zip to create the archive, but ZIP 
encryption seems incompatible between programs; I could create a .7z 
archive as well, but these seem to be unsupported and unwanted by most, 
despite their highly superior performance), then you'll have plain text 
files as Thunderbird received and exported them. Nothing unusual.



- What plugins are you using?
(pls specify: Razor, Pyzor, DCC, etc)


neither of those are installed by default so you may want to look into them.

Razor/Pyzor & DCC will make a huge difference.


Okay, so I'll take a look into what they are and how to install and 
configure them.



I'd definitely suggest you enable the Spamhaus & SURBL rules.


They have strange TOS that actually forbid using them for more than a 
single mailbox. Otherwise you need to pay for it. My data centre 
provider wrote an interesting posting about the current situation in 
their closed customer forums. They're in a bad position as long as 
customers still access Spamhaus services from their network. Nobody 
should support them anymore, really. They're evil.



Last but not least, get your Bayes setup running and it will give you
the extra edge.


I once had Bayes enabled, but since it's an unattended server system, it 
can only learn from itself. And that had worked really badly in the past. 
So I disabled it completely last time I set it up. How should Bayes work 
if nobody gives feedback about the messages from their Thunderbird 
clients? And I've tried creating rules for those Polish words, but it's 
different words all the time. I wonder whether they actually mean 
something. And it's only very few words per message, many even with 
corrupt encoding including HTML entities. Again, how could Bayes help here?


--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald


Am 24.02.2015 um 22:49 schrieb Alex Regan:

For a few months I've been getting lots of Polish spam to one of my e-mail
addresses, sometimes a dozen per day. I have no idea what it's telling
me, I don't understand a single word. I just recognise characteristic
characters to know the language. Some messages have a .pl domain as
sender address, others not. The sending hosts have all kinds of TLDs.
Most messages have only a very short or empty body (a few words at
maximum). Almost all messages contain a .zip attachment, often named
like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
by clamav, but I haven't looked into any of these archives yet.


I have a number of mime_header_checks rules that reject unwanted file
types. This can also be done with amavisd.

Does anyone know/think it would be a good idea to add .pdf.zip to the
mime types reject list? Has anyone seen a real example that wasn't a virus?


well, if i right click on a PDF file at my KDE desktop the context menu 
offers a simple option to compress it as zip archive resulting in 
origin-name.pdf.zip


here you go: http://sanesecurity.com/usage/signatures/
the zip is not the problem, the content is interesting

as already mentioned: http://sanesecurity.com/foxhole-databases/







Re: Lots of Polish spam

2015-02-24 Thread Tom Hendrikx

On 24-02-15 22:56, Yves Goergen wrote:
 Am 24.02.2015 um 22:00 schrieb Axb:
 On 02/24/2015 09:28 PM, Yves Goergen wrote:
 https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view


 
ZIP password: spam
 (Google thinks there's a virus in it so I needed to encrypt
 it.)
 
 didn't need a password to extract but... whatever format those
 .eml are in, none of text editors was able to handle them so that
 didn't help.
 
 If you weren't asked for a password, then the files were not
 decrypted. If you can decrypt them (I used 7-Zip to create the
 archive, but ZIP encryption seems incompatible between programs,
 could create a .7z archive as well, but these seem to be
 unsupported and unwanted by most, despite their highly superior
 performance), then you'll have plain text files as Thunderbird
 received and exported them. Nothing unusual.
 
 - What plugins are you using? (pls specify: Razor, Pyzor,
 DCC, etc)
 
 neither of those are installed by default so you may want to look
 into them.
 
 Razor/Pyzor & DCC will make a huge difference.
 
 Okay, so I'll take a look into what they are and how to install
 and configure them.
 
 I'd definitely suggest you enable the Spamhaus & SURBL rules.
 
 They have strange TOS that actually forbid using them for more than
 a single mailbox. Otherwise you need to pay for it. My data centre 
 provider wrote an interesting posting about the current situation
 in their closed customer forums. They're in a bad position as long
 as customers still access Spamhaus services from their network.
 Nobody should support them anymore, really. They're evil.
 
 Last but not least, get your Bayes setup running and it will give
 you the extra edge.
 
 I once had Bayes enabled, but since it's an unattended server
 system, it can only learn from itself. And that had worked really
 bad in the past. So I disabled it completely last time I set it up.
 How should Bayes work if nobody gives feedback about the messages
 from their Thunderbird clients? And I've tried creating rules for
 those Polish words, but it's different words all the time. I wonder
 whether they actually mean something. And it's only very few words
 per messages, many even with corrupt encoding including HTML
 entities. Again, how could Bayes help here?
 

The problem here is that you're stating it's an unattended server
system. E-mail and spam change all the time; you cannot have great
filtering without adjusting to new trends and threats. Using Bayesian
filtering is an easy way to improve detection, because you only need
to decide whether mail is ham or spam, and the Bayes engine does most
of the other hard work for you.

If you're not going to put in some effort to either train a Bayesian
filter for your users, or enable them to train it themselves (this has
some risks you should be aware of), your filtering won't improve. But
on the other hand: trying to write your own SA rules in order to block
mails in a language you don't even understand is a lot harder.

Tom



Re: Lots of Polish spam

2015-02-24 Thread John Hardin

On Tue, 24 Feb 2015, Alex Regan wrote:

Does anyone know/think it would be a good idea to add .pdf.zip to the mime 
types reject list? Has anyone seen a real example that wasn't a virus?


Pretty much *any* double-extension filename is suspect.

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Markley's Law (variant of Godwin's Law): As an online discussion
  of gun owners' rights grows longer, the probability of an ad hominem
  attack involving penis size approaches 1.
---
 10 days until Dawn reaches Ceres


Re: Lots of Polish spam

2015-02-24 Thread RW
On Tue, 24 Feb 2015 22:56:08 +0100
Yves Goergen wrote:

 Am 24.02.2015 um 22:00 schrieb Axb:

  I'd definitely suggest you enable the Spamhaus & SURBL rules.
 
 They have strange TOS that actually forbid using them for more than a 
 single mailbox. Otherwise you need to pay for it. 

That's not what it says on their websites, SURBL has a 1000 user limit,
and spamhaus has limits on lookups.


 My data centre 
 provider wrote an interesting posting about the current situation in 
 their closed customer forums. They're in a bad position as long as 
 customers still access Spamhaus services from their network.

They have to pay because they're a business that sells email. 

If you have your own mail server with a dedicated IP address, and do
your own DNS lookups, I don't think you'd have to pay unless you're selling a
commercial email service. The problem some people run into is sending
their dns queries through a shared dns cache which aggregates look-ups
on a single IP address.  






Re: Lots of Polish spam

2015-02-24 Thread Alex Regan

Hi,


On 02/24/2015 07:06 PM, Reindl Harald wrote:


Am 25.02.2015 um 00:56 schrieb Alex Regan:

Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.


I really thought clamav was much better. Can you recommend an antivirus
other than Sophos that works well with Linux/Fedora?

Sophos is a no-go with Fedora, apparently


as explained repeatedly in this thread: ClamAV is a *framework* and works
well if you load the right signatures

even SpamAssassin *is just a framework* without Bayes, URIBL, DNSBL and
shared hash deployments far away from usable as a ready solution

if you build up a spamfilter you can't just use anything out of the box
and think you are done without investing in configuration and additional
signatures as well as *learning* from real mail flow


Yes, I *am* already using the additional signatures from sanesecurity 
and others. I've started to notice the efficacy suffering over the past 
months as users have been complaining and comments on this list (I 
assumed those that were commenting were also using the third-party 
signatures).


I'm also just looking for a secondary scanner in addition to clamav to 
run in parallel to see how it compares...


Thanks,
Alex



Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald


Am 24.02.2015 um 22:56 schrieb Yves Goergen:

Last but not least, get your Bayes setup running and it will give you
the extra edge.


I once had Bayes enabled, but since it's an unattended server system, it
can only learn from itself. And that had worked really bad in the past.
So I disabled it completely last time I set it up. How should Bayes work
if nobody gives feedback about the messages from their Thunderbird
clients? And I've tried creating rules for those Polish words, but it's
different words all the time. I wonder whether they actually mean
something. And it's only very few words per messages, many even with
corrupt encoding including HTML entities. Again, how could Bayes help here?


starting with 200 spam and 200 ham samples bayes helps *a lot* and 
running any contentfilter without bayes is pure nonsense


a spamfilter is not about "that is spam because of this" - it's about 
scoring and bayes is an important part of the scoring


just set it up with a central bayes-db and feed it only with the samples 
*you* got and anybody would benefit


with sensible RBL scoring, SpamAssassin including bayes and unofficial 
ClamAV signatures you block around 95% of all junk without investing any 
second of work after setup and combined with remote-hashing services 
into the score mix you get up to 98% with nearly zero false positives


what you have is a dumb contentfilter without bayes and usable clamav 
signatures with no RBL scoring before the contentfilter - that can't 
work at all






Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald


Am 24.02.2015 um 23:18 schrieb John Hardin:

On Tue, 24 Feb 2015, Alex Regan wrote:


Does anyone know/think it would be a good idea to add .pdf.zip to
the mime types reject list? Has anyone seen a real example that wasn't
a virus?


Pretty much *any* double-extension filename is suspect


on Windows systems

.tar.gz
.tar.bz2
.tar.xz



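The two posts above pull in opposite directions: John Hardin's "any double-extension filename is suspect" and Reindl Harald's reminder that .tar.gz, .tar.bz2 and .tar.xz are ordinary compound extensions. The following Python helper is an added example, not code from the thread, from Postfix mime_header_checks or from any tool mentioned here; it allowlists the Unix compound archive extensions, treats a directly executable last extension as the serious case, and marks the remaining double extensions (report.pdf.zip) as suspect rather than rejecting them, in line with Axb's false-positive warning. The extension sets and the sample names are constructed.

```python
"""Double-extension attachment filename heuristic (added example).

Not code from the thread or from the tools it discusses. The heuristic is
meant to feed a score (as in SpamAssassin) or a log entry, not to reject on
sight: a .pdf.zip can be produced by a desktop archiver, as the thread notes.
"""
import re
from typing import List, Tuple

# Constructed allowlist: compound extensions that are normal on Unix systems.
BENIGN_COMPOUND = ('.tar.gz', '.tar.bz2', '.tar.xz', '.tar.z')
# Constructed set: extensions that execute directly on a Windows desktop.
EXECUTABLE = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'vbs', 'js', 'jar', 'msi'}
# Something that looks like a file type, e.g. "pdf" or "jpg": two to four letters.
_EXT_LIKE = re.compile(r'^[a-z]{2,4}$')


def classify_attachment_name(name: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'executable' or 'double-extension'."""
    lower = name.strip().lower()
    if lower.endswith(BENIGN_COMPOUND):
        return 'ok', 'known compound archive extension'
    parts = lower.split('.')
    if len(parts) < 2:
        return 'ok', 'no extension'
    last = parts[-1]
    if last in EXECUTABLE:
        return 'executable', f'.{last} runs directly when opened'
    # report.pdf.zip: a type-looking inner extension right before the outer one.
    if len(parts) >= 3 and _EXT_LIKE.match(parts[-2]):
        return 'double-extension', f'.{parts[-2]}.{last} suggests a disguised type'
    return 'ok', 'single extension'


def suspect_names(names: List[str]) -> List[str]:
    """Filenames that deserve extra scoring or a log line, in input order."""
    return [n for n in names if classify_attachment_name(n)[0] != 'ok']


if __name__ == '__main__':
    # Constructed sample attachment names, including the two shapes from the thread.
    for sample in ('report.pdf.zip', 'scan_JPG.zip', 'backup.tar.gz',
                   'invoice.pdf.exe', 'release-v1.2.zip', 'README'):
        print(f'{sample:18} -> {classify_attachment_name(sample)}')
```

Note what the check does not catch: the thread's `*_JPG.zip` names use an underscore, so they are single-extension archives and pass this filter; for those the archive content has to be inspected (ClamAV with the Sanesecurity signatures, as suggested elsewhere in the thread), which is also why the executable-inside-zip case belongs to the scanner rather than to a filename rule.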


Re: Lots of Polish spam

2015-02-24 Thread LuKreme
On Feb 24, 2015, at 15:24, Axb <axb.li...@gmail.com> wrote:
 *.pdf.zip is a dangerous one to block on sight - FP risk is huge

Really? I've never seen a .pdf.zip that was legitimate.




Re: Lots of Polish spam

2015-02-24 Thread Benny Pedersen
On February 24, 2015 11:06:31 PM Yves Goergen <nospam.l...@unclassified.de> wrote:



 From the description, they only block by file name pattern. I can't
block all archives with executable files in them. People need to send
those files from time to time. And they know that a plain attached .exe
won't get through filters, so they put it in a .zip archive. If the mail
server now blocks all .exe in .zip without actually scanning the
contents, they're going to complain.


pay attention to clamav max unpack 16 levels of recursive zip, that means 
if an exe file is recursively zip packed 17 times it will not be a virus ? :)


more serious, if an exe file is just attached to email and it's clean, no 
blocking in clamav, do users not pay attention ?


we are off-topic, at least i am


Re: Lots of Polish spam

2015-02-24 Thread Mark Martinec

Axb wrote:

didn't need a password to extract but... whatever format those .eml
are in, none of text editors was able to handle them so that  didn't
help.


$ mkdir Spam; cd Spam
$ 7z e -pspam ../Spam.zip


Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.

  Mark


Re: Lots of Polish spam

2015-02-24 Thread Alex Regan

Hi,


Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.


I really thought clamav was much better. Can you recommend an antivirus 
other than Sophos that works well with Linux/Fedora?


Sophos is a no-go with Fedora, apparently.

Thanks,
Alex



Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald


Am 25.02.2015 um 00:56 schrieb Alex Regan:

Sophos reports it as Troj/Tinba-O, like most others on virustotal.com
ClamAV does not detect anything suspicious.


I really thought clamav was much better. Can you recommend an antivirus
other than Sophos that works well with Linux/Fedora?

Sophos is a no-go with Fedora, apparently


as explained repeatly in this thread: ClamAV is a *fraemwork* and works 
well if you load the right signatures


even SpamAssassin *is just a framework* without Bayes, URIBL, DNSBL and 
shared hash deployments far away from useable as a ready solution


if you build up a spamfilter you can't just use anything out of the box 
and think you are done without invest in configuration and additional 
signatures as well as *learining* from real mail flow






Re: Lots of Polish spam

2015-02-24 Thread Yves Goergen

On 24.02.2015 at 22:42, Axb wrote:

> On 02/24/2015 10:32 PM, Kris Deugau wrote:
>
> > These are almost certainly viruses.  Upload one or two of the .zip files
> > to virustotal.com to check against a long list of AV scanners.


Didn't check it. Avira AntiVir (my desktop scanner) didn't notice any of
these files while I created the archive. When scanning the files on
demand, the scanner ends up in a live lock, not finishing. But it has
found at least one malware up to then.



> ClamAV has become a framework... and atm, you can open a bottle of
> bubbly if the official sigs actually detect anything.


Oh great. Now that I've finally set up ClamAV on the server, it's 
useless? At least it can detect the EICAR test signature, and 
occasionally I've seen it detecting other things, but I rarely get in 
touch with real malware so I didn't test that.



> Take a look at the Sanesecurity's FoxHole sigs


From the description, they only block by file name pattern. I can't 
block all archives with executable files in them. People need to send 
those files from time to time. And they know that a plain attached .exe 
won't get through filters, so they put it in a .zip archive. If the mail 
server now blocks all .exe in .zip without actually scanning the 
contents, they're going to complain.


--
Yves Goergen
http://unclassified.software


Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald


On 24.02.2015 at 23:39, LuKreme wrote:

> On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote:
>
> > *.pdf.zip is a dangerous one to block on sight - FP risk is huge
>
>
> Really? I've never seen a .pdf.zip that was legitimate


and I have sent hundreds which were made by just right-clicking on the pdf
and choosing add to zip archive: origin.pdf.zip - and now?






Re: Lots of Polish spam

2015-02-24 Thread Axb

On 02/24/2015 11:39 PM, LuKreme wrote:

> On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote:
>
> > *.pdf.zip is a dangerous one to block on sight - FP risk is huge
>
>
> Really? I've never seen a .pdf.zip that was legitimate.



KDE: right-click on a blah.pdf, compress as Zip Archive and bang:
blah.pdf.zip


I can imagine other Linux Desktops doing the same. Dunno about Windows
or Apple




Re: Lots of Polish spam

2015-02-24 Thread Benny Pedersen

On February 24, 2015 11:57:23 PM Axb axb.li...@gmail.com wrote:


> I can imagine other Linux Desktops doing the same. Dunno about Windows
> or Apple


users are not asked for a filename, since the default seems fine :)


Re: Lots of Polish spam

2015-02-24 Thread Marcin Mirosław
On 2015-02-24 at 21:28, Yves Goergen wrote:
> On 24.02.2015 at 19:56, Axb wrote:
> > - Please post missed spam samples in pastebin.com - do not post samples
> > to mailing lists
>
> It's too many to process them individually in pastebin. Here's an
> archive with ~60 messages in files:
>
> https://drive.google.com/file/d/0B8CN0ghdY1SdSzBqdkswRUdOb0U/view
>
> ZIP password: spam
> (Google thinks there's a virus in it so I needed to encrypt it.)

--- SCAN SUMMARY ---
Known viruses: 4360435
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 58
Infected files: 30

This is with a bunch of unofficial databases for clamav, without foxhole
mentioned by Axb.
With foxhole rules:
--- SCAN SUMMARY ---
Known viruses: 4360690
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 58
Infected files: 50

Imho you should take a look at the clamav configuration to reject such emails.




Re: Lots of Polish spam

2015-02-24 Thread Axb

On 02/24/2015 11:18 PM, John Hardin wrote:

> On Tue, 24 Feb 2015, Alex Regan wrote:
>
> > Does anyone know/think it would be a good idea to add .pdf.zip to
> > the mime types reject list? Has anyone seen a real example that wasn't
> > a virus?
>
>
> Pretty much *any* double-extension filename is suspect.


*.pdf.zip is a dangerous one to block on sight - FP risk is huge
(got the t-shirt .-)






Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald



On 24.02.2015 at 23:06, Yves Goergen wrote:

> On 24.02.2015 at 22:42, Axb wrote:
>
> > ClamAV has become a framework... and atm, you can open a bottle of
> > bubbly if the official sigs actually detect anything.
>
>
> Oh great. Now that I've finally set up ClamAV on the server, it's
> useless? At least it can detect the EICAR test signature, and
> occasionally I've seen it detecting other things, but I rarely get in
> touch with real malware so I didn't test that


again: do your homework and visit
http://sanesecurity.com/usage/signatures/ - it's all available - you
just need to do it or pay someone to set up the filter properly - a
spamfilter is built up with a *lot* of pieces on different stages



