Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Rupert Gallagher
MailChimp allows their clients to send links to MailChimp-hosted zipped malware. This is negligence at best, criminal at worst. Sent from ProtonMail Mobile On Thu, Oct 19, 2017 at 10:00 PM, David Jones wrote: > On 10/19/2017 02:38 PM, Alex wrote: > Hi, > > On Thu, Oct 19, 2017 at 12:32 > PM,

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
Hi, On Thu, Oct 19, 2017 at 10:35 PM, Bill Cole wrote: > On 19 Oct 2017, at 21:15 (-0400), Alex wrote: > >> Why wouldn't you just run the sample I provided through spamassassin >> again? > > > 1. I have no way of knowing what your LOCAL configuration is but I'm certain > that it is substantially

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
>> Why wouldn't you just run the sample I provided through spamassassin >> again? > > 1. I have no way of knowing what your LOCAL configuration is but I'm certain > that it is substantially unlike any I would put into production use. It > includes rules not in the standard set, short-circuits at le

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Bill Cole
On 19 Oct 2017, at 21:15 (-0400), Alex wrote: Why wouldn't you just run the sample I provided through spamassassin again? 1. I have no way of knowing what your LOCAL configuration is but I'm certain that it is substantially unlike any I would put into production use. It includes rules not in

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
On Thu, Oct 19, 2017 at 6:22 PM, Bill Cole wrote: > On 19 Oct 2017, at 17:59 (-0400), Alex wrote: > >> Hi, >> >> On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole >> wrote: >>> >>> On 19 Oct 2017, at 15:38 (-0400), Alex wrote: >>> Third day, third set of false-negatives (20 this time) whitelisted >

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Bill Cole
On 19 Oct 2017, at 17:59 (-0400), Alex wrote: Hi, On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole wrote: On 19 Oct 2017, at 15:38 (-0400), Alex wrote: Third day, third set of false-negatives (20 this time) whitelisted through mailchimp https://pastebin.com/6vkxNXxX I had removed the mcsv.net b

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
Hi, On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole wrote: > On 19 Oct 2017, at 15:38 (-0400), Alex wrote: > >> Third day, third set of false-negatives (20 this time) whitelisted >> through mailchimp >> >> https://pastebin.com/6vkxNXxX >> >> I had removed the mcsv.net but forgot mcdlv.net. It's still

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
Hi, On Thu, Oct 19, 2017 at 4:00 PM, David Jones wrote: > On 10/19/2017 02:38 PM, Alex wrote: >> >> Hi, >> >> On Thu, Oct 19, 2017 at 12:32 PM, Alex wrote: >>> >>> Hi, >>> >>> On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald >>> wrote: On 19.10.2017 at 16:50 Alex wrote: > > >

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Bill Cole
On 19 Oct 2017, at 15:38 (-0400), Alex wrote: Third day, third set of false-negatives (20 this time) whitelisted through mailchimp https://pastebin.com/6vkxNXxX I had removed the mcsv.net but forgot mcdlv.net. It's still not being tagged properly without the whitelisting. That one hit USER_I

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread David Jones
On 10/19/2017 02:38 PM, Alex wrote: Hi, On Thu, Oct 19, 2017 at 12:32 PM, Alex wrote: Hi, On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald wrote: On 19.10.2017 at 16:50 Alex wrote: My bayes is trained such that most marketing emails are bayes99. I've also now removed mcsv.net from the wh

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
Hi, On Thu, Oct 19, 2017 at 12:32 PM, Alex wrote: > Hi, > > On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald > wrote: >> On 19.10.2017 at 16:50 Alex wrote: >>> >>> My bayes is trained such that most marketing emails are bayes99. I've >>> also now removed mcsv.net from the whitelist and see it

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
Hi, On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald wrote: > On 19.10.2017 at 16:50 Alex wrote: >> >> My bayes is trained such that most marketing emails are bayes99. I've >> also now removed mcsv.net from the whitelist and see it resulted in 70 >> messages from mcsv.net being caught today, all

Re: MailChimp with link to javascript/zip malware

2017-10-19 Thread Alex
Hi, >> Another email from a whitelisted mailchimp address that contains malware. >> >> https://pastebin.com/ay83iWjC >> >> It's also not tagged when not whitelisted, and I hoped someone had >> some ideas on what further can be done to block it. >> >> Complicating things, it's in Italian. >> >> I'v

Re: improving detection to cloudmark-like levels?

2017-10-19 Thread Bill Cole
On 19 Oct 2017, at 5:18 (-0400), Jari Fredriksson wrote: > Hit points like 10 points for this issue BAD_TLD are just killing my > system, which will report to spamcop, razor and pyzor without manual > intervention :( I don't really know the Razor or Pyzor policy, as I believe they are desig

Re: improving detection to cloudmark-like levels?

2017-10-19 Thread Kevin A. McGrail
On 10/19/2017 5:18 AM, Jari Fredriksson wrote: The mail is ham from sourceforge.net. I'm able to deliver the post to KAM if he is willing to look at it. It's a rule likely to FP but yes, there are instructions in KAM.cf about FP reports. I've lowered the score on that rule. Regards, KA

Re: improving detection to cloudmark-like levels?

2017-10-19 Thread David Jones
On 10/19/2017 04:18 AM, Jari Fredriksson wrote: David Jones wrote on 13.10.2017 14:16: On 10/13/2017 04:45 AM, Jari Fredriksson wrote: I don't use Kam.cf as it is very prone to false positives and way too aggressively scored by default. I'm pretty happy with my curren

Re: improving detection to cloudmark-like levels?

2017-10-19 Thread Jari Fredriksson
Auto report on spam with 10+ AS points. All other spam is manually reported. br. jarif Jari Fredriksson wrote on 19.10.2017 12:18: David Jones wrote on 13.10.2017 14:16: On 10/13/2017 04:45 AM, Jari Fredriksson wrote: I don't use Kam.cf as it is very prone to false po
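The auto-report policy in the post above is where an over-scored rule such as BAD_TLD does its damage: a single rule can lift ham past the 10-point reporting cut-off and ship it to SpamCop, Razor and Pyzor with no human in the loop. What follows is an added example, not code from the thread or from SpamAssassin, of a gate that parses the X-Spam-Status header a message was tagged with and refuses to automate the report unless the score still clears the threshold after the contributions of rules the operator has flagged as FP-prone are taken away. The rule name BAD_TLD with a local score of 10.0, the SUSPECT_RULES policy, the 10-point threshold and the sample headers are all assumptions constructed for the example.

```python
"""Auto-report gate for SpamAssassin results (added example, not from the thread).

Parses the X-Spam-Status header and decides whether a message may be fed to
`spamassassin --report` automatically. A rule the operator considers FP-prone
is not allowed to carry the decision on its own: its score is subtracted
before the threshold is applied.

Assumptions, all constructed for this example and not taken from the page:
the rule name BAD_TLD scored 10.0 locally, the SUSPECT_RULES policy, the
10-point threshold, and the sample headers at the bottom.
"""
import re
from typing import Dict, List, Optional, Tuple

AUTO_REPORT_THRESHOLD = 10.0

# FP-prone rules whose contribution must not decide an automatic report.
# The values are the assumed local scores of those rules (constructed).
SUSPECT_RULES: Dict[str, float] = {"BAD_TLD": 10.0}

_SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
_REQUIRED_RE = re.compile(r"\brequired=(-?\d+(?:\.\d+)?)")
# The tests= list runs until the next key=value token (autolearn=, version=, ...) or end of header.
_TESTS_RE = re.compile(r"\btests=(.*?)(?=\s+\w+=|$)", re.DOTALL)


def parse_spam_status(header: str) -> Optional[Tuple[bool, float, float, List[str]]]:
    """Return (is_spam, score, required, rules) from an X-Spam-Status header.

    Folded continuation lines are unfolded by dropping the line breaks and
    keeping the leading whitespace (RFC 5322 unfolding). Returns None when the
    header does not look like SpamAssassin output.
    """
    value = header.replace("\r\n", "\n").replace("\n", "")
    if value.lower().startswith("x-spam-status:"):
        value = value.split(":", 1)[1]
    value = value.strip()
    flag = value.split(",", 1)[0].strip()
    if flag not in ("Yes", "No"):
        return None
    score_m = _SCORE_RE.search(value)
    req_m = _REQUIRED_RE.search(value)
    tests_m = _TESTS_RE.search(value)
    if not (score_m and req_m and tests_m):
        return None
    rules = [r.strip() for r in tests_m.group(1).split(",") if r.strip()]
    return flag == "Yes", float(score_m.group(1)), float(req_m.group(1)), rules


def should_auto_report(header: str, threshold: float = AUTO_REPORT_THRESHOLD) -> Tuple[bool, float]:
    """Decide whether to auto-report; also return the discounted score."""
    parsed = parse_spam_status(header)
    if parsed is None:
        return False, 0.0
    is_spam, score, _required, rules = parsed
    # Remove what the FP-prone rules contributed; if the remaining evidence
    # still clears the threshold, automating the report is safe enough.
    discounted = score - sum(SUSPECT_RULES.get(r, 0.0) for r in rules)
    return is_spam and discounted >= threshold, round(discounted, 3)


# Constructed sample headers (not real messages from the thread).
HAM_PUSHED_OVER_BY_BAD_TLD = (
    "X-Spam-Status: Yes, score=11.2 required=5.0 tests=BAD_TLD,DKIM_SIGNED,\n"
    "\tDKIM_VALID,HTML_MESSAGE\n"
    "\tautolearn=no autolearn_force=no version=3.4.1"
)
REAL_SPAM = (
    "X-Spam-Status: Yes, score=21.3 required=5.0 "
    "tests=BAD_TLD,BAYES_99,BAYES_999,RAZOR2_CHECK,URIBL_BLACK "
    "autolearn=spam autolearn_force=no version=3.4.1"
)
PLAIN_HAM = (
    "X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_VALID_AU "
    "autolearn=ham autolearn_force=no version=3.4.1"
)

if __name__ == "__main__":
    for name, hdr in (("ham hit by BAD_TLD", HAM_PUSHED_OVER_BY_BAD_TLD),
                      ("real spam", REAL_SPAM), ("plain ham", PLAIN_HAM)):
        report, adj = should_auto_report(hdr)
        print(f"{name:20s} discounted={adj:6.1f} auto-report={report}")
```

Run the gate in front of `spamassassin --report` (or whatever reporting command the site uses) so only messages that pass it are handed over; everything else stays in the manual-review pile the post describes. The SUSPECT_RULES map is the place to put any rule whose default score a site distrusts, with the score the site actually assigns it.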

Re: improving detection to cloudmark-like levels?

2017-10-19 Thread Jari Fredriksson
David Jones wrote on 13.10.2017 14:16: On 10/13/2017 04:45 AM, Jari Fredriksson wrote: I don't use Kam.cf as it is very prone to false positives and way too aggressively scored by default. I'm pretty happy with my current setup with 3.4.1 though. If you are ha