Re: Bizarre and seemingly pointless spams

2013-06-04 Thread David F. Skoll
On Tue, 04 Jun 2013 00:23:33 +0200 Axb axb.li...@gmail.com wrote: Dave sells boxes - if a client needs more resources, Dave will happily sell him more boxes .-) :) Actually, we don't sell boxes. We sell ISO images. Anyway, the cost of hardware is relatively cheap and it's a one-time cost

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
David B Funk wrote on 2013-06-03 21:34: Why not just block connections from infected PCs? PBL is not "infected"; it's Spamhaus dynamic IPs that do not send mail direct to MX. This list is split into 2: one of them is ISP managed, and the other is Spamhaus managed, whether or not the

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
David B Funk wrote on 2013-06-03 23:02: Maybe the lack of Received: headers could be used as the basis for an SA rule. How many legit MTAs are there that don't add Received: headers? Hopefully none. IMHO all MTAs add at least one last Received header; this part can't be abused by spammers,

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
Dave Warren wrote on 2013-06-03 23:45: Unless you run submitted outbound mail through SpamAssassin, in which case you could expect a VERY high false positive rate. While SpamAssassin isn't fantastic for this particular role, it can help you catch compromised accounts/systems before they spew

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
John Hardin wrote on 2013-06-04 00:22: Suggestions for likely combinations are welcome, but at this time the masscheck corpora only show less than 5% direct-to-MX spam vs. 20% ham. Whether that's an indication that spambots are in a lull or the corpora don't represent actual spam reality

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Matus UHLAR - fantomas
John Hardin wrote on 2013-06-04 00:22: Suggestions for likely combinations are welcome, but at this time the masscheck corpora only show less than 5% direct-to-MX spam vs. 20% ham. Whether that's an indication that spambots are in a lull or the corpora don't represent actual spam reality

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Matus UHLAR - fantomas
David B Funk wrote on 2013-06-03 23:02: Maybe the lack of Received: headers could be used as the basis for an SA rule. How many legit MTAs are there that don't add Received: headers? Hopefully none. On 04.06.13 13:26, Benny Pedersen wrote: IMHO all MTAs add at least one last Received header,

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
Matus UHLAR - fantomas wrote on 2013-06-04 15:19: note that many servers consider sender address verification as abuse. If they do, feel free to block it; no recipient will see a problem doing so. Note that I do an SPF test before sender address verification; that way I keep abuse low, if

Sender address verification (was Re: Bizarre and seemingly pointless spams)

2013-06-04 Thread David F. Skoll
On Tue, 04 Jun 2013 15:32:17 +0200 Benny Pedersen m...@junc.eu wrote: Matus UHLAR - fantomas wrote on 2013-06-04 15:19: note that many servers consider sender address verification as abuse. Note that I do an SPF test before sender address verification; that way I keep abuse low, if you
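
The ordering Benny describes, an SPF test before any sender-address-verification (SAV) callout, as an added example in Python. This is illustration code, not something posted in the thread or taken from any poster's setup. The SPF evaluator is a deliberate subset of RFC 7208 (ip4, ip6, a, include and all, with qualifiers; use pyspf or the MTA's own policy daemon in production), the DNS data, domains and addresses are constructed, the callout is a stand-in for the real SMTP probe, and what to do with results other than "fail" is this example's own choice.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS data standing in for live lookups: (name, type) -> records.
# All domains and addresses are documentation/example values, not real ones.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ("_spf.example.net", "TXT"): ["v=spf1 a:mail.example.net ~all"],
    ("mail.example.net", "A"): ["198.51.100.25"],
    ("example.org", "TXT"): ["v=spf1 ip6:2001:db8::/32 ?all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str, dns: dict):
    """Return the domain's v=spf1 TXT record, or None when it publishes none."""
    for txt in dns.get((domain, "TXT"), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(client_ip: str, domain: str, dns: dict, depth: int = 0) -> str:
    """Evaluate a subset of RFC 7208 (ip4, ip6, a, include, all with qualifiers).

    Returns pass / fail / softfail / neutral / none / permerror. Mechanisms and
    modifiers outside the subset (mx, exists, redirect=, macros) give permerror.
    """
    if depth > 10:                      # RFC 7208 include/redirect limit
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            host = arg or domain
            matched = any(ip_address(a) == ip for a in dns.get((host, "A"), []))
        elif name == "include":
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' present


def sav_policy(client_ip: str, sender_domain: str, dns: dict, callout):
    """SPF first, callout only afterwards.

    callout(domain) is the sender-address-verification probe (an RCPT TO
    against the sender domain's MX) and returns True if the address was
    accepted. It is the expensive, abuse-prone step, so an SPF fail rejects
    without ever running it. Deferring on permerror and still probing on
    pass/softfail/neutral/none is this example's choice, not the thread's.
    """
    spf = check_spf(client_ip, sender_domain, dns)
    if spf == "fail":
        return ("reject", "SPF fail, no callout made", spf)
    if spf == "permerror":
        return ("tempfail", "SPF record broken, deferring", spf)
    accepted = callout(sender_domain)
    return ("accept" if accepted else "reject", "sender address verification", spf)


if __name__ == "__main__":
    probes = []

    def fake_callout(domain):          # stand-in for the real SMTP probe
        probes.append(domain)
        return domain == "example.org"

    print(sav_policy("203.0.113.9", "example.com", FAKE_DNS, fake_callout))  # SPF fail: no probe
    print(sav_policy("2001:db9::1", "example.org", FAKE_DNS, fake_callout))  # neutral: probed
    print(probes)
```

The point of the order is visible in the first call: a forged envelope sender from a domain with a `-all` record is rejected on the SPF result alone, so the sender domain's MX never sees a probe from you. Only senders SPF cannot decide about cost a callout, which is what keeps the SAV traffic (and the complaints about it) low.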

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
Matus UHLAR - fantomas wrote on 2013-06-04 15:20: some do but after milters are checked. That's why e.g. sa-milter must fake Received: headers when passing the mail to spamassassin. Basically yes, but why not test the client IP against RBLs at the MTA stage? sa-milter is one milter that is basically broken,

Re: Sender address verification (was Re: Bizarre and seemingly pointless spams)

2013-06-04 Thread Benny Pedersen
David F. Skoll wrote on 2013-06-04 15:34: On Tue, 04 Jun 2013 15:32:17 +0200 Benny Pedersen m...@junc.eu wrote: Matus UHLAR - fantomas wrote on 2013-06-04 15:19: note that many servers consider sender address verification as abuse. Note that I do an SPF test before sender address

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Matus UHLAR - fantomas
Matus UHLAR - fantomas wrote on 2013-06-04 15:20: some do but after milters are checked. That's why e.g. sa-milter must fake Received: headers when passing the mail to spamassassin. On 04.06.13 15:35, Benny Pedersen wrote: Basically yes, but why not test the client IP against RBLs at the MTA stage? what

Re: Bizarre and seemingly pointless spams

2013-06-04 Thread Benny Pedersen
Matus UHLAR - fantomas wrote on 2013-06-04 16:13: basically broken in what way? That it fakes the Received: header so the mail can be processed with SA without SA hacks? The milter API is; milters just test what is in the milter API, so the error is a design in the milter API, not in the sendmail MTA / postfix MTA,

libmilter policy (was Re: Bizarre and seemingly pointless spams)

2013-06-04 Thread David F. Skoll
On Tue, 04 Jun 2013 16:43:17 +0200 Benny Pedersen m...@junc.eu wrote: it would be better if the libmilter API did the fake Received so all milters get consistency. No. Individual milters should decide whether or not they need to fake a Received: header. It's not a policy that should be imposed

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Joe Acquisto-j4
On 6/2/2013 at 12:30 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote: In an older episode, on 2013-06-02 16:16, David F. Skoll wrote: 3) Envelope sender is in the nacha.org domain 2 days ago, we received hundreds of mails with that envelope sender domain containing malware like

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Axb
On 06/03/2013 12:04 PM, Joe Acquisto-j4 wrote: On 6/2/2013 at 12:30 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote: In an older episode, on 2013-06-02 16:16, David F. Skoll wrote: 3) Envelope sender is in the nacha.org domain 2 days ago, we received hundreds of mails with that envelope

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Joe Acquisto-j4
On 6/3/2013 at 6:08 AM, Axb axb.li...@gmail.com wrote: On 06/03/2013 12:04 PM, Joe Acquisto-j4 wrote: On 6/2/2013 at 12:30 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote: In an older episode, on 2013-06-02 16:16, David F. Skoll wrote: 3) Envelope sender is in the nacha.org domain 2 days

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Matus UHLAR - fantomas
On 06/03/2013 12:04 PM, Joe Acquisto-j4 wrote: What's interesting to me is that nacha is the standards (my term) association (www.nacha.org) for ach (the automated check clearing house) which does such things as direct deposit and other transactions. On 03.06.13 12:08, Axb wrote: As they're

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 3 Jun 2013 14:28:36 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: you should look at Received: headers to see who passed the mail to you and complain to abuse@ there. If the mail came from nacha.org, the ab...@nacha.org is the right place to send complaints.. There were no

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Benny Pedersen
David F. Skoll wrote on 2013-06-03 14:52: There were no Received: headers in my samples. They were directly injected by compromised Windows boxes. And your own MTA will not add one? :) hmp! -- senders that put my email into body content will deliver it to my own trashcan, so if you

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 03 Jun 2013 15:08:55 +0200 Benny Pedersen m...@junc.eu wrote: [DFS says no Received: headers] and your own mta will not add one ? :) My MTA will add a header if I let it relay the mail. These messages were intercepted and stopped as they came in, so I see whatever headers they had *at

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Matus UHLAR - fantomas
On Mon, 3 Jun 2013 14:28:36 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: you should look at Received: headers to see who passed the mail to you and complain to abuse@ there. If the mail came from nacha.org, the ab...@nacha.org is the right place to send complaints.. On 03.06.13

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 3 Jun 2013 16:11:28 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: I believe you are able to track network admins of connecting IPs. Or, simply check their rDNS (forward-confirmed) and contact abuse@delegated.domain... Well yeah, but in the example I posted the machine

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David B Funk
On Mon, 3 Jun 2013, David F. Skoll wrote: On Mon, 3 Jun 2013 16:11:28 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: I believe you are able to track network admins of connecting IPs. Or, simply check their rDNS (forward-confirmed) and contact abuse@delegated.domain... Well yeah, but

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David F. Skoll
On Mon, 3 Jun 2013 14:34:30 -0500 (CDT) David B Funk dbf...@engineering.uiowa.edu wrote: Do you not like connection-oriented RBLs? That client IP address is in both cbl.abuseat.org pbl.spamhaus.org lists as an infected client. We run an anti-spam service for about 100K users and sell

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread David B Funk
On Mon, 3 Jun 2013, David F. Skoll wrote: On Mon, 3 Jun 2013 14:28:36 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: you should look at Received: headers to see who passed the mail to you and complain to abuse@ there. If the mail came from nacha.org, the ab...@nacha.org is the right

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Dave Warren
On 2013-06-03 14:02, David B Funk wrote: On Mon, 3 Jun 2013, David F. Skoll wrote: On Mon, 3 Jun 2013 14:28:36 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: you should look at Received: headers to see who passed the mail to you and complain to abuse@ there. If the mail came from

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Alex
Hi, Do you not like connection-oriented RBLs? That client IP address is in both cbl.abuseat.org pbl.spamhaus.org lists as an infected client. We run an anti-spam service for about 100K users and sell appliances that filter for many more. Paying for RBLs is not cost-effective at that

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread John Hardin
On Mon, 3 Jun 2013, David B Funk wrote: On Mon, 3 Jun 2013, David F. Skoll wrote: There were no Received: headers in my samples. They were directly injected by compromised Windows boxes. Maybe the lack of Received: headers could be used as the basis for an SA rule. How many legit MTAs
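
The two checks discussed in this sub-thread, counting the Received: headers a message arrives with and looking the connecting IP up in connection-oriented DNSBLs, as an added example in Python. This is illustration code, not anything posted in the thread and not part of SpamAssassin or any poster's setup. The two message samples, the hostnames and the client IP are constructed; the DNSBL zones are the two named in the thread, but the return-code meanings are taken from the lists' public documentation and should be verified against it; the resolver is an offline stand-in for a real DNS lookup; and the final reject policy is this example's own.

```python
import email
import re
from email import policy
from ipaddress import ip_address

# Constructed sample: a direct-to-MX message of the kind described in the
# thread, as it looks at SMTP DATA time before the local MTA prepends its own
# Received: header. Nothing here is a real message.
DIRECT_TO_MX_SAMPLE = b"""Subject: RE: Hello
From: "Random Person" <random.person@example.com>
To: <victim@example.org>
Message-ID: <1234@example.com>

Im fine thanks , Random
"""

# Constructed sample of a message that came through one upstream relay and was
# then received by our own MX (mx.example.org).
RELAYED_SAMPLE = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTPS id ABC123
\tfor <victim@example.org>; Mon, 3 Jun 2013 08:00:00 -0400
Received: from user-pc.example.net (user-pc.example.net [198.51.100.7])
\tby mail.example.net with ESMTPSA id XYZ789
Subject: hello
From: <alice@example.net>
To: <victim@example.org>

Hi there.
"""

# Zones named in the thread. The return-code meanings are taken from the
# lists' public documentation and are an assumption to verify, not something
# the thread states.
DNSBL_ZONES = {
    "cbl.abuseat.org": {"127.0.0.2": "CBL: host behaves like a spambot/open proxy"},
    "pbl.spamhaus.org": {"127.0.0.10": "PBL: ISP-maintained dynamic/end-user range",
                         "127.0.0.11": "PBL: Spamhaus-maintained dynamic/end-user range"},
}


def foreign_received_count(raw: bytes, own_host: str) -> int:
    """Count Received: headers that were not added by our own MTA.

    A header whose 'by' clause names own_host is ours; anything else was
    already present when the client handed us the message. Zero foreign
    headers means the connecting client injected the message itself.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    own = re.compile(r"\bby\s+" + re.escape(own_host) + r"\b", re.IGNORECASE)
    return sum(1 for h in msg.get_all("Received", []) if not own.search(str(h)))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed octets (IPv4) or reversed nibbles (IPv6), then the zone."""
    addr = ip_address(ip)
    labels = str(addr).split(".") if addr.version == 4 else list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def check_dnsbls(ip: str, resolve, zones=DNSBL_ZONES) -> dict:
    """Return {zone: [reasons]} for every zone that lists ip.

    resolve(name) must return the A records for name as a list of strings, or
    an empty list / None for NXDOMAIN (the 'not listed' answer).
    """
    hits = {}
    for zone, codes in zones.items():
        answers = resolve(dnsbl_query_name(ip, zone)) or []
        if answers:
            hits[zone] = [codes.get(a, "listed with undocumented code " + a) for a in answers]
    return hits


def score_connection(raw: bytes, client_ip: str, own_host: str, resolve) -> dict:
    """Combine both signals into one verdict (policy is this example's own).

    A message with no upstream Received: header from a client that a
    connection-oriented DNSBL already knows as a bot or a dynamic address is
    rejected. A DNSBL hit alone is normally acted on at connect time, before
    DATA, which is cheaper still.
    """
    hops = foreign_received_count(raw, own_host)
    hits = check_dnsbls(client_ip, resolve)
    return {"foreign_received": hops, "direct_to_mx": hops == 0,
            "dnsbl_hits": hits, "reject": hops == 0 and bool(hits)}


def fake_resolver(listed: dict):
    """Offline stand-in for DNS; in production use dnspython or socket.gethostbyname_ex."""
    return lambda name: listed.get(name)


if __name__ == "__main__":
    client = "203.0.113.45"  # constructed client IP
    resolve = fake_resolver({
        dnsbl_query_name(client, "cbl.abuseat.org"): ["127.0.0.2"],
        dnsbl_query_name(client, "pbl.spamhaus.org"): ["127.0.0.11"],
    })
    print(score_connection(DIRECT_TO_MX_SAMPLE, client, "mx.example.org", resolve))
    print(score_connection(RELAYED_SAMPLE, "192.0.2.10", "mx.example.org", resolve))
```

The caveat David raises in the thread is built into `foreign_received_count`: once your own MTA has accepted and relayed the message it will have prepended its own Received: header, so a plain "no Received: header" test only works at DATA time (or in a milter that sees the message before the MTA adds one). Excluding headers whose `by` clause is your own host lets the same test run after the fact on stored mail.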

Re: Bizarre and seemingly pointless spams

2013-06-03 Thread Axb
On 06/03/2013 11:51 PM, Alex wrote: Hi, Do you not like connection-oriented RBLs? That client IP address is in both cbl.abuseat.org pbl.spamhaus.org lists as an infected client. We run an anti-spam service for about 100K users and sell appliances that filter for many more. Paying for RBLs

Bizarre and seemingly pointless spams

2013-06-02 Thread David F. Skoll
Hi, Is anyone seeing a rash of spams with these characteristics?
1) Subject is RE: Hello
2) From: header is randomly-generated first_l...@somedomain.com
3) Envelope sender is in the nacha.org domain
4) SPF fails
5) Message body consists only of this: Im fine thanks , RandomFirstName

Re: Bizarre and seemingly pointless spams

2013-06-02 Thread Christian Recktenwald
On Sun, Jun 02, 2013 at 10:16:56AM -0400, David F. Skoll wrote: Hi, Is anyone seeing a rash of spams with these characteristics? Similar waves occur from time to time. My guess (in order of sophistication):
- someone's just not able to use their spam software
- probing
- bayes / awl

Re: Bizarre and seemingly pointless spams

2013-06-02 Thread Wolfgang Zeikat
In an older episode, on 2013-06-02 16:16, David F. Skoll wrote: 3) Envelope sender is in the nacha.org domain 2 days ago, we received hundreds of mails with that envelope sender domain containing malware like Case_05312013_28192.exe extracted from the attachment Case_3375975.zip And