Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Pedro David Marco
>Hi Pedro, yes but I do not have the ability to share it but I've bcc'd someone >who does to see if they can mail it to the list. >Since the rule I made targets effectively all of the mailsploit exploits and >it's already public, it should be safe.  But I don't know if he used domains >he

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/8/2017 2:34 AM, Pedro David Marco wrote: >The tests are not working because of aws send limits. Unlikely to work. You are right Kevin... fool me.. is there any pastebin sample??? Hi Pedro, yes but I do not have the ability to share it but I've bcc'd someone who does to see if they can

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Pedro David Marco
>The tests are not working because of aws send limits. Unlikely to work. >Regards, >KAM You are right Kevin... fool me.. is there any pastebin sample??? PedroD

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 7:02 PM, Giovanni Bechis wrote: On 12/08/17 00:59, Kevin A. McGrail wrote: On 12/7/2017 6:39 PM, Giovanni Bechis wrote: unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, chinese people, medical

Re: Postmaster Blog

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 1:45 PM, Zulma Pape wrote: Anyone have any links or rss feeds to stay updated on ISPs latest changes ? Here's the Aol postmaster blog: http://postmaster-blog.aol.com/rss.xml Looking for something similar or better ! The AOL Postmaster page has been reference level for a long

Postmaster Blog

2017-12-07 Thread Zulma Pape
Hi, Anyone have any links or rss feeds to stay updated on ISPs latest changes ? Here's the Aol postmaster blog: http://postmaster-blog.aol.com/rss.xml Looking for something similar or better !

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Giovanni Bechis
On 12/08/17 00:59, Kevin A. McGrail wrote: > On 12/7/2017 6:39 PM, Giovanni Bechis wrote: >> unfortunately I cannot use KAM.cf out of the box because some scores are >> completely wrong in my environment (working with strange tld, chinese >> people, medical terms that are sometimes abused, ...),

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 6:39 PM, Giovanni Bechis wrote: unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, chinese people, medical terms that are sometimes abused, ...), so I have to download the file every now and then

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Giovanni Bechis
On 12/08/17 00:19, Kevin A. McGrail wrote: > On 12/7/2017 4:20 PM, John Hardin wrote: >> >> I was more thinking about coverage for people who aren't using KAM.cf, but >> your comment about needing enough examples in the masscheck corpus to >> promote and score the rule is relevant - perhaps it

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 4:20 PM, John Hardin wrote: I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 4:20 PM, John Hardin wrote: I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is important enough to add as a base header rule,

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 11:47 AM, John Hardin wrote: Is that going into the base SA rules as well? The SA rule prop system is not conducive to how my company works.  The delays are too long to publish rules.  I support it in concept but as of yet do not have an easiest lift to support it. I need

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 4:20 PM, John Hardin wrote: I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is important enough to add as a base header rule,

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 11:47 AM, John Hardin wrote: Is that going into the base SA rules as well? The SA rule prop system is not conducive to how my company works.  The delays are too long to publish rules.  I support it in concept but as of yet do not

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread shanew
I managed to run a test about an hour ago on my first try, so maybe AWS upped his limit or demand has slowed down. Or maybe I just got lucky... YMMV On Thu, 7 Dec 2017, Kevin A. McGrail wrote: The tests are not working because of aws send limits. Unlikely to work. Regards, KAM On December

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
The tests are not working because of aws send limits. Unlikely to work. Regards, KAM On December 7, 2017 1:57:41 PM EST, Pedro David Marco wrote: >You can get tests here... >https://www.mailsploit.com/index#demo > >---PedroD.

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Pedro David Marco
You can get tests here... https://www.mailsploit.com/index#demo ---PedroD.

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 9:31 AM, Alex wrote: https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/ Same issue and the rule I wrote yesterday effectively blocks all the published issues.  I'll make some nuance changes to make it broader

Re: MSBL Email Blocklist (EBL) SA usage query

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 10:37 AM, Nels Lindquist wrote: What's the minimum version of SA required? The warning is present on CentOS 7 with the latest repository version of SA (3.4.0) installed. 3.4.1.  It requires "registryboundaries" which was introduced

Re: MSBL Email Blocklist (EBL) SA usage query

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 10:37 AM, Nels Lindquist wrote: What's the minimum version of SA required? The warning is present on CentOS 7 with the latest repository version of SA (3.4.0) installed. 3.4.1.  It requires "registryboundaries" which was introduced in 3.4.1 as noted by AXB. Regards, KAM

Re: MSBL Email Blocklist (EBL) SA usage query

2017-12-07 Thread Nels Lindquist
On 2017/11/23 4:59 AM, Kevin A. McGrail wrote: > AS = SA. Regards, KAM > > On November 23, 2017 6:57:46 AM EST, "Kevin A. McGrail" > wrote: > > Upgrade AS and that should fix it. Happy Thanksgiving, KAM > > On

Re: Whitelisting Sprint with no domain security

2017-12-07 Thread RW
On Wed, 6 Dec 2017 18:03:00 -0800 (PST) John Hardin wrote: > On Wed, 6 Dec 2017, Alex wrote: > > > John wrote: > >> It's TVD_SPACE_RATIO plus some exclusions of hits on hammy rules. > > > > My point was, does it make sense for this rule to apply to an email > > with just an image

Re: Whitelisting Sprint with no domain security

2017-12-07 Thread Alex
Hi, >>> I shouldn't as your entry was: >>> >>> whitelist_from_rcvd *@pm.sprintpcs.com sprintpcs.com >>> >>> when the sprint addresses are on pm.sprint.com - i.e. without the 'pcs'. >> >> >> My apologies; I typed this from memory. The whitelist entry is correct > > > what about compose *one* mail

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 9:31 AM, Alex wrote: Hi, Is this something we should be concerned with? https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/ There was a thread the other day regarding UTF and encoding, but I don't think this is the same? Same issue and the rule I wrote

Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Alex
Hi, Is this something we should be concerned with? https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/ There was a thread the other day regarding UTF and encoding, but I don't think this is the same?

Re: Whitelisting Sprint with no domain security

2017-12-07 Thread Alex
Hi, >> >> https://pastebin.com/cYtygBY9 >> >> >> >> I've tried: >> >> >> >> whitelist_from_rcvd *@pm.sprintpcs.com sprintpcs.com >> >> >> >> Ideas greatly appreciated. >> > >> > >> > Try to capture an example message as close to the version that gets >> > fed to your SA as you can. (Your pastebin

Re: Whitelisting Sprint with no domain security

2017-12-07 Thread RW
On Wed, 6 Dec 2017 20:51:32 -0500 Alex wrote: > Hi, > > >> What is TVD_SPACE_RATIO_MINFP? That appears to be a complex rule, > >> but adds 2.5 points to a basic email with just an image attachment. > >> > >> https://pastebin.com/cYtygBY9 > >> > >> I've tried: > >> > >> whitelist_from_rcvd