Re: well, isnt that special...
rich...@buzzhost.co.uk wrote:
> On Thu, 2009-11-26 at 08:57 +0100, Per Jessen wrote:
>> rich...@buzzhost.co.uk wrote:
>>
>> > On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
>> >> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>> >>
>> >> Nah, use REJECT so you get that immediate satisfaction :-)
>> >>
>> >> Alex
>> >
>> > NO NO NO NO NO!
>> > Drop has the effect of tarpitting them :-)
>>
>> Not quite, tarpitting is the next step.
>>
>>
>> /Per Jessen, Zürich
>>
> Hence 'The effect', that is - to delay progress. They send SYN, no
> answer (but they wait for the answer) hence, has the effect.

Very true - I was thinking more in terms of the iptables tarpit module.
I think there is a postgrey tarpit extension too.

/Per Jessen, Zürich
Re: well, isnt that special...
On Thu, 2009-11-26 at 08:57 +0100, Per Jessen wrote:
> rich...@buzzhost.co.uk wrote:
>
> > On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
> >> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
> >>
> >> Nah, use REJECT so you get that immediate satisfaction :-)
> >>
> >> Alex
> >
> > NO NO NO NO NO!
> > Drop has the effect of tarpitting them :-)
>
> Not quite, tarpitting is the next step.
>
>
> /Per Jessen, Zürich
>

Hence 'The effect', that is - to delay progress. They send SYN, no
answer (but they wait for the answer) hence, has the effect. Sure, it's
not as good as redirecting them to, say port 2525 where a dedicated
FUAMTA is waiting, but I'm considering that :-)
Re: well, isnt that special...
rich...@buzzhost.co.uk wrote:
> On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
>> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>>
>> Nah, use REJECT so you get that immediate satisfaction :-)
>>
>> Alex
>
> NO NO NO NO NO!
> Drop has the effect of tarpitting them :-)

Not quite, tarpitting is the next step.

/Per Jessen, Zürich
[OT] Re: well, isnt that special...
Hi,

> not relevant to Spamassassin, is it?
>
> if you have to go way off topic at please be considerate and add an OT: tag to
> the subject..
> /dev/null
>
> or try: http://spam-l.com/mailman/listinfo

Yes, very much OT. I was following along with the other iptables
comments. Thanks for the pointer to spam-l.

Alex
Re: well, isnt that special...
On 11/25/2009 11:29 PM, Alex wrote:

iptables -A FIREWALL -s 127.0.0.0/8 -j DROP

Very good. That was nearly funny :-) Why don't you add:
iptables -A FIREWALL -s 0.0.0.0/0 -j DROP
and enjoy the silence :-)

Trouble is that you have to be the one that drives to the colo to
eventually undo the rules :-)

Speaking of fw rules, has anyone considered something to automate the
SANS top 10?

http://isc.sans.org/top10.html

Would that be effective?

not relevant to Spamassassin, is it?

if you have to go way off topic at please be considerate and add an OT: tag to
the subject..
> /dev/null

or try: http://spam-l.com/mailman/listinfo
Re: well, isnt that special...
>> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>>
> Very good. That was nearly funny :-) Why don't you add:
> iptables -A FIREWALL -s 0.0.0.0/0 -j DROP and enjoy the silence :-)

Trouble is that you have to be the one that drives to the colo to
eventually undo the rules :-)

Speaking of fw rules, has anyone considered something to automate the
SANS top 10?

http://isc.sans.org/top10.html

Would that be effective?

Alex
Re: well, isnt that special...
On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>
> Nah, use REJECT so you get that immediate satisfaction :-)
>
> Alex

NO NO NO NO NO!
Drop has the effect of tarpitting them :-)

As the Supremes sang;
"Set me free why don't you baby?
You just keep me hangin' on"
Re: well, isnt that special...
On Wed, 2009-11-25 at 19:20 +0100, Benny Pedersen wrote:
> On ons 25 nov 2009 18:55:11 CET, "rich...@buzzhost.co.uk" wrote
> > Any more ranges most welcome :-)
>
> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>

Very good. That was nearly funny :-) Why don't you add:

iptables -A FIREWALL -s 0.0.0.0/0 -j DROP

and enjoy the silence :-)
Re: well, isnt that special...
On Wed, Nov 25, 2009 at 1:49 PM, R-Elists wrote:
>
>
> umm side note, i spose to Tara...
>
> is Constant Contact like the default email marketing system (or one of them)
> for salesforce.com or whatever other large "online" customer management
> software??? or do you own them or they own you or what is the scoop?
>
>

Someone recently developed an API to port your salesforce contacts to CC
(same permission standards apply). There are a few others out there like
Quickbooks I think who have built similar APIs. Any reason in particular?

Tara
Re: well, isnt that special...
> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP

Nah, use REJECT so you get that immediate satisfaction :-)

Alex
RE: well, isnt that special...
>
> uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
> score LOCAL_URI_C_CONTACT 12
> describe LOCAL_URI_C_CONTACT contains link to constant contact [dot] com
>

thanks Ned,

i do have a coupla companies that use CC for email so i wont totally whack.

they are getting a bit too generous on those marking emails to me though.

umm side note, i spose to Tara...

is Constant Contact like the default email marketing system (or one of them)
for salesforce.com or whatever other large "online" customer management
software??? or do you own them or they own you or what is the scoop?

- rh
RE: well, isnt that special...
thanks Tara,

not the hugest biggie... yet since we are only on a few select lists and
use this email address, i figured several others on this list were
getting it too

i did forward both to abuse at your site with headers

happy gobble gobble everyone!

- rh

I've got Compliance on it already thanks. And if I find the money pile
I'll let ya know. ;) I'll report back to you what they find.
Re: well, isnt that special...
On ons 25 nov 2009 18:55:11 CET, "rich...@buzzhost.co.uk" wrote

Any more ranges most welcome :-)

iptables -A FIREWALL -s 127.0.0.0/8 -j DROP

--
xpoint
Re: well, isnt that special...
On Wed, 2009-11-25 at 17:34 +, Ned Slider wrote:
> Aaron Wolfe wrote:
> > On Wed, Nov 25, 2009 at 12:04 PM, Ned Slider wrote:
> >> R-Elists wrote:
> >>>
> >>> on a much more important note, can those on the list that have a good handle
> >>> on better filtering spam and/or UCE from Constant please share your SA info
> >>> on that please?
> >>>
> >> Here's mine:
> >>
> >> uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
> >> score LOCAL_URI_C_CONTACT 12
> >> describe LOCAL_URI_C_CONTACT contains link to constant contact [dot] com
> >>
> >> Got fed up with these clowns a long time ago so I hammer anything from them
> >> on sight.
> >
> > That score is a bit extreme, but I've also found that a small positive
> > score is appropriate for constantcrap mail.
> >
> > -Aaron
> >
>
> Indeed, and I wouldn't advocate anyone following *my* scoring, just
> posted the rule as an example of one way to whack this particular mole :)
>
> I chose the high score to counteract any dns whitelists or AWL negative
> scoring etc that may otherwise rescue their crap from being marked as
> spam on my system. If there's anything I particularly want I can
> whitelist it, but the default action here is to tag and quarantine all
> mail from Constant Contact. The high score probably also reflects my
> level of frustration with them at the time I wrote the rule!

I don't think that's harsh at all Ned. I have a different solution:

#CHEETAH (EXPERIAN)
iptables -A FIREWALL -s 66.165.100.0/24 -j DROP

#CONSTANT CONTACT
iptables -A FIREWALL -s 63.251.0.0/16 -j DROP
iptables -A FIREWALL -s 66.151.234.144/28 -j DROP
iptables -A FIREWALL -s 208.75.120.0/22 -j DROP

#dotmailer offenders
iptables -A FIREWALL -s 80.87.10.0/30 -j DROP
iptables -A FIREWALL -s 80.87.10.4/31 -j DROP
iptables -A FIREWALL -s 80.87.10.6/32 -j DROP

Any more ranges most welcome :-)
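A pre-flight check for source-based DROP rules like the ones in this message, as an added example that is not part of the original post: it parses the rule lines from this thread (including the 127.0.0.0/8 and 0.0.0.0/0 rules from the replies) and flags any that cover an address that must stay reachable or that exceed a size threshold. `PROTECTED`, `MAX_ADDRESSES` and `lint_rules` are assumptions made for the example.

```python
import ipaddress
import re

# Rule lines as posted in this thread, plus the two joke rules from the replies.
RULES = """\
iptables -A FIREWALL -s 66.165.100.0/24 -j DROP
iptables -A FIREWALL -s 63.251.0.0/16 -j DROP
iptables -A FIREWALL -s 66.151.234.144/28 -j DROP
iptables -A FIREWALL -s 208.75.120.0/22 -j DROP
iptables -A FIREWALL -s 80.87.10.0/30 -j DROP
iptables -A FIREWALL -s 80.87.10.4/31 -j DROP
iptables -A FIREWALL -s 80.87.10.6/32 -j DROP
iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
iptables -A FIREWALL -s 0.0.0.0/0 -j DROP
"""

# Assumption: addresses that must never be blocked (loopback plus a
# constructed management host from the RFC 5737 documentation range).
PROTECTED = [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("192.0.2.10")]
MAX_ADDRESSES = 4096  # assumed threshold: anything wider than a /20 gets a human review

RULE_RE = re.compile(r"-s\s+(\S+)\s+-j\s+(DROP|REJECT)\b")

def lint_rules(text):
    """Return (network, problem) pairs for rules that should not be loaded blindly."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        try:
            # strict=True rejects CIDRs with host bits set (a common typo)
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError as exc:
            findings.append((m.group(1), f"invalid CIDR: {exc}"))
            continue
        hit = [str(a) for a in PROTECTED if a in net]
        if hit:
            findings.append((str(net), "covers protected address " + ", ".join(hit)))
        elif net.num_addresses > MAX_ADDRESSES:
            findings.append((str(net), f"broad range: {net.num_addresses} addresses"))
    return findings

if __name__ == "__main__":
    for net, problem in lint_rules(RULES):
        print(f"{net}: {problem}")
```

Run before loading a rule file on a remote host; the /16 is flagged for review and both joke rules are flagged as self-blocking.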
Re: well, isnt that special...
Aaron Wolfe wrote:

On Wed, Nov 25, 2009 at 12:04 PM, Ned Slider wrote:

R-Elists wrote:

on a much more important note, can those on the list that have a good handle
on better filtering spam and/or UCE from Constant please share your SA info
on that please?

Here's mine:

uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
score LOCAL_URI_C_CONTACT 12
describe LOCAL_URI_C_CONTACT contains link to constant contact [dot] com

Got fed up with these clowns a long time ago so I hammer anything from them
on sight.

That score is a bit extreme, but I've also found that a small positive
score is appropriate for constantcrap mail.

-Aaron

Indeed, and I wouldn't advocate anyone following *my* scoring, just
posted the rule as an example of one way to whack this particular mole :)

I chose the high score to counteract any dns whitelists or AWL negative
scoring etc that may otherwise rescue their crap from being marked as
spam on my system. If there's anything I particularly want I can
whitelist it, but the default action here is to tag and quarantine all
mail from Constant Contact. The high score probably also reflects my
level of frustration with them at the time I wrote the rule!
Re: well, isnt that special...
On Wed, Nov 25, 2009 at 12:04 PM, Ned Slider wrote:
> R-Elists wrote:
>>
>> just got spammed via constant contact via Aloha Communications Group on our
>> "email lists" email address from afrit...@aloha-com.ccsend.com
>>
>> obviously trolling for email addresses
>>
>> would the Constant Contact employee(s) and advocate on this list please kick
>> some hiney after you are done rolling around in the money pile?
>>
>> on a much more important note, can those on the list that have a good handle
>> on better filtering spam and/or UCE from Constant please share your SA info
>> on that please?
>>
>
> Here's mine:
>
> uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
> score LOCAL_URI_C_CONTACT 12
> describe LOCAL_URI_C_CONTACT contains link to constant contact [dot] com
>
> Got fed up with these clowns a long time ago so I hammer anything from them
> on sight.

That score is a bit extreme, but I've also found that a small positive
score is appropriate for constantcrap mail.

-Aaron
Re: well, isnt that special...
R-Elists wrote:

just got spammed via constant contact via Aloha Communications Group on our
"email lists" email address from afrit...@aloha-com.ccsend.com

obviously trolling for email addresses

would the Constant Contact employee(s) and advocate on this list please kick
some hiney after you are done rolling around in the money pile?

on a much more important note, can those on the list that have a good handle
on better filtering spam and/or UCE from Constant please share your SA info
on that please?

Here's mine:

uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
score LOCAL_URI_C_CONTACT 12
describe LOCAL_URI_C_CONTACT contains link to constant contact [dot] com

Got fed up with these clowns a long time ago so I hammer anything from them
on sight.
Re: well, isnt that special...
On Wed, Nov 25, 2009 at 10:53 AM, R-Elists wrote:
>
>
> just got spammed via constant contact via Aloha Communications Group on our
> "email lists" email address from afrit...@aloha-com.ccsend.com
>
> obviously trolling for email addresses
>
> would the Constant Contact employee(s) and advocate on this list please kick
> some hiney after you are done rolling around in the money pile?
>
>

I've got Compliance on it already thanks. And if I find the money pile
I'll let ya know. ;) I'll report back to you what they find.
Re: well, isnt that special...
On Nov 25, 2009, at 10:12 AM, Michael Scheidell wrote:
> R-Elists wrote:
>> on a much more important note, can those on the list that have a good handle
>> on better filtering spam and/or UCE from Constant please share your SA info
>> on that please?
>>
> header CONSTANTCONTACT List-Unsubscribe =~ /\bconstantcontact\.com\b/
> score CONSTANTCONTACT 0.6
>
> we score it pretty low since most of the constantcontact users aren't abusers.
> but we score it, keep track of it, and clients complain about missed spam,
> we bump it up, then drop it down when FP, then bump it up..
> (rinse, repeat)

This is mostly conjecture on my part but I think CC does some of the
work for you. For years we did SMTP level rejects from roving.com hosts
and this seemed to have blocked a lot of the CC crap. I think CC may
segregate unknown/untrusted senders in roving.com rather than
constantcontact.com. At any rate no one ever complained about the
roving.com block until we had a customer who couldn't send themselves
mail from their own lists. Knowing this customer only reinforces my
theory because their lists are dirty as hell.

Chris

Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
Re: well, isnt that special...
R-Elists wrote:

just got spammed via constant contact via Aloha Communications Group on our
"email lists" email address from afrit...@aloha-com.ccsend.com

obviously trolling for email addresses

would the Constant Contact employee(s) and advocate on this list please kick
some hiney after you are done rolling around in the money pile?

on a much more important note, can those on the list that have a good handle
on better filtering spam and/or UCE from Constant please share your SA info
on that please?

- rh

header CONSTANTCONTACT List-Unsubscribe =~ /\bconstantcontact\.com\b/
score CONSTANTCONTACT 0.6

we score it pretty low since most of the constantcontact users aren't abusers.
but we score it, keep track of it, and clients complain about missed spam,
we bump it up, then drop it down when FP, then bump it up..
(rinse, repeat)
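The two rules posted in this thread, exercised against constructed messages (an added example, not code from any poster or from SpamAssassin): it approximates the `uri` rule and the `header` rule with Python's `re` to show which sample mail each pattern catches, including a lookalike domain and a query-string mention. The sample messages, `URL_RE`, `rules_hit` and `make` are assumptions for illustration; SpamAssassin's own URI extraction is more thorough than the stand-in regex.

```python
import re
from email import message_from_string

# Patterns copied from the two rules posted in this thread.
URI_RULE = re.compile(r"constantcontact\.com\b")    # uri LOCAL_URI_C_CONTACT (score 12)
HDR_RULE = re.compile(r"\bconstantcontact\.com\b")  # header CONSTANTCONTACT (score 0.6)
# Simplification: this regex stands in for SpamAssassin's URI extractor.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def rules_hit(raw_message):
    """Return the names of the thread's rules that match this message."""
    msg = message_from_string(raw_message)
    hit = []
    # A uri rule is tried against each extracted URI, unanchored.
    if any(URI_RULE.search(u) for u in URL_RE.findall(msg.get_payload())):
        hit.append("LOCAL_URI_C_CONTACT")
    # A header rule is tried against the value of the named header only.
    if HDR_RULE.search(msg.get("List-Unsubscribe", "")):
        hit.append("CONSTANTCONTACT")
    return hit

def make(list_unsub, link):
    """Build a constructed single-part test message."""
    return (f"From: sender@example.net\nList-Unsubscribe: <{list_unsub}>\n"
            f"Subject: constructed sample\n\nClick {link} for our offer.\n")

# Constructed samples; none of these URLs come from real mail.
SAMPLES = {
    "both": make("http://www.constantcontact.com/u", "http://www.constantcontact.com/x"),
    "other_domain": make("http://lists.example.net/u", "http://news.example.net/x"),
    "lookalike_prefix": make("http://notconstantcontact.com/u", "http://notconstantcontact.com/x"),
    "query_string": make("http://example.org/u", "http://example.org/?ref=constantcontact.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {rules_hit(raw) or 'no hit'}")
```

The `uri` pattern has no leading `\b`, so it also fires on the lookalike host and on a query-string mention; that false-positive surface matters more at score 12 than at 0.6.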