RE: New bitcoin ransom message today

2019-12-19 Thread Chip M.
datamining, so will look at that in more detail. I've been scoring "storage.googleapis", however it's used by a lot of non-security-competent Hammers, so it's difficult to give it more than a small score. IMO it would be worthwhile to score it at least a wee bit in case that would help anybody convince their PHB that it's a Bad Practice. John, perhaps a meta for style issues, AWS, and googleapis? - "Chip"

RE: New bitcoin ransom message today

2018-12-13 Thread Chip M.
:roll-eyes: John Hardin: I'll ask for a full bundle from this volunteer (he's in your time zone), and send you full spamples of everything relevant. - "Chip"

Re: 9D character used in words to avoid detection

2018-11-18 Thread Chip M.
t hit SA's "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests. The question is, is that broken header pattern in the original, and if so, should it be detected & scored, in-and-of-itself? We'd need the most pristine original, before proceeding.

spample: porn extortion with pure numeric From domain and base64 body

2018-07-17 Thread Chip M.
> "Pablo Hess" <692@442.947> "Elba Olsen" <255@434.964> "Millie Weber" <041@253.975> We're killing 100% of these (post plain-vanilla SA), mainly due to IP Nation tests, lots of custom body phrase tests, and some body &qu

SPF PermError (was: "Re: Scans and Invoice spam containg HREF to something bad")

2018-06-27 Thread Chip M.
ccepted way to contact those companies? Maybe their Postmaster? Probably a lost cause, but it's frustrating seeing Broke Stuff. :( - "Chip"

Re: Shortcircuit reports only 1 test

2018-01-28 Thread Chip
01/28/2018 04:52 PM, David Jones wrote: > On 01/28/2018 02:25 PM, Benny Pedersen wrote: >> Chip skrev den 2018-01-28 21:01: >>> I see that makes sense.  Thanks for the clarity. >>> >>> However how do you get to 150? >>> >>> good DKIM = 100

Shortcircuit reports only 1 test

2018-01-28 Thread Chip
headers does SpamAssassin cross-reference to ascertain if it's part of the whitelist? I'm sure my explanation is revealing some ignorance - don't hesitate to educate me. Thanks. On 01/28/2018 04:52 PM, David Jones wrote: > On 01/28/2018 02:25 PM, Benny Pedersen wrote: >>

Re: Shortcircuit reports only 1 test

2018-01-28 Thread Chip
> On 01/28/2018 02:09 PM, David Jones wrote: >> On 01/28/2018 02:01 PM, Chip wrote: >>> I see that makes sense.  Thanks for the clarity. >>> >>> However how do you get to 150? >>> >>> good DKIM = 100 >>> good SPF = 100 >>> >&

Re: Shortcircuit reports only 1 test

2018-01-28 Thread Chip
I see that makes sense.  Thanks for the clarity. However how do you get to 150? good DKIM = 100 good SPF = 100 That totals 200 On 01/28/2018 02:53 PM, David Jones wrote: > On 01/28/2018 12:36 PM, Chip wrote: >> I have the following in local.cf >> >> shortcir

Shortcircuit reports only 1 test

2018-01-28 Thread Chip
I have the following in local.cf shortcircuit DKIM_VALID_AU on shortcircuit SPF_PASS on score DKIM_VALID_AU -100 score SPF_PASS -100 The question is are all triggers reported in headers (DKIM and SPF), or just some? A look at the logs and SA headers shows: Logs: 2018-01-28 13:24:05 1efrcb-0001

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
ardin wrote: > On Mon, 22 Jan 2018, Chip wrote: > >> Understood, so then what would a From:name that contains a domain look >> like since it seems the filter needs to compare the domain found in >> From:addr to From:name in order to pass it as ham. > >   From: &quo

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Finally!  Thank you! On 01/22/2018 06:32 PM, John Hardin wrote: > On Mon, 22 Jan 2018, Chip wrote: > >> Understood, so then what would a From:name that contains a domain look >> like since it seems the filter needs to compare the domain found in >> From:addr to From:nam

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Understood, so then what would a From:name that contains a domain look like since it seems the filter needs to compare the domain found in From:addr to From:name in order to pass it as ham. Or am I on another planet altogether here, just say so and I'll shut up. On 01/22/2018 06:21 PM,

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
compare to the domain part of > From:addr. > > The "bounces.em.secureserver.net" you're referring to is part of the > EnvelopeFrom (AKA ReturnPath).  This particular check doesn't consider > that domain name in any way whatsoever. > > On Mon, 22 Jan 2018, Chip

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
On 01/22/2018 05:56 PM, RW wrote: > On Mon, 22 Jan 2018 17:44:00 -0500 > Chip wrote: > >> Following is the full header with identifiable information >> anonymized. > I don't see what you are getting at, in: > > > From: blablabla > > blablabla doesn't contain an "@". >

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
ail address (as in, it lacks a > valid DKIM and/or doesn't come from a server approved by gmail's SPF > record).  It's just that spoofing isn't a sure-fire way to determine > that something is spam (if only...). > > > > On Mon, 22 Jan 2018, Chip wrote: >

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
So it's my understanding that SA does the following with this rule, which is it is checking the From:addr and From:name values in SA to find their domain and triggering a rule hit if there is a domain in the From:name that doesn't match the domain in the From:addr. However, when I examine the head
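A standalone version of the check being discussed (display-name domain versus From: address domain), added here as an example; it is not SpamAssassin's rule code and not anything Chip or the other posters supplied. It only looks at the From: header and ignores the envelope sender / Return-Path, which matches what the thread says about the real rule. The two-label "registrable domain" reduction and the sample headers are assumptions made for illustration.

```python
# Added example, not SpamAssassin's own rule code: a standalone check in the
# spirit of the From:name-vs-From:addr test discussed in this thread.  It
# looks only at the From: header; the envelope sender (Return-Path) is
# deliberately ignored, as the thread notes for the real rule.
import re
from email.utils import parseaddr

# Something that looks like a host name (or a full user@host address) inside
# the display name.  The final label must be at least two letters so that
# initials such as "J.R." do not count as a domain (heuristic assumption).
_NAME_DOMAIN_RE = re.compile(
    r"(?:[\w.+-]+@)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})"
)


def registrable(domain):
    """Reduce a host name to its last two labels ("mail.chase.com" -> "chase.com").

    Assumption: two labels are enough for the sample data; a production filter
    should consult the public suffix list so "bank.co.uk" is not cut to "co.uk".
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def from_name_domain_mismatch(from_header):
    """Return (name_domain, addr_domain) if the From: display name names a
    domain whose registrable part differs from the From: address domain,
    otherwise None (no domain in the name, or the domains agree)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None  # unparsable header or bare local part: nothing to compare
    addr_domain = registrable(addr.rsplit("@", 1)[1])
    for match in _NAME_DOMAIN_RE.finditer(name):
        name_domain = registrable(match.group(1))
        if name_domain != addr_domain:
            return (name_domain, addr_domain)
    return None


if __name__ == "__main__":
    # Constructed headers, not taken from any real message.
    samples = [
        '"Chip" <chip@puffin.example>',
        '"PayPal service@paypal.example" <service@paypal.example>',
        '"Wells Fargo <alerts@wellsfargo.example>" <alerts@mail.secure-login.example>',
    ]
    for header in samples:
        print(header, "->", from_name_domain_mismatch(header))
```

A hit is only a signal, not a verdict: the thread's point that a spoofed-looking From: is not by itself proof of spam applies here as well, so the result belongs in a scored rule, not a block.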

Re: From name containing a spoofed email address

2018-01-19 Thread Chip
Okay, trying to understand. You say: whitelist_auth *@*.chase.com whitelist_auth serv...@paypal.com This would trust emails from any subdomain under chase.com and serv...@paypal.com that hit SPF_PASS or DKIM_VALID_AU rules. Okay, got that. But I'm confused when you further expl

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
wants to pipe in (as in *pipe* the email via procmail somewhere where a dkim/spf script can run against it and depending on the result, send it to a certain folder.) On 01/19/2018 10:05 AM, Dianne Skoll wrote: > On Thu, 18 Jan 2018 16:01:13 -0500 > Chip wrote: > >> I'm tied to a

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
of addresses. What is the guess that it will be flooded with spam? That is what we are setting out to ascertain. On 01/19/2018 09:43 AM, David Jones wrote: > On 01/19/2018 08:30 AM, Chip wrote: >> Good question. >> >> Saying why I care about spf and dkim but not spam

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Thank you!  I see that shortcircuit is already enabled in 320! I think you really hit on something. Thanks again! I knew there was a simple answer. On 01/19/2018 09:35 AM, David Jones wrote: > On 01/19/2018 08:24 AM, Chip wrote: >> Ok point taken - I should have mentioned earlier that

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
of a spoofed from email address/domain together with an authentic spf and/or dkim is *less* likely than a spoofed from email address without any spf/dkim.  Collecting statistics, I guess you could say. On 01/19/2018 09:07 AM, RW wrote: > On Thu, 18 Jan 2018 18:49:52 -0500 > Chip wrote: >

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
priority TEST -100 shortcircuit TEST on On 01/19/2018 08:38 AM, David Jones wrote: > On 01/18/2018 05:49 PM, Chip wrote: >> Very well stated.  Bravo! >> >> The end point here is to examine the email headers that specifically >> refer to dkim and spf signatures.  Bas

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Exactly! That is why I want to stick with SA because it does know how to do spf and dkim checks whereas other systems don't unless we install software to do that.  On 01/18/2018 07:31 PM, Alan Hodgson wrote: > On Thu, 2018-01-18 at 18:49 -0500, Chip wrote: >> Very well stated.  Br

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
for examining emails is attractive. On 01/18/2018 06:24 PM, Alex Woick wrote: > Chip schrieb am 18.01.2018 um 23:43: >> yes I'm starting to see that.  I may need to build a box specifically >> suited for this using procmail.  I had hoped that I could stay with >&g

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Thanks for pointing out Sieve.  I'll look into that. It's nice in that it acts on the last procedure - or right before delivery to the mail folder after all the other dirty work has been done. thanks. On 01/18/2018 05:55 PM, Larry Rosenman wrote: > On Thu, Jan 18, 2018 at 05:43:04P

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
rking. On 01/18/2018 05:34 PM, Noel wrote: > On 1/18/2018 2:09 PM, Chip wrote: >> Newbie excited to use the features of SpamAssassin for a new project >> that needs to flag inbound email for sorting into folders  (this can be >> done via cpanel-level filtering) based on

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
ser preferences. I would prefer that you do not respond to my inquiries any longer as I consider you to be somewhat of a harasser. Please just exit the virtual door and stay away from my inbox. Thank you. On 01/18/2018 05:20 PM, Reindl Harald wrote: > > > Am 18.01.2018 um 23:17 schrieb

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
: > On 01/18/2018 04:00 PM, Chip wrote: >> Find this tidbit of information how to find the rules that are loaded >> with spam assassin: >> >> spamassassin --lint -D 2>&1 | grep 'config: read file' >> >> I see many, many lines of files. >> &g

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
ad and abandon me and then tell me I'm lost. So if you can't simply offer some honest, good, informative advice then please buzz off. On 01/18/2018 05:07 PM, Reindl Harald wrote: > > > Am 18.01.2018 um 23:00 schrieb Chip: >> Find this tidbit of information how to find th

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
or 0. There must be a simpler solution to turning off rules than individually editing each ruleset. And in the local.cf there are NO rules. So I'm back to zero here. On 01/18/2018 04:08 PM, David Jones wrote: > On 01/18/2018 03:01 PM, Chip wrote: >> Thank you Shanew for the suggestion

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
ut 10 domains. On 01/18/2018 04:08 PM, David Jones wrote: > On 01/18/2018 03:01 PM, Chip wrote: >> Thank you Shanew for the suggestion. >> >> I'm tied to a Cpanel/WHM VPS which can't be changed.  Given that there >> are some restrictions such as the use of Ex

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
ink that you'd be better of using something like > procmail, maildrop (part of Courier), or sieve if want you want is > sorting without all the overhead of checking for spam. > > But maybe I'm not understanding what you want to accomplish... > > On Thu, 18 Jan 2018, Chip wrote:

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
That sounds doable.  If I score everything 0 or 999 will things be overwritten in local.cf on update or elsewhere? What you are suggesting sounds like a reasonable course of action. On 01/18/2018 03:29 PM, David Jones wrote: > On 01/18/2018 02:09 PM, Chip wrote: >> Newbie excited t

Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders  (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssas

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
to see an .ics sample. Has anybody else seen much/any DDE attack variants? - "Chip"

spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-30 Thread Chip M.
s and more diverse ham to run some ham-only MassChecks using the above rules. I'll share the results. Has anyone seen the RTF or Calendar/.ics forms of this exploit? If so, please-please-please post a spample. - "Chip"

Re: new campaign: bitly & appengine.google

2017-09-13 Thread Chip M.
later by a separate app. For example, Splunk logging is often done via UDP, since it's typically viewed by humans, and a few second (or often minutes) delay is not a big issue, and the potential for lost data packets is less relevant than performance. - "Chip"

new campaign: bitly & appengine.google

2017-09-12 Thread Chip M.
677610925:290 Incident:5858851682625:543 The message text is a fake BBB complaint. I'll put a sample online tonight, if practical. The SA scores have ranged from -2.2 to 1.5, with no useful patterns. Does anyone have a contact at BitLy? These would be trivially easy for them to block. - "Chip"

Re: Anyone else just blocking the ".top" TLD?

2017-07-05 Thread Chip M.
ts) buying and using that TLD of their base name. Even otherwise-Giga-Geeky "stackoverflow" has joined that trend. I'm still killing that TLD by default, but have significantly dropped its score in my FP pipeline. - "Chip"

Re: Today's Google Docs phish

2017-05-04 Thread Chip M.
I've added that to my own MassCheck queue, and will report back. - "Chip"

spample: banking credential phish using linked image (with no text)

2017-01-28 Thread Chip M.
y "skip" listing all three scenarios, in particular DMARC reports (i.e. I never "white" list, I have my rules segmented into groups that can be easily skipped). - "Chip"

Re: spample of not(?)-yet-registered "custom" URL Shortener in Phish

2016-09-25 Thread Chip M.
's probably trivial. > >It seems to be a diagnostic header that's only added where the URL >exits. Thanks! That makes sense. :) - "Chip"

spample of not(?)-yet-registered "custom" URL Shortener in Phish

2016-09-24 Thread Chip M.
worst/best-done campaign (WOW/Blizzard/BattleNet) I've ever seen went on for seven months, with no sign that Gmail even noticed it. :\ - "Chip"

Re: spample of "data" URL in well-crafted Phish

2016-09-24 Thread Chip M.
On Fri, 16 Sep 2016, John Hardin wrote: >Chip, could you send me some spamples of non-image data: messages >offlist? The only ones I have anywhere are images. Sent last week - thanks for your ongoing work on this John! :) After that request, I decided to add (in my post SA filter) a min

Re: drive-by malware customized to the From.RealName of actual Friends

2016-09-24 Thread Chip M.
ing to morph, so at the very least my trickle should help GoDaddy keep a (putative) detection script up to date. Plus, it's a TON more satisfying stymying the smarter-than-skwerl class of spammers. :] - "Chip" P.S. Some old friends let me crash with them for the duration of

Re: Catching well directed spear phishing messages

2016-09-15 Thread Chip M.
anks. ;) They could even be encouraged to send at least one per day, just for "practice". *** Does such software exist? I suspect it may already exist, in which case someone here _WILL_ know of it. :) It would have to be smart enough to look up the original complete email just from a (worst case) Outlook/etc forwarded email (only core headers), so may have to be platform specific (unless IMAP is sufficient?). Obligatory disclaimer: I'm a programmer, not a sysadmin. ...though XKCD 705 is among my top 10 favorite Geek webcomics. :) - "Chip"

Re: spample of "data" URL in well-crafted Phish

2016-09-14 Thread Chip M.
5.1 tests=DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE, MIME_HTML_ONLY, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL That puts the inventors of the Hamster Cannon in the lead, in terms of size and pandering to safe-listing "services". :( I asked the recipient/survivor of the new duo to forward them to his own account and tell me how they render in Outlook, and he kindly sent me a screenshot, mostly to show an alert that Outlook added: "If there are problems with how this message is displayed, click here to view it in a web browser." Purely IM(subjective)O, that sounds like even Outlook was a bit disgruntled with it. - "Chip"

Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
or to each his/her own preferred approach. :) - "Chip"

Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
y data, and is not showing up on that Surbl tld page. Please do share any more that you notice. :) ".men" is going for as low as $1.49. It's only appearing in some of my domains, but is running between about 8% and 34% of their snowshoe spam. - "Chip"

drive-by malware customized to the From.RealName of actual Friends

2016-09-08 Thread Chip M.
'm posting this in the hope that someone(s) will nudge GoDaddy and other cheap hosts to scan for offsite redirects, then test them. The drive-by-javascript at the destinations is obviously "bad", and trivially easy to recognize. - "Chip"

Re: spample of "data" URL in well-crafted Phish

2016-09-08 Thread Chip M.
scoring non-img "data" rule, and gently recommend a modest scoring img "data" rule. Everyone's mileage will vary, as always. :) - "Chip" P.S. Javascript... I agree 100% with John, while respecting AXB's right to disagree and choose his own poison. ;) I'

spample of "data" URL in well-crafted Phish

2016-08-31 Thread Chip M.
Freshly caught Spample: http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt The only munging was inserting ".EXAMPLE" between "wellsfargo" and ".com". Four years ago, I read this fascinating article: http://isc.sans.edu/diary/%22Data%22+URLs+used+for+in-URL+phishin

Re: SA cannot block messages with attached zip

2016-07-13 Thread Chip M.
t nuke/quarantine them all.) A couple of years ago, I changed my post-SA Filter so it always tests the first few "raw" characters of every MIME Part, and if they're the prefix that means PKZip, I de-MIME it and send it thru my zip analyzer, regardless of ContentType or file ext. I

Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Chip M.
tld/stream https://www.domcomp.com/tld/top The ever-anti-reliable NameCheap is beating the pack at $0.88 per .stream domain (same as their price for .top), so I expect the popularity of .stream to continue. - "Chip"

Re: Catching well directed spear phishing messages

2016-06-28 Thread Chip M.
n requests. Note that all our domains are "Western" centric, though we have a few accounts who do have regular contact with Unicode-type nations. You all know your own email ecologies. :) +1 to all the sensible remarks about good authorization policies. The best defense has as many layers as practical. :) - "Chip"

Re: SA cannot block messages with attached zip

2016-06-08 Thread Chip M.
e zips (when they appeared, as mentioned in my previous post). That does have a higher FP risk, since it's reasonable to zip huge doc files, however in practice they're rare, and I have an excellent Quarantine/FP pipeline. A friend sent me this cool MagicNumber look up site: filesignatures.net Any other suggestions for file types to add? - "Chip"
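The magic-number approach from the two "SA cannot block messages with attached zip" posts above (test the first raw bytes of every MIME part, regardless of Content-Type or extension), written out as an added example. This is not Chip's post-SA filter and not SpamAssassin code; the magic-number table is a small illustrative subset (libmagic would be the production choice), and the message it runs on is constructed inline, not a real spample. It goes a little beyond the posts by covering the other container types mentioned elsewhere on this page (rar, gzip for .tgz, RTF, legacy OLE2 Office files, PDF, PE).

```python
# Added example, not the poster's filter and not SpamAssassin code: classify
# every leaf MIME part by the first bytes of its decoded payload, ignoring the
# declared Content-Type and the filename extension, so a zip renamed to .txt
# (or labelled text/plain) is still routed to the zip analyser.
import base64
import email
import io
import zipfile
from email import policy

# Magic-number table.  Assumption: these common prefixes are enough to
# illustrate the idea; a production filter would defer to libmagic.
# OpenXML Office files (.docx/.xlsx) are zip archives, so they hit "zip" too,
# which is exactly what you want if the zip analyser looks inside them.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),        # empty archive
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),         # .gz / .tgz
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"{\\rtf", "rtf"),
    (b"MZ", "pe"),                 # Windows executable
]


def sniff(data):
    """Return the file kind for the given leading bytes, or None."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def sniff_parts(raw_message):
    """Return [(kind, declared_content_type, filename)] for every leaf part
    whose decoded payload starts with a known magic number."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64/QP
        kind = sniff(payload[:16])
        if kind is not None:
            found.append((kind, part.get_content_type(), part.get_filename()))
    return found


def build_sample():
    """Constructed message (not a real spample): a zip containing a .js file,
    attached with Content-Type text/plain and a harmless-looking .txt name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, no real payload\n")
    b64 = base64.encodebytes(buf.getvalue())
    return (
        b"From: sender@example.net\r\n"
        b"To: victim@example.org\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n'
        b"\r\n"
        b"--b1\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"Please see the attached invoice.\r\n"
        b"--b1\r\n"
        b'Content-Type: text/plain; name="invoice.txt"\r\n'
        b'Content-Disposition: attachment; filename="invoice.txt"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n" + b64 +
        b"--b1--\r\n"
    )


if __name__ == "__main__":
    for hit in sniff_parts(build_sample()):
        print(hit)
```

The declared type and filename are returned alongside the sniffed kind so a rule can score the disagreement itself (a "text/plain" part that is really a zip) rather than only the presence of an archive.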

Re: SA cannot block messages with attached zip

2016-05-20 Thread Chip M.
:) We've had a very low FP rate on the above, and haven't had any noticeable user pushback. There have been enough high profile infections (at least two hospitals), that most endusers have been grateful and understanding. >Doing it properly requires a non-trivial amount of coding. Ye

re: exploitable LinkedIn forwarder/whatever

2016-05-20 Thread Chip M.
uldn't blame any non-techie who succumbed to the double-whammy of a URL with a very familiar domain sent from the cracked account of a bona fide friend. :( - "Chip"

exploitable LinkedIn forwarder/whatever

2016-05-17 Thread Chip M.
rinsed, stewed, then decided to post here. *** Does anyone have a contact at LinkedIn ops? *** Sadly, LinkedIn follows the Google/Gmail model of failing to make core functionality (like reporting spam) useable without disabling/lowering one's browser security settings/shields. :( - "Chip"

Re: new(ish) malware: RTF with MIME payload

2016-05-05 Thread Chip M.
ose. We can individually "skip" list that rule if needed, just like we already do with Word macros and other Pakled-icity. ;) - "Chip"

malware campaign: javascript in ".tgz"

2016-04-21 Thread Chip M.
r "rar" extraction, which may explain the recent rise of rar javascript email malware). I've only taken a quick look at the payload. It's javascript, but definitely different from past campaigns. I've been seeing a high level of "calibration" spam for over a week, so I suspect this is a new botnet going live. :( - "Chip"

new(ish) malware: RTF with MIME payload

2016-03-19 Thread Chip M.
Starting about two hours ago, more than 80% of my real-time honeypot spam is a new malware campaign. Full spample (with redacted/munged email addresses and Message-ID): http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt This is a variation on an XML file malware campaign that b

RE: SPAM from a registrar

2014-05-16 Thread Chip M.
ion and on TLD-to-Nation tests, then retest (with a different balance of scores) typically about 1 to 48 hours after initial arrival, at which point more than 99% are on multiple reliable blocklists. I briefly hand check the rest. That takes much of the stress and uncertainty out of filtering. :) - "Chip"

Re: unusual new pump-and-dump campaign ("RCHA")

2014-04-16 Thread Chip M.
are attachments, all small, and hitting some of the rare traps that the stock and calibration payloads have hit. I have NEVER seen anything like this botnet. - "Chip" P.S. If it's of use to anybody, we maintain a list of scammed stock symbols and scammer phone numbers:

unusual new pump-and-dump campaign ("RCHA")

2014-04-08 Thread Chip M.
links, X-Mailer, and fake Unsub headers, combined, are an excellent fingerprint. They're trying to imitate ESP/Bulk senders, but these are mainly coming from "normal" ISP IPs. I've added rules that only score those headers for non-ESP/Bulk IPs. Of course, the very first thing I did was add "RCHA" to my list of scammer symbols. :) - "Chip"

Re: Rule FH_RANDOM_SURE causing FPs

2014-01-16 Thread Chip M.
the domain admin for them. I'm planning some data-mining this weekend, and would be happy to check more data (mild brag: I finally added flagging to my data-mining tools, so it will auto-log, even if I forget to explicitly check). :) - "Chip"

new (?) Google Translate trick using URL Shorteners

2012-12-10 Thread Chip M.
from Freemailers Personally, I've jacked up the score of "HTTP_EXCESSIVE_ESCAPES", however I do see enough legit-but-thick senders who hit it, that I understand why it's somewhat low. John H: I'll send you a couple of raw corpses so you can wave your RE magic wand. :) - "Chip"

re: Trouble with bayes poisoning spam

2012-11-30 Thread Chip M.
st the outgoing mail of new customers. :) This week, I posted a list of proposed 2013 projects to my volunteers, and at the top is exporting our MassCheck data for SA. Also on the list are phish and snowshoe data sharing. :) As soon as I've finished a couple of timesink projects, I'll start on those. - "Chip"

another malware MIME header trick that works with at least one email client

2012-07-25 Thread Chip M.
tool!), and with minimal to no other defensive layers. Let's give the little guy/gal some help. :) - "Chip" P.S. I tested this by manually removing the base64 encoded payload, substituting in the base64 portion of a non-attachment HTML part from a ham, then reinjecting the ra

new twist on BitLy

2012-05-02 Thread Chip M.
y prejudice that it's ok to score this domain heavily, as long as one has a good quarantine and FP pipeline. I'll check some more corpora this weekend, and report back if there's any non-trivial ham using this domain. - "Chip"

Re: all spam emails from mailengine1.com servers

2011-10-21 Thread Chip M.
. Robert, thanks for asking! While generating that data, I had an excuse to improve that report. I also found a "dangling" legacy IP block with a lower spam score, which should have been deprecated years ago, and now has been. :) - "Chip" P.S. The Geek volunteer who h

new technique: borked zip attachment w/malware

2011-09-30 Thread Chip M.
obust FP pipeline, so what makes me feel good, may not work as well for everyone. :) Does anyone know if any mainstream email client can open such a file? I don't use Outlook, so maybe someone who does could zip up something benign, email it to themselves, grab the network image, hack the CT filename as above, re-inject it, then try opening it. - "Chip"

Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Chip M.
's a major reason that I expect these to morph, real soon. :\ In the past, that guy's campaigns have had a similarly low hit rate on PBL. I've always wondered how he/they achieve that. - "Chip"

application/octet-stream obfuscated JPEGs

2010-09-20 Thread Chip M.
oes have the exact same JPEG header size that I've previously reported (623 bytes). It also continues this spammer's use of random (ALWAYS wrong) Realnames in the To header. Those two tests, plus nation of origin, are my main test hits. So far, none have snuck thru my last layers of defense. - "Chip"

Re: Yahoo HTML Base64 Attachments

2010-09-20 Thread Chip M.
8th anniversary of the TV broadcast debut of Firefly. :) Keep flyin', - "Chip"

Re: New plugin: DecodeShortURLs

2010-09-20 Thread Chip M.
they run the actual tests, so they have Complete Control. It's been my experience that not-stupid endusers who are given control are happy users. They're full participants in the process. :) - "Chip"

Re: Filtering zip spam

2010-04-28 Thread Chip M.
;) Implementing the basic properties extraction was trivial. Thinking thru how I wanted to handle the rules was more of a challenge. :) Figured I'd share where I'm at, and pick the big brains. :) - "Chip" P.S. I am also seriously considering adding the ability to extract any s

new PDF "Launch" malware exploit (with sample)

2010-04-28 Thread Chip M.
I've added "script.vbs" to my instant-death PDF word scans. I'll be asking some of my most diverse volunteers to run some ham-PDF-only MassChecks tonight, and see if any of my new rules mis-fire. Given the number of times HTML "naughty" tags appear in ham, I will resist assuming my "reasonable" restrictions won't hit any. - "Chip"
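A first-pass scanner for the kind of PDF action the post above is talking about, added as an example; it is not Chip's "instant-death PDF word scan" and does not come from this list. It greps the raw bytes for the action names that can launch a program or run script, undoes the #xx name escapes that defeat a naive grep, and takes a configurable word list (the post's "script.vbs" is the default). It does not inflate FlateDecode streams or parse object streams, so it is a quarantine trigger, not a parser; the two minimal PDFs are constructed inline and are not real samples.

```python
# Added example, not the poster's scanner: a first-pass scan of a PDF for the
# action names that can launch a program or run script, plus a word list.
# Raw-bytes only: it does not inflate FlateDecode streams or parse object
# streams, so a payload hidden in a compressed stream evades it.  Treat a hit
# as a reason to quarantine/analyse, not as a complete detector.
import re

# PDF name objects whose presence in a mailed document is rarely legitimate.
# The descriptions are illustrative, chosen for this example.
SUSPECT_NAMES = {
    b"/Launch": "Launch action (runs an external program)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code stream",
    b"/OpenAction": "action triggered on open",
    b"/AA": "additional (automatic) actions",
    b"/EmbeddedFile": "embedded file stream",
}

# PDF names may be written with #xx hex escapes (e.g. /La#75nch for /Launch),
# a cheap way to dodge a naive grep, so undo those before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(pdf_bytes):
    """Replace #xx escapes with the byte they encode."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf_bytes)


def scan_pdf(pdf_bytes, words=(b"script.vbs",)):
    """Return a sorted list of reasons to distrust this PDF (empty if none)."""
    if not pdf_bytes.startswith(b"%PDF-"):
        return ["not a PDF (missing %PDF- header)"]
    data = normalise_names(pdf_bytes)
    reasons = set()
    for name, why in SUSPECT_NAMES.items():
        # A name token ends at the next delimiter, so /JS must not match /JSX.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data):
            reasons.add(why)
    lowered = data.lower()
    for word in words:
        if word.lower() in lowered:
            reasons.add("suspicious word: " + word.decode())
    return sorted(reasons)


# Constructed minimal PDFs (not real samples).  The xref table is omitted;
# viewers repair that, and the scanner does not need it.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R\n"
    b"   /OpenAction << /S /La#75nch /F (script.vbs) >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(BENIGN_PDF))   # nothing to report
    print(scan_pdf(LAUNCH_PDF))   # OpenAction + Launch + the word hit
```

Ham PDFs do legitimately use /OpenAction and /JavaScript (form validation, "go to page 1"), which is the FP risk the post alludes to; the sensible split is to score those modestly and reserve the kill score for /Launch and the word-list hits.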

Re: Finding URLs in html attachments

2010-03-02 Thread Chip M.
makes perfect sense as a general principle, however, in the case of these phish, social engineering is the vector for their display. Apologies if I'm missing blatant Perl or SA architecture issues, about which, I am only an egg. - "Chip"

Re: Spamhaus DBL

2010-03-02 Thread Chip M.
s (59% today, average of 49% last month), with some containing garbage/low-ascii characters at the end of the URL. I've been scoring RU at 95% of kill for a while, so those aren't an issue (for me). Technically, those have been ramping up for a while. - "Chip"

new (small) shortener campaign & suggestion for URLRedirect

2010-02-24 Thread Chip M.
appears Digg does not check any blocklists. :( These services are just too dang tempting a target, so I expect these campaigns to continue. More fevered ramblings from one of your mostly harmless Iowa Geeks, - "Chip"

Phish - two simple techniques that make the "obvious" tests viable

2010-02-24 Thread Chip M.
use Nation-based testing (they aren't forced to include all of the USA, when all they really want is eBay/Paypal/etc). I hope that's both clear and useful. I've got a rather bad case of flu, which led to me :) wanting to hand verify several hundred phish hits, but it could also have resulted in more obtuse language than usual from me. - "Chip"

Re: pill image spam learns to walk

2010-01-11 Thread Chip M.
also aware of the issues surrounding people potentially >uploading images and then linking to them from spam websites or >spam. That's why I've put http referer restrictions in place. Perhaps redirecting to an image saying something like "this is spam"? :) What about requiring registration? Yes, it's not enough to stop the most determined, but will whittle it down to the least stupid. - "Chip"

Re: facebook Spam Question

2009-11-08 Thread Chip M.
seen a tiny trickle of viral stuff forged as coming from them, but they're a logical target. Pre-emptive first strike... with spam, there's no reason not to. :) Good luck! - "Chip"

Re: spam from noave.net 74.63.109.*

2009-10-08 Thread Chip M.
tious, since MY Ham is not YOUR Ham. :) When in doubt, score and/or quarantine. - "Chip"

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-18 Thread Chip M.
o, it's worth considering a CAUTIOUS score. John Hardin wrote: >sa-update won't bring 3.2.1 up to 3.2.5; you're not getting the >up-to-date rules, which may catch those. +1 Always VERY good advice, particularly given the age difference. :) - "Chip"

Re: Botnet spam not being caught

2009-06-14 Thread Chip M.
he Russia TLD 1 contained a BlogSpot subsite 4 were AdvanceFee scams I also found 518 of those had forged the SMTP Sender as being the same domain (and probably the exact same account) as the Recipient. You might want to make some meta rules for those two cases (China TLD in a URL, Sender == Recipient). - "Chip"

Re: some URIBL accidentally listed .org?

2009-06-14 Thread Chip M.
DOB ("Day Old Bread") had the same problem last year: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200810.mbox/%3cva.33f1.14690...@news.conactive.com%3e With software bugs, lightning often DOES strike twice in the same spot. :) - "Chip"

Re: please help, getting hammered with snowshoe spam

2009-02-12 Thread Chip M.
rch. :) We're split among several different hosts, so the only way it would be viable to use your lists in real-time, would be to set up our own DNS server, only known to project members. Since most of us are only receiving a trickle of snowshoe spam, that's not viable at this time. The ones who receive more than a trickle, receive a FLOOD. As I mentioned, in some cases 80% of their FNs are from snowshoers. - "Chip"

Re: please help, getting hammered with snowshoe spam

2009-02-12 Thread Chip M.
currently scored at the equivalent of about 1 SA point. I forgot to mention another combo test: if it's on both Barracuda and the Day-Old-Bread list, I add the equivalent of about 1 SA point. Zero FPs so far. I'll review all those scores and tests in a few more weeks. - "Chip"

Re: please help, getting hammered with snowshoe spam

2009-02-04 Thread Chip M.
This snowshoe stuff has been a PITA for a while. For most of my users (particularly the Geeks), it's not even on their radar. For others, (including my most complex domain), 80% of their FNs are from snowshoers. As well as the usual battery of anti-spam tests, I'm using a layered/meta approach of

Re: please help, getting hammered with snowshoe spam

2009-02-04 Thread Chip M.
Dennis Hardy wrote: >Do people generally have good non-FP experience with BRBL? I am >thinking of bumping up the score, but I get so much spam per day >it is hard to check for FPs with it enabled. Dennis, it depends on what sort of ham your people receive. For evaluation purposes, I've been runni

new(?) Geocities subsite obfuscation

2008-06-16 Thread Chip M.
those as simple rules. Other than borked mailing lists, can anyone recall seeing either of those patterns in a legitimate emailed URL? Stay dry, - "Chip"

Re: yahoo.co.uk

2008-02-27 Thread Chip M.
urus will whip you up a rule. :) Is there anything else that stands out in these? - "Chip"

Re: new google trick: "docs"

2008-02-27 Thread Chip M.
eople that way, report >them to Google. I commend your optimism. :) - "Chip" P.S. After a slow start, Uribl's fan-tastic new subsite listings are producing excellent results. We auto-quarantine all Blogspot, Geocities, etc emails, then re-run Uribl a few hours later, and are averaging about a 75% to 95% hit rate! Pretty good for such a new project. :)

new google trick: "docs"

2008-02-27 Thread Chip M.
triggers on _ANY_ "unusual" params in a Google url? In other words, enumerate the legit ones, and score all others. The only legit form of pre-emptive strike is the kind against spammers (IMO). :) - "Chip"

Re: Cute - another google spam trick!

2008-01-20 Thread Chip M.
late-ish, I could be missing the obvious.) - "Chip"

Re: Googlepages & Livefilestore spams

2008-01-16 Thread Chip M.
The latest variant is "gooogle.com", which is a legit alias for Google, and appears to work with all the regular spammer trick parameters. I've also seen two more google TLD variants. - "Chip"

Re: are the NORMAL_HTTP_TO_IP scores still valid?

2008-01-16 Thread Chip M.
cated users is so high, that a 1-7 day delay is acceptable, given that these almost always occur in non-business marketing junk. It really boils down to your userbase and your available tools. - "Chip"
