Re: google domains spam
On 2021-03-01 11:19, Matus UHLAR - fantomas wrote:
>> do you want to say, only delegated domains are searched, not subdomains?

On 01.03.21 15:25, Benny Pedersen wrote:
> yes spamassassin works this way

I apparently missed docs about this. And, frankly, it's apparently not ideal, at least for my case.

>> I don't have sh.pm nor SH.cf on my server. I don't even use DQS...

> you don't need dqs, read again, only inspired by the rules could be useful to test redirect to maybe just one nameserver could hit them all
>
> i just don't know if spamassassin resolve redirect domains

here goo.gl can be (and is) blacklisted successfully:

clear_uridnsbl_skip_domain goo.gl

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: google domains spam
On 2021-03-01 11:19, Matus UHLAR - fantomas wrote:
> do you want to say, only delegated domains are searched, not subdomains?

yes spamassassin works this way

> I don't have sh.pm nor SH.cf on my server. I don't even use DQS...

you don't need dqs, read again, only inspired by the rules could be useful to test redirect to maybe just one nameserver could hit them all

i just don't know if spamassassin resolve redirect domains
Re: google domains spam
On 2021-02-28 12:26, Matus UHLAR - fantomas wrote:
>>> How can I make SA to rbl-check for subdomain, not just google.com domain?

On 28.02.21 15:58, Benny Pedersen wrote:
>> 2nd tld cf file or

On 01.03.21 11:19, Matus UHLAR - fantomas wrote:
> do you want to say, only delegated domains are searched, not subdomains?

seems that configuring google.com as delegation point helped:

util_rb_2tld google.com

 * 3.5 L_URIBL_FANTOMAS contains locally blocklisted URI
 * [URIs: sites.google.com]

but I'm not sure if this is proper solution. not that I expect google.com appear in blacklists...

>> https://github.com/spamhaus/spamassassin-dqs/blob/master/SH.pm#L78
>>
>> change SH.cf to sh_local.cf to your own rbldnsd
>>
>> the sh.pm module has more functions than used, but it can be used with more testing with or without dqs keys
>>
>> note the 2nd tld would be global change while the sh.pm is not

> I don't have sh.pm nor SH.cf on my server. I don't even use DQS...

>> hope its useful

partly useful. Your suggestion was not, but your hint was... thanks
Re: google domains spam
On 2021-02-28 12:26, Matus UHLAR - fantomas wrote:
>> How can I make SA to rbl-check for subdomain, not just google.com domain?

On 28.02.21 15:58, Benny Pedersen wrote:
> 2nd tld cf file or

do you want to say, only delegated domains are searched, not subdomains?

> https://github.com/spamhaus/spamassassin-dqs/blob/master/SH.pm#L78
>
> change SH.cf to sh_local.cf to your own rbldnsd
>
> the sh.pm module has more functions than used, but it can be used with more testing with or without dqs keys
>
> note the 2nd tld would be global change while the sh.pm is not

I don't have sh.pm nor SH.cf on my server. I don't even use DQS...

> hope its useful
Re: google domains spam
On 2021-02-28 12:26, Matus UHLAR - fantomas wrote:
> How can I make SA to rbl-check for subdomain, not just google.com domain?

2nd tld cf file or

https://github.com/spamhaus/spamassassin-dqs/blob/master/SH.pm#L78

change SH.cf to sh_local.cf to your own rbldnsd

the sh.pm module has more functions than used, but it can be used with more testing with or without dqs keys

note the 2nd tld would be global change while the sh.pm is not

hope its useful
google domains spam
Hi guys,

last time I received too many spam with links to sites.google.com and goo.gl redirects.

The sites.google.com website contains "report" links, however after about a week of reporting them all, spam containing the same site comes and the site is not removed.

The goo.gl does not seem to contain any place for reporting spams. Seems that it was deprecated but still somehow works.

I have decided to locally blacklist them both (I run local rbldns, with IP and domain-based blacklists).

urirhsbl L_URIBL_FANTOMAS rhsbl.fantomas.sk. TXT
body L_URIBL_FANTOMAS eval:check_uridnsbl('URIBL_FANTOMAS')

However, both goo.gl and google.com are skipped with scanning:

/var/lib/spamassassin/3.004004/updates_spamassassin_org/25_uribl.cf:uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com
/var/lib/spamassassin/3.004004/updates_spamassassin_org/25_uribl.cf:uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com

I can unlist locally both:

clear_uridnsbl_skip_domain goo.gl google.com

However, goo.gl seems to be caught:

 * 3.5 L_URIBL_FANTOMAS contains locally blocklisted URI
 * [URIs: goo.gl]

but sites.google.com is not. Seems SA only calls domain, not subdomains:

Feb 28 12:21:21.173 [8745] dbg: async: calling callback on key DNSBL:google.com:rhsbl.fantomas.sk, rule L_URIBL_FANTOMAS
Feb 28 12:21:21.173 [8745] dbg: uridnsbl: complete_dnsbl_lookup L_URIBL_FANTOMAS DNSBL:google.com:rhsbl.fantomas.sk

How can I make SA to rbl-check for subdomain, not just google.com domain?
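As an added example (not from the thread, and a simplified model rather than SpamAssassin's own code), the following Python replays the three configurations discussed above: the shipped uridnsbl_skip_domain entries, clear_uridnsbl_skip_domain, and util_rb_2tld google.com, and shows which name reaches the RHSBL in each case. The class, the zone contents and the host list are constructed; real SA takes its registrar boundaries from Mail::SpamAssassin::Util::RegistrarBoundaries, which this toy replaces with a three-entry set.

```python
# Simplified model (not SpamAssassin code) of how the URIDNSBL plugin decides
# which name to send to an RHSBL, following the behaviour described in the thread.

# A few registrar boundaries standing in for SA's built-in list (constructed subset).
BUILTIN_2TLD = {"co.uk", "com.au", "co.jp"}


class UriDnsblModel:
    def __init__(self):
        self.two_tlds = set(BUILTIN_2TLD)
        self.skip = set()

    # --- the three configuration directives used in the thread ---
    def util_rb_2tld(self, *domains):
        """Treat these names as registrar boundaries, so one more label is kept."""
        self.two_tlds.update(d.lower() for d in domains)

    def uridnsbl_skip_domain(self, *domains):
        """Domains never sent to the RHSBL (25_uribl.cf ships google.com and goo.gl here)."""
        self.skip.update(d.lower() for d in domains)

    def clear_uridnsbl_skip_domain(self, *domains):
        self.skip.difference_update(d.lower() for d in domains)

    # --- lookup logic ---
    def trim_domain(self, host):
        """Registrable domain the query is built from: the last two labels, or the last
        three when the last two form a known boundary (co.uk, or google.com once
        util_rb_2tld google.com is configured)."""
        labels = host.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            return ".".join(labels)
        if ".".join(labels[-2:]) in self.two_tlds:
            return ".".join(labels[-3:])
        return ".".join(labels[-2:])

    def query_keys(self, hosts):
        """Distinct trimmed domains that would be queried, skipped ones dropped."""
        keys = []
        for host in hosts:
            domain = self.trim_domain(host)
            if domain not in self.skip and domain not in keys:
                keys.append(domain)
        return keys

    def check_uridnsbl(self, hosts, zone):
        """(key, TXT) for every queried key the zone lists; zone is a dict standing in
        for an rbldnsd zone such as rhsbl.fantomas.sk (contents constructed)."""
        return [(k, zone[k]) for k in self.query_keys(hosts) if k in zone]


# Constructed stand-in for the local rhsbl zone: both abused names are listed.
LOCAL_ZONE = {
    "goo.gl": "locally blocklisted URI",
    "sites.google.com": "locally blocklisted URI",
}
# Hosts extracted from a constructed message.
MAIL_HOSTS = ["sites.google.com", "goo.gl", "www.example.co.uk"]


def walk_through():
    """Replay the thread's three configurations; returns the hits after each step."""
    m = UriDnsblModel()
    m.uridnsbl_skip_domain("google.com", "goo.gl")      # as shipped in 25_uribl.cf
    step1 = m.check_uridnsbl(MAIL_HOSTS, LOCAL_ZONE)    # both skipped: nothing hits
    m.clear_uridnsbl_skip_domain("goo.gl", "google.com")
    step2 = m.check_uridnsbl(MAIL_HOSTS, LOCAL_ZONE)    # goo.gl hits; google.com is queried, not sites.google.com
    m.util_rb_2tld("google.com")
    step3 = m.check_uridnsbl(MAIL_HOSTS, LOCAL_ZONE)    # sites.google.com is now queried and hits
    return step1, step2, step3


if __name__ == "__main__":
    for n, hits in enumerate(walk_through(), 1):
        print(f"step {n}: {hits}")
```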
Re: Google Forms spam
On 2021-02-21 15:55, Alex wrote:
> It seems Google Forms is being used to send links to malicious sites and junk. It's making it through because of USER_IN_DEF_DKIM_WL. Is it time to remove Google/Gmail from this rule?

adjust that score on dkim wl

score USER_IN_DEF_DKIM_WL (4) (4) (4) (4)

> Perhaps a meta that combines USER_IN_DEF_DKIM_WL with BAYES_99 adds the points back?

its your spamassassin, can't see why you accept scores

> Perhaps just blocking .link domains altogether? Of course we could just add body rules ad infinitum...

that url is listed in URIBL_BLACK

score URIBL_BLACK (4) (4) (4) (4)

> https://pastebin.com/gqBJa2DB

i saw you as well do SHORTCIRCUIT why ?
Google Forms spam
Hi,

It seems Google Forms is being used to send links to malicious sites and junk. It's making it through because of USER_IN_DEF_DKIM_WL. Is it time to remove Google/Gmail from this rule?

Perhaps a meta that combines USER_IN_DEF_DKIM_WL with BAYES_99 adds the points back?

Perhaps just blocking .link domains altogether? Of course we could just add body rules ad infinitum...

https://pastebin.com/gqBJa2DB
Re: google and spam
On Mon, 14 Dec 2020 16:54:11 +0100
Reindl Harald wrote:

> On 14.12.20 at 16:32, RW wrote:
>
> > The list does not break DKIM (as part of DMARC) in my experience
>
> oh come on!

Over the last two years I've had 202 DMARC fails reach gmail through this list (only a small minority of fails were rejected). If I eliminate those without an author aligned signature and those that signed list-* headers, that reduces to just 4 over 2 years. All of the remaining 4 failed DKIM in Apache's AR header on the way in to the system before they reached the list software, and all 4 were from amateur run SOHO mail systems.
Re: google and spam
On Mon, 14 Dec 2020, Dominic Raferd wrote:

> On 14/12/2020 11:01, Iulian Stan wrote:
>> I am also receiving a lot of spam from google (apparently always domain is trix.bounces.google.com)
>> https://pastebin.com/DW6dvdxP
>
> To my surprise, you seem to be right. In my logs I have a number of these (but not a huge number) over the last year, they have almost all been blocked by SA (not using bayes) - but not blocked by earlier defences. I have received only a handful of such mails that have passed SA; now when I check them all definitely spam/phishing. The IPs all seem to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple of points scoring to anything from trix.bounces.google.com.

I'll add a rule for that to my sandbox and we'll see what happens.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The belief in one's own moral superiority eventually erases the conscience. After all, if one is morally superior to others, then no conscience is needed. All actions and behaviors are acceptable because they're done in an effort to make the world a better place. -- I Editorial
---
Tomorrow: Bill of Rights day
Re: google and spam
test again from my real domain :)

On 2020-12-14 17:32, RW wrote:
> On Mon, 14 Dec 2020 11:01:59 + (UTC)
> Iulian Stan wrote:
>
>> Hi all,
>> First of all i am writing this email from yahoo
>
> One of the worst freemail choices for mailing lists because of its DMARC reject policy.
>
>> because from my own domain it seems it's not working because i have DMARC setup and apparently something(maybe ezml) is messing up with the headers.
>
> The list does not break DKIM (as part of DMARC) in my experience, unless the sending domain has done something that makes it incompatible with mailing lists. e.g. signing the absence of a list-* header.
>
> The list itself doesn't appear to reject DMARC fails because almost all such posts that aren't received at gmail still make it to the gmane news server (news.gmane.io). If your posts aren't seen on gmane, it's likely nothing to do with DMARC.
Re: google and spam
Hello,

Crystal clear for the DMARC issue that i've had.

Does anyone else have any thoughts about trix.bounces.google.com and the spam that we receive?

Best regards,
Iulian

On 2020-12-14 19:39, RW wrote:
> On Mon, 14 Dec 2020 18:46:15 +0200
> iulian stan wrote:
>
>> DKIM-Signature: ...
>> h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
>
> If you sign these headers without adding them all once in your original message, you are signing their absence. This breaks DKIM and DMARC in mailing lists.
Re: google and spam
On Mon, 14 Dec 2020 18:46:15 +0200
iulian stan wrote:

> DKIM-Signature: ...
> h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

If you sign these headers without adding them all once in your original message, you are signing their absence. This breaks DKIM and DMARC in mailing lists.
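As an added example, not part of RW's post: a Python model of the two RFC 6376 rules behind this, relaxed header canonicalization and the h= selection rule, showing that a name listed in h= with no matching header contributes nothing to the signed data, so a List-Id that a list adds later changes the header hash, while the same h= with the headers added once by the sender survives. The message, domain, selector and body hash are constructed, no RSA is performed, and the assumption that list software inserts its headers above the existing ones is labelled in the code.

```python
import hashlib
import re


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization: lower-case the name, unfold
    continuation lines, squeeze whitespace runs to one space, strip, emit name:value CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def signed_headers(headers, h_tag):
    """headers: (name, value) pairs top to bottom as they appear in the message.
    For each name in h= (section 5.4.2) pick the lowest not-yet-used instance; a name
    with no instance appends nothing, which is what 'signing its absence' means."""
    used = [False] * len(headers)
    out = []
    for wanted in h_tag.split(":"):
        for i in range(len(headers) - 1, -1, -1):        # search from the bottom
            if not used[i] and headers[i][0].lower() == wanted.lower():
                used[i] = True
                out.append(relaxed_header(*headers[i]))
                break
    return "".join(out)


def header_hash(headers, h_tag, dkim_field):
    """Section 3.7: hash over the selected headers followed by the DKIM-Signature
    field itself with an empty b=, without its trailing CRLF."""
    data = signed_headers(headers, h_tag)
    data += relaxed_header("DKIM-Signature", dkim_field).rstrip("\r\n")
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed message as the sender's server signed it (no List-* headers present).
ORIGINAL = [
    ("From", "iulian stan <user@example.org>"),
    ("To", "users@example.net"),
    ("Subject", "Re: google and spam"),
    ("Date", "Mon, 14 Dec 2020 18:46:15 +0200"),
]
# Headers the list adds on the way out. Assumption: inserted above the existing ones.
LIST_HEADERS = [
    ("List-Id", "<users.example.net>"),
    ("List-Unsubscribe", "<mailto:users-unsubscribe@example.net>"),
]
H_ABSENT = "From:To:Subject:Date:List-Id:List-Unsubscribe"   # shape of the quoted h= tag
H_PLAIN = "From:To:Subject:Date"
DKIM_FIELD = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
              "h={h}; bh=CONSTRUCTED-BODY-HASH; b=")


def survives_list(original, h_tag):
    """True when the header hash the signer computed still matches what a verifier
    computes after the list has prepended its List-* headers."""
    field = DKIM_FIELD.format(h=h_tag)
    before = header_hash(original, h_tag, field)
    after = header_hash(LIST_HEADERS + original, h_tag, field)
    return before == after


def demo():
    # Sender adds the headers once itself (RW's remedy); the list's copies then sit
    # above them and bottom-first selection still picks the sender's originals.
    with_own = ORIGINAL + [
        ("List-Id", "<none.example.org>"),
        ("List-Unsubscribe", "<mailto:nobody@example.org>"),
    ]
    return {
        "sign_absent_list_headers": survives_list(ORIGINAL, H_ABSENT),   # broken
        "sign_only_present_headers": survives_list(ORIGINAL, H_PLAIN),   # fine
        "add_them_once_then_sign": survives_list(with_own, H_ABSENT),    # fine
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'DKIM fails after the list'}")
```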
Re: google and spam
I see a deluge of spam from google.com, caught at FROM, all containing an @NXDOMAIN. Google is tripping on its own shoe laces in this period.

Original Message
On Dec 14, 2020, 12:01, Iulian Stan wrote:

> Hi all,
>
> First of all i am writing this email from yahoo because from my own domain it seems it's not working because i have DMARC setup and apparently something(maybe ezml) is messing up with the headers. If you have any idea to whom should i address i will be more than happy :)
>
> I am also receiving a lot of spam from google (apparently always domain is trix.bounces.google.com) and all spam is using google forms.
> For me the problem is solved(meaning that all of these spam is going to quarantine and bayes is learning about those) but i was wondering if:
>
> 1) Since email are coming from google how come google is not doing anything?
>
> 2) Are those spam sent manually? It will be a nightmare for a spammer to do this but how come there not any limitation coming from google if spam are sent via mass-bulk programs/interfaces/etc?
>
> 3) I am using also a local(my own) RBL which is trained with IPs from spam. It is queried by spamassassin because i don't want to reject from MTA but use it in conjunction with others scores/rules. Now i have doubts that if i keep adding IPs from google i will end up having all google MTAs added and legit email might be hurt in the progress. What do you think? Do you have insights about this trix.bounces.google.com? Looking on RBL doesn't look too great and it seems from his domain there is spam which is actively sent.
>
> 4) I thought that maybe google launched something similar with sendgrid but i don't find any reference about it and also the envelope-from are different i didn't find a common denominator.
>
> Few examples:
>
> envelope-from <3lxrkxxqobqgumoiuqttqwva.rjfiarllqitwojzivl.zcwnnqkmoajmb...@trix.bounces.google.com>
> envelope-from <3qte3xwgjbdml8usyttw5bz7a.1dbz0jh35h03i...@trix.bounces.google.com>
> envelope-from <3sentxxqjbtgj8n8l4g4ha5i.54hechaag4cf.6igi99c68am58n...@trix.bounces.google.com>
> envelope-from <3pgtvxxmjbqkrwox0lkwkjwt.x0p.wppvjru.lxvjk31np1kn2...@trix.bounces.google.com>
> envelope-from <3qc7wxxijdt4rw.wfxmjjifgizqm99lrfnq.htrhtxrns.lfnyfslxgjy...@trix.bounces.google.com>
> envelope-from <3vt3kxwwjdvwqymqymqmrk55kqemp.gsqmsryx.tixvmwsvkwfix...@trix.bounces.google.com>
> envelope-from <3uxldxwsjd4gymp6m645uzjsymux.o0yo045qx.stq03stqs4nq5...@trix.bounces.google.com>
>
> Above also a full example of an email:
>
> https://pastebin.com/DW6dvdxP
>
> Thanks in advance,
> Iulian
Re: google and spam
On Mon, 14 Dec 2020 11:01:59 + (UTC)
Iulian Stan wrote:

> Hi all,
> First of all i am writing this email from yahoo

One of the worst freemail choices for mailing lists because of its DMARC reject policy.

> because from my own domain it seems it's not working because i
> have DMARC setup and apparently something(maybe ezml) is messing up
> with the headers.

The list does not break DKIM (as part of DMARC) in my experience, unless the sending domain has done something that makes it incompatible with mailing lists. e.g. signing the absence of a list-* header.

The list itself doesn't appear to reject DMARC fails because almost all such posts that aren't received at gmail still make it to the gmane news server (news.gmane.io). If your posts aren't seen on gmane, it's likely nothing to do with DMARC.
Re: google and spam
On 14/12/2020 11:01, Iulian Stan wrote:
> Hi all,
>
> First of all i am writing this email from yahoo because from my own domain it seems it's not working because i have DMARC setup and apparently something(maybe ezml) is messing up with the headers. If you have any idea to whom should i address i will be more than happy :)
>
> I am also receiving a lot of spam from google (apparently always domain is trix.bounces.google.com) and all spam is using google forms.
> For me the problem is solved(meaning that all of these spam is going to quarantine and bayes is learning about those) but i was wondering if:
>
> 1) Since email are coming from google how come google is not doing anything?
>
> 2) Are those spam sent manually? It will be a nightmare for a spammer to do this but how come there not any limitation coming from google if spam are sent via mass-bulk programs/interfaces/etc?
>
> 3) I am using also a local(my own) RBL which is trained with IPs from spam. It is queried by spamassassin because i don't want to reject from MTA but use it in conjunction with others scores/rules. Now i have doubts that if i keep adding IPs from google i will end up having all google MTAs added and legit email might be hurt in the progress. What do you think? Do you have insights about this trix.bounces.google.com? Looking on RBL doesn't look too great and it seems from his domain there is spam which is actively sent.
>
> 4) I thought that maybe google launched something similar with sendgrid but i don't find any reference about it and also the envelope-from are different i didn't find a common denominator.
>
> Few examples:
>
> envelope-from <3lxrkxxqobqgumoiuqttqwva.rjfiarllqitwojzivl.zcwnnqkmoajmb...@trix.bounces.google.com>
> ...
>
> Above also a full example of an email:
>
> https://pastebin.com/DW6dvdxP

To my surprise, you seem to be right.

In my logs I have a number of these (but not a huge number) over the last year, they have almost all been blocked by SA (not using bayes) - but not blocked by earlier defences. I have received only a handful of such mails that have passed SA; now when I check them all definitely spam/phishing. The IPs all seem to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple of points scoring to anything from trix.bounces.google.com.
google and spam
Hi all,

First of all i am writing this email from yahoo because from my own domain it seems it's not working because i have DMARC setup and apparently something(maybe ezml) is messing up with the headers. If you have any idea to whom should i address i will be more than happy :)

I am also receiving a lot of spam from google (apparently always domain is trix.bounces.google.com) and all spam is using google forms.
For me the problem is solved(meaning that all of these spam is going to quarantine and bayes is learning about those) but i was wondering if:

1) Since email are coming from google how come google is not doing anything?

2) Are those spam sent manually? It will be a nightmare for a spammer to do this but how come there not any limitation coming from google if spam are sent via mass-bulk programs/interfaces/etc?

3) I am using also a local(my own) RBL which is trained with IPs from spam. It is queried by spamassassin because i don't want to reject from MTA but use it in conjunction with others scores/rules. Now i have doubts that if i keep adding IPs from google i will end up having all google MTAs added and legit email might be hurt in the progress. What do you think? Do you have insights about this trix.bounces.google.com? Looking on RBL doesn't look too great and it seems from his domain there is spam which is actively sent.

4) I thought that maybe google launched something similar with sendgrid but i don't find any reference about it and also the envelope-from are different i didn't find a common denominator.

Few examples:

envelope-from <3lxrkxxqobqgumoiuqttqwva.rjfiarllqitwojzivl.zcwnnqkmoajmb...@trix.bounces.google.com>
envelope-from <3qte3xwgjbdml8usyttw5bz7a.1dbz0jh35h03i...@trix.bounces.google.com>
envelope-from <3sentxxqjbtgj8n8l4g4ha5i.54hechaag4cf.6igi99c68am58n...@trix.bounces.google.com>
envelope-from <3pgtvxxmjbqkrwox0lkwkjwt.x0p.wppvjru.lxvjk31np1kn2...@trix.bounces.google.com>
envelope-from <3qc7wxxijdt4rw.wfxmjjifgizqm99lrfnq.htrhtxrns.lfnyfslxgjy...@trix.bounces.google.com>
envelope-from <3vt3kxwwjdvwqymqymqmrk55kqemp.gsqmsryx.tixvmwsvkwfix...@trix.bounces.google.com>
envelope-from <3uxldxwsjd4gymp6m645uzjsymux.o0yo045qx.stq03stqs4nq5...@trix.bounces.google.com>

Above also a full example of an email:

https://pastebin.com/DW6dvdxP

Thanks in advance,
Iulian
Re: Google Docs spam and __URI_GOOGLE_DOC
On Fri, 16 Oct 2020, Ricky Boone wrote:

> Good afternoon. I'm seeing an increase in spam/phishing that is utilizing Google Docs. I see a rule that seems to be intended to flag certain Google Docs related URLs, but not the ones I'm seeing.
>
> 72_active.cf:uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i
>
> The URLs I'm seeing don't match that regex. They all appear to have the following prefix:
>
> https://docs.google.com/document/d/e/
>
> I think it might be useful to update the pattern to something like the following, so it could be used by other meta rules, but thought I'd check with the community first:
>
> m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:id|formkey)=|document),i
>
> Thoughts or opinions?

I'll put something into my sandbox to see how the new pattern performs in masscheck.

If you can upload some spamples to pastebin and post their URIs here so that we can see what they look like, that would be very helpful.
Google Docs spam and __URI_GOOGLE_DOC
Good afternoon. I'm seeing an increase in spam/phishing that is utilizing Google Docs. I see a rule that seems to be intended to flag certain Google Docs related URLs, but not the ones I'm seeing.

72_active.cf:uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i

The URLs I'm seeing don't match that regex. They all appear to have the following prefix:

https://docs.google.com/document/d/e/

I think it might be useful to update the pattern to something like the following, so it could be used by other meta rules, but thought I'd check with the community first:

m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:id|formkey)=|document),i

Thoughts or opinions?
Google/Yahoo Spam
Hi all,

I'm seeing an increase in Google Reader and yahoo groups/personals/profile spam. Here's an example of the Google Reader spam:

http://pastebin.com/m1021fc5f

Any ideas on how to catch this one?

For the Yahoo spam (with links to yahoo sites ending in '/1'), I've created these:

uri LOC_YAHOO1 m{http://groups\.yahoo\.com\/}i
score LOC_YAHOO1 0 1.5 0 1.5
describe LOC_YAHOO1 Contains groups.yahoo.com uri

uri LOC_YAHOO2 m{http://profile\.yahoo\.com\/}i
score LOC_YAHOO2 0 1.5 0 1.5
describe LOC_YAHOO2 Raw body contains profile.yahoo

uri LOC_YAHOO3 m{http://personals\.yahoo\.com\/}i
score LOC_YAHOO3 0 1.5 0 1.5
describe LOC_YAHOO3 Raw body contains personals.yahoo

They're somewhat pared down because I'm not very good at pattern matching, so thought someone could improve on this?

Thanks,
Alex
Re: Google/Yahoo Spam
On Thu, 2009-08-27 at 12:38 -0400, MySQL Student wrote:
> I'm seeing an increase in Google Reader and yahoo groups/personals/profile spam. Any ideas on how to catch this one?
>
> For the Yahoo spam (with links to yahoo sites ending in '/1'), I've created these:

This should catch your set and more:

uri LOC_YAHOO /^http:.{1,40}\.yahoo[.,]com/i
score LOC_YAHOO 0 1.5 0 1.5
describe LOC_YAHOO Contains *.yahoo.com uri

Or, if you want to be more specific, try this:

uri LOC_YAHOO /^http:\/\/(groups|profile|personals)\.yahoo[.,]com/i
score LOC_YAHOO 0 1.5 0 1.5
describe LOC_YAHOO Contains yahoo.com groups/profile/personals uri

Martin
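An added example that is not part of either post: it parses the SpamAssassin uri rule lines from this thread and from the __URI_GOOGLE_DOC thread above into Python regexes (both the /.../i and m,...,i delimiter styles) and runs them over constructed URIs, so the reach of each pattern can be compared side by side. The _OLD/_NEW and _BROAD/_SPECIFIC suffixes on the rule names and all sample URIs are constructed here.

```python
import re

# Bracket delimiters pair up; any other delimiter closes with itself.
_PAIRS = {"{": "}", "(": ")", "[": "]", "<": ">"}
# Perl flags that have a direct Python counterpart; anything else raises KeyError.
_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_uri_rule(line):
    """Turn 'uri NAME m,pattern,flags' or 'uri NAME /pattern/flags' into (NAME, regex).
    Covers the delimiter styles seen on the list: m,..., m{...} m'...' and /.../."""
    kind, name, pat = line.split(None, 2)
    if kind != "uri":
        raise ValueError(f"not a uri rule: {line!r}")
    if pat[0] != "/":
        if pat[0] != "m":
            raise ValueError(f"unrecognised pattern syntax: {pat!r}")
        pat = pat[1:]                       # drop the Perl m operator
    close_d = _PAIRS.get(pat[0], pat[0])
    end = pat.rfind(close_d)
    if end < 1:
        raise ValueError(f"unterminated pattern: {pat!r}")
    body, flags = pat[1:end], pat[end + 1:]
    re_flags = 0
    for f in flags:
        re_flags |= _FLAGS[f]
    return name, re.compile(body, re_flags)


def matching_rules(rules, uri):
    """Names of the rules whose regex matches somewhere in uri: SA uri rules are
    unanchored Perl =~ matches, so search() rather than fullmatch()."""
    return [name for name, rx in rules if rx.search(uri)]


# Rule lines from the two threads; suffixes added here to tell the versions apart.
RULE_LINES = [
    r"uri __URI_GOOGLE_DOC_OLD m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i",
    r"uri __URI_GOOGLE_DOC_NEW m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:id|formkey)=|document),i",
    r"uri LOC_YAHOO1 m{http://groups\.yahoo\.com\/}i",
    r"uri LOC_YAHOO_BROAD /^http:.{1,40}\.yahoo[.,]com/i",
    r"uri LOC_YAHOO_SPECIFIC /^http:\/\/(groups|profile|personals)\.yahoo[.,]com/i",
]
RULES = [parse_uri_rule(line) for line in RULE_LINES]

# Constructed URIs: the document/d/e/ shape from the Google Docs thread, the older
# viewform shape, an unrelated Docs URL, a Yahoo groups link ending in /1, and a
# non-Yahoo host that merely carries ".yahoo.com" in its query string.
SAMPLE_URIS = [
    "https://docs.google.com/document/d/e/EXAMPLE-ID/pub",
    "https://docs.google.com/viewform?formkey=EXAMPLE-KEY",
    "https://docs.google.com/spreadsheets/d/EXAMPLE-ID/edit",
    "http://groups.yahoo.com/group/EXAMPLE/1",
    "http://www.example.test/?r=.yahoo.com",
]


def report(uris=SAMPLE_URIS, rules=RULES):
    """Map each URI to the names of the rules that fire on it."""
    return {uri: matching_rules(rules, uri) for uri in uris}


if __name__ == "__main__":
    for uri, names in report().items():
        print(f"{uri}\n    {', '.join(names) or '(no hit)'}")
```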
google group spam
hi

i am using this rule to catch spam with a google group link,

uri __GOOGLEGROUPS_15 m'http://[^.]{15}\.googlegroups\.com'i
meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 __GOOGLEGROUPS_NUM
describe NN_GOOGLEGROUPS_15 Contains a suspicious googlegroups URI.
score NN_GOOGLEGROUPS_15 2

but now i am getting a new type of one which the rules doesn't catch

http://groups.google.com/group/

can someone please help me write a rule for this link?

__ Information from ESET NOD32 Antivirus, version of virus signature database 3973 (20090329) __
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: google group spam
On 29-Mar-2009, at 16:42, JC Putter wrote:
> uri __GOOGLEGROUPS_15 m'http://[^.]{15}\.googlegroups\.com'i
> meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 __GOOGLEGROUPS_NUM
> describe NN_GOOGLEGROUPS_15 Contains a suspicious googlegroups URI.
> score NN_GOOGLEGROUPS_15 2
>
> but now i am getting a new type of one which the rules doesn't catch
>
> http://groups.google.com/group/
>
> can someone please help me write a rule for this link?

uri __GOOGLEGROUPS_15 m'http://groups\.google\.com\/group\/'i

I dunno what the {15} was meant to accomplish (why 15 characters specifically? 14 is not suspicious? 37 is not suspicious either?), but that will match any google groups link in the form you posted.

-- 
The Piper's calling you to join him
Google groups spam
i am getting spam from google groups

my only is is 0.5 FREEMAIL_FROM

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1238042388; bh=qIS1L4iJc6kS4EAxGGA7apkYn+LwwewDsELAo62Dcak=; h=Message-ID:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=coeLPEfdbLl2Ig4TFp32RXGnt7XFXN6jCjnKMOuT5alLSf95saEPX7QpRXPwRM9szfyGhexZDpNeAdedQl9R8O5NzCItwPH1MiBNahzDiHSFlMAQ2Op4AfMFWyDAvTCIdNAIUZ/ZCNdNweCk+m18OvC7+aPtXqNu1FlzUkmDW5U=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=omde1HhUPO/Yv4E0WxLDIZM3Tm/kWcpzlI+JZuU5WS7W5E6fNxmpce78CJtMsUMktITBL17QLO7aB37/lSvnvSH/pHha+oHE/BChq44wF/fMXBgicPIfOockc1saRFomTQ1svt5pmfTDzpaap5PP4fRaHSeT0TKlTi2ci/+qdX8=;
Message-ID: 321141.24213...@web43503.mail.sp1.yahoo.com
Received: from [200.92.27.171] by web43503.mail.sp1.yahoo.com via HTTP; Wed, 25 Mar 2009 21:39:48 PDT
X-Mailer: YahooMailClassic/5.1.20 YahooMailWebService/0.7.289.1
Date: Wed, 25 Mar 2009 21:39:48 -0700 (PDT)
From: Jeff Roland telexedyplut...@yahoo.com
Subject: Amateur sluts in juicy action with beasts
To: damdeloui...@yahoo.com, jcput...@centreweb.co.za, antiganbo...@hotmail.com, db_hypno...@hotmail.com, chrisrobis...@mac.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-centreweb_co_za-MailScanner-Information: Please contact the ISP for more information
X-centreweb_co_za-MailScanner-ID: 53A6037EF19.5E10D
X-centreweb_co_za-MailScanner: Found to be clean
X-centreweb_co_za-MailScanner-From: telexedyplut...@yahoo.com
X-Spam-Status: No
Old-X-EsetId: 4B64842AE47139695462847DE92575
X-EsetId: 4B64842AE47139695462847DE92575
X-EsetScannerBuild: 4669

# google group URL contains ..
uri NN_GOOGLE_GROUP_DD m'www\.google\.com/.*\.\..*/group/'i
describe NN_GOOGLE_GROUP_DD Link to a Google group contains '..'
score NN_GOOGLE_GROUP_DD 4

# google group url contains question mark
uri NN_GOOGLE_GROUP_QM m'google\.com/.*group/[^?]{6,}\?[^?]{6}'i
describe NN_GOOGLE_GROUP_QM Highly suspect link to a google group
score NN_GOOGLE_GROUP_QM 4

uri __GOOGLEGROUPS_15 m'http://[^.]{15}\.googlegroups\.com'i
uri __GOOGLEGROUPS_NUM m'http://[^.]*[0-9][^.]*\.googlegroups\.com'i
meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 __GOOGLEGROUPS_NUM
describe NN_GOOGLEGROUPS_15 Contains a suspicious googlegroups URI.
score NN_GOOGLEGROUPS_15 2
Re: Google groups spam
On 3/26/2009 9:44 AM, JC Putter wrote:
> i am getting spam from google groups
>
> my only is is 0.5 FREEMAIL_FROM

http://www.rulesemporium.com/rules/90_2tld.cf helps quite a bit

afaik, sa-update will keep it updated via Daryl's channel.
Re: Google groups spam
On Thu, 2009-03-26 at 10:44 +0200, JC Putter wrote:
> i am getting spam from google groups

Oh, come on -- feel free to actually talk to us, mention details, and maybe even ask a real question... ;)

> [snipp headers]

Please do NOT paste raw messages, snippets or full headers here. Please DO use a pastebin or your web server to upload the full, raw message, including headers *and* body, and provide a link.

> [snipp uri rules]

Useless, since you didn't provide the raw body, but headers only.
Re: Google groups spam
On Thu, March 26, 2009 09:44, JC Putter wrote:
> i am getting spam from google groups
>
> my only is is 0.5 FREEMAIL_FROM
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1238042388;

don't abuse google, its dkim signed at yahoo.com :)

-- 
http://localhost/ 100% uptime and 100% mirrored :)
Re: Google docs spam
Arvid Ephraim Picciani wrote:
> On Wednesday 21 May 2008 12:12:11 ram wrote:
>> Spammer is using the docs page with a id from google. At least google should have a decent abuse reporting system
>
> this is new. spammers are fast :(
>
>> This mail went by almost clean, Are there any rules I am missing
>> https://ecm.netcore.co.in/tmp/spamgd.txt
>
> same here. 0.0 points. (without bayes)
>
> The spamsource is still not listed anywhere. Reporting to spamcop might be an option. Looks like a czech dialup, i wonder why they are not listed in the PBL.
>
> Maybe one can write a rule for those:
>
> Received: from [77.48.35.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz
>
> (are there any dnsbls for reserved IPs?)

do you mean bogons. There is bogons.cymru.org. See http://www.team-cymru.org/Services/Bogons/
Google docs spam
Now google docs abuse spam.

Spammer is using the docs page with a id from google. At least google should have a decent abuse reporting system

This mail went by almost clean, Are there any rules I am missing

https://ecm.netcore.co.in/tmp/spamgd.txt

Thanks
Ram
Re: Google docs spam
On Wednesday 21 May 2008 12:12:11 ram wrote:
> Spammer is using the docs page with a id from google. At least google should have a decent abuse reporting system

this is new. spammers are fast :(

> This mail went by almost clean, Are there any rules I am missing
> https://ecm.netcore.co.in/tmp/spamgd.txt

same here. 0.0 points. (without bayes)

The spamsource is still not listed anywhere. Reporting to spamcop might be an option. Looks like a czech dialup, i wonder why they are not listed in the PBL.

Maybe one can write a rule for those:

Received: from [77.48.35.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz

(are there any dnsbls for reserved IPs?)

-- 
best regards
Arvid Ephraim Picciani
Re: Google docs spam
On Wednesday 21 May 2008 5:12 am, ram wrote:
> Now google docs abuse spam.
>
> Spammer is using the docs page with a id from google. At least google should have a decent abuse reporting system
>
> This mail went by almost clean, Are there any rules I am missing
>
> https://ecm.netcore.co.in/tmp/spamgd.txt
>
> Thanks
> Ram

It scored pretty high here:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=202.162.229.17,rdns=mail1.example.com,baddns]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4976]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=1 Fuz2=1]
  10 CLAMAV                 Clam AntiVirus detected a virus
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

ClamAv sig is below:

X-Spam-Virus: Yes (Email.Spam.Gen3183.Sanesecurity.08051617)

-- 
Chris
KeyID 0xE372A7DA98E6705C
Re: Google docs spam
Chris wrote:
> On Wednesday 21 May 2008 5:12 am, ram wrote:
>> Now google docs abuse spam.
>>
>> Spammer is using the docs page with a id from google. At least google should have a decent abuse reporting system
>>
>> This mail went by almost clean, Are there any rules I am missing
>>
>> https://ecm.netcore.co.in/tmp/spamgd.txt
>>
>> Thanks
>> Ram
>
> It scored pretty high here:
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=202.162.229.17,rdns=mail1.example.com,baddns]
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.4976]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 1117; Body=1 Fuz1=1 Fuz2=1]
>   10 CLAMAV                 Clam AntiVirus detected a virus
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> ClamAv sig is below:
>
> X-Spam-Virus: Yes (Email.Spam.Gen3183.Sanesecurity.08051617)

Hi Chris,

why not blocking such mails before getting them to spamassassin

use clamav-milter at incoming smtp level with http://www.sanesecurity.co.uk/clamav/ sigs

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Re: Google docs spam
ram wrote:
> Now google docs abuse spam.
>
> Spammer is using the docs page with a id from google. At least google should have a decent abuse reporting system
>
> This mail went by almost clean, Are there any rules I am missing
>
> https://ecm.netcore.co.in/tmp/spamgd.txt
>
> Thanks
> Ram

I am slow. How are they doing this? I couldn't even figure it out looking at the example e-mail.
Re: Google docs spam
On Wed, May 21, 2008 13:48, Robert Schetterer wrote:
> Hi Chris,
>
> why not blocking such mails before getting them to spamassassin
>
> use clamav-milter at incoming smtp level with http://www.sanesecurity.co.uk/clamav/ sigs

it's not a virus, it's spam detected in clamav, virus do something !

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Google link spam?
Is anyone else getting these google link spams? They all seem to be endowment ads. Like this...

Is it small?
http://www.gooogle.com/search?

Anyone got a rule to kill these?

-- 
Mike B^)
Re: Google link spam?
On Tue, 22 Jan 2008, Mike Yrabedra wrote:

> Is anyone else getting these google link spams?

Yes, we've been discussing them for the past week. It's a good idea to check the list archives before asking if there are rules for a particular type of spam.

> http://www.gooogle.com/search?
>
> Anyone got a rule to kill these?

Check the list archives for messages with google in the subject.
Re: Google link spam?
On Tue, 2008-01-22 at 17:31 -0800, John D. Hardin wrote:
> On Tue, 22 Jan 2008, Mike Yrabedra wrote:
>
>> Is anyone else getting these google link spams?

I've not had any complaints about them sneaking past the existing rules.

> Yes, we've been discussing them for the past week. It's a good idea to check the list archives before asking if there are rules for a particular type of spam.
>
>> Anyone got a rule to kill these?

I've run John Hardin's rule all afternoon, and from amongst about 12000 spams I only saw two that hit:

Jan 22 17:29:23 sa amavis[16122]: (16122-14) SPAM, [EMAIL PROTECTED] -> [EMAIL PROTECTED], Yes, score=7.843 tag=-99 tag2=4.5 kill=6.31 tests=[BODY_ENHANCEMENT=1.608, DNS_FROM_RFC_BOGUSMX=2.125, GOOG_MALWARE_URI=0.1, L_P0F_W=1, RELAY_CN=3, RELAY_US=0.01], autolearn=disabled, quarantine OOrIFqr7nOr2 (spam-quarantine)
Jan 22 17:30:22 sa amavis[16422]: (16422-19) SPAM, [EMAIL PROTECTED] -> [EMAIL PROTECTED], Yes, score=7.843 tag=-99 tag2=4.5 kill=6.31 tests=[BODY_ENHANCEMENT=1.608, DNS_FROM_RFC_BOGUSMX=2.125, GOOG_MALWARE_URI=0.1, L_P0F_W=1, RELAY_CN=3, RELAY_US=0.01], autolearn=disabled, quarantine hiQD+uJgfngb (spam-quarantine)

Both were detected without the rule. I'll watch it for the remainder of the week before I decide whether I should keep it.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com