Re: Bogus mails from hijacked accounts

2010-03-13 Thread Benny Pedersen
On Sat 13 Mar 2010 02:14:02 CET, Michelle Konzack wrote The problem is, according to the RFCs, ISPs must have an abuse address, but have you ever tried this with a corporate domain? Even postmaster is rejected on most domains. report them on rfc-ignorant.org Some time ago we had a problem

Re: Bogus mails from hijacked accounts

2010-03-13 Thread Michelle Konzack
Good evening, On 2010-03-13 14:46:35, Benny Pedersen wrote: report them on rfc-ignorant.org I know it, but the way you have to report it is too long... Some time ago we had a problem on a bunch of Debian mailing lists with a persupermarket and after the ISP was not responsive, I have

Re: Bogus mails from hijacked accounts

2010-03-12 Thread ram
On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote: We seem to be having a problem where clients that we interact with regularly are having their hotmail/gmail/yahoo accounts hijacked. We are receiving e-mails from their accounts that legitimately go through the correct servers

Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp
describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address header __FORGED_HM1 From =~ /\...@hotmail\.com/i header __FORGED_HM2 Reply-to =~ /\...@hotmail\.com/i meta FORGED_HOTMAIL (__FORGED_HM1 && !__FORGED_HM2) score FORGED_HOTMAIL 5.0 and write cookie

Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Charles Gregory
On Fri, 12 Mar 2010, Dennis B. Hopp wrote: describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address header __FORGED_YH1 From =~ /\...@yahoo\.com/i header __FORGED_YH2 Reply-to =~ /\...@yahoo\.com/i meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2) The problem with this

Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp
The problem with this is that the !__FORGED_YH2 matches when there is *NO* Reply-To header at all! You need something like this: header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2) (remove the negation from the meta)

Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp
On Fri, 2010-03-12 at 12:52 -0600, Dennis B. Hopp wrote: The problem with this is that the !__FORGED_YH2 matches when there is *NO* Reply-To header at all! You need something like this: header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i meta FORGED_YAHOO

Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Karsten Bräckelmann
On Fri, 2010-03-12 at 13:19 -0500, Charles Gregory wrote: describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address header __FORGED_YH1 From =~ /\...@yahoo\.com/i header __FORGED_YH2 Reply-to =~ /\...@yahoo\.com/i meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)

Re: Bogus mails from hijacked accounts

2010-03-12 Thread Michelle Konzack
Hello, On 2010-03-12 13:38:57, Benny Pedersen wrote: On Thu 11 Mar 2010 19:52:01 CET, Michelle Konzack wrote I mean, on one of my domains tdwave.net it should be ALWAYS the same From: and Reply-To:. I have a plugin that does this, contact me offlist if you would like to have it, it's alpha

Re: Bogus mails from hijacked accounts

2010-03-12 Thread Michelle Konzack
Hello, On 2010-03-12 18:24:14, ram wrote: Why only free accounts? The 419'ers hijack legitimate corporate accounts too. Again, as the IPs have good reputation and the mails land in the inbox, I think the only way of handling this is to send proper abuse reports. Probably the free mail

Re: Bogus mails from hijacked accounts

2010-03-12 Thread hamann . w
Michelle Konzack wrote: I mean exactly: IF Reply-To: is set, verify that it matches the sender, and reject it if it does not match From:. Thanks, Greetings and nice Day/Evening Michelle Konzack Systemadministrator 24V Electronic Engineer Tamay Dogan Network Debian

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Ned Slider
David B Funk wrote: On Wed, 10 Mar 2010, Dennis B. Hopp wrote: I have put a sample at: http://pastebin.com/9BDXrxmm Note I did change the real e-mail address in this message but the hotmail address used is valid, just masked. Look at that X-Originating-IP: [41.155.87.236] header, it's a

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Brian
On Thu, 2010-03-11 at 12:26 +, Ned Slider wrote: David B Funk wrote: On Wed, 10 Mar 2010, Dennis B. Hopp wrote: I have put a sample at: http://pastebin.com/9BDXrxmm Note I did change the real e-mail address in this message but the hotmail address used is valid just masked.

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
1) Spammers rotate sender addresses and hijacked account info more often than most of us change our underwear. An account *may* get reused; chances are it'll be months before it does, and the spammers will have rotated through hundreds or thousands of others - both phish-cracked and

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
It's not conditional, just using a meta rule and negating the Reply-to test in the meta: describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address header __FORGED_HM1 From =~ /\...@hotmail\.com/i header __FORGED_HM2 Reply-to =~ /\...@hotmail\.com/i meta

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Brian
On Thu, 2010-03-11 at 07:55 -0600, Dennis B. Hopp wrote: 1) Spammers rotate sender addresses and hijacked account info more often than most of us change our underwear. An account *may* get reused; chances are it'll be months before it does, and the spammers will have rotated through

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Kris Deugau
Dennis B. Hopp wrote: I don't want to blacklist the address, hence the reason why in my original e-mail I said other than blacklisting. Whups, got your original message confused with something you replied with later. I know blacklisting would block these bogus e-mails as well as legit

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Martin Gregorie
On Thu, 2010-03-11 at 07:55 -0600, Dennis B. Hopp wrote: I'm going to look at what Martin suggested and compare it to what samples I have. FWIW, I have 2 or three portmanteau rules that are effectively collections of misspelled words (such as v1agra, improove, ...), medspamming phrases,

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Martin Gregorie
On Thu, 2010-03-11 at 10:22 -0500, Kris Deugau wrote: Ouch. :( Offhand, I'd say you might as well go ahead and blacklist them anyway, because if the passwords on these freemail accounts have been changed, I don't think there's much chance the original users will get access back. It

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dave Pooser
A scam of this type needs to be pretty tightly targeted to work. The scammer would need at least a matched pair of addresses and a good probability that the supposed sender could be somewhere near the place where the alleged robbery was said to have happened. If I've got access to your

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Martin Gregorie
On Thu, 2010-03-11 at 11:56 -0600, Dave Pooser wrote: A scam of this type needs to be pretty tightly targeted to work. The scammer would need at least a matched pair of addresses and a good probability that the supposed sender could be somewhere near the place where the alleged robbery was

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
I don't think the accounts were hijacked: the headers showed that the messages the OP posted were not sent from the domain hosting the mail accounts. It looked to me as if somebody has sold on lists of valid hotmail etc. accounts. I smell an inside job, or at least some careful

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
...and I suppose the same would apply to social networks. I don't use either, so am somewhat clueless about what goodies are available if you can access their accounts. I have some free e-mail accounts that I use as throw away accounts. When a site just HAS to have a valid e-mail so you can

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Fosforo
I've seen an increase in POP3 dictionary attacks. The cracking daemons are usually running from China. []s Fosforo -- The path of the righteous man is beset on all sides by the injustices of the selfish and the tyranny of evil men. Blessed is he who, in the name of charity and good will

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Michelle Konzack
Hello, On 2010-03-10 13:37:20, Dennis B. Hopp wrote: We seem to be having a problem where clients that we interact with regularly are having their hotmail/gmail/yahoo accounts hijacked. We are receiving e-mails from their accounts that legitimately go through the correct servers

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Michelle Konzack
Hello Martin, On 2010-03-10 22:13:59, Martin Gregorie wrote: describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address header __FORGED_HM1 From =~ /\...@hotmail\.com/i header __FORGED_HM2 Reply-to =~ /\...@hotmail\.com/i meta FORGED_HOTMAIL (__FORGED_HM1

Bogus mails from hijacked accounts

2010-03-10 Thread Dennis B. Hopp
We seem to be having a problem where clients that we interact with regularly are having their hotmail/gmail/yahoo accounts hijacked. We are receiving e-mails from their accounts that legitimately go through the correct servers (hotmail, yahoo, etc.) and so they get passed through our spam filters.

Re: Bogus mails from hijacked accounts

2010-03-10 Thread Martin Gregorie
On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote: Obviously we just have to tell the clients that they need to deal with the various e-mail providers, but is there an effective way that I can filter these messages out before my users see them without blacklisting the address? There's

Re: Bogus mails from hijacked accounts

2010-03-10 Thread Dennis B. Hopp
On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote: On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote: Obviously we just have to tell the clients that they need to deal with the various e-mail providers, but is there an effective way that I can filter these messages out

Re: Bogus mails from hijacked accounts

2010-03-10 Thread Martin Gregorie
On Wed, 2010-03-10 at 15:08 -0600, Dennis B. Hopp wrote: I meant blacklisting the sender address, not the MTA. From what you're describing the senders are all forged by somebody who bought or stole a list of valid hotmail etc. addresses and the corresponding addresses in your domain, so

Re: Bogus mails from hijacked accounts

2010-03-10 Thread Kris Deugau
Dennis B. Hopp wrote: On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote: On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote: Obviously we just have to tell the clients that they need to deal with the various e-mail providers, but is there an effective way that I can filter these

Re: Bogus mails from hijacked accounts

2010-03-10 Thread David B Funk
On Wed, 10 Mar 2010, Dennis B. Hopp wrote: We seem to be having a problem where clients that we interact with regularly are having their hotmail/gmail/yahoo accounts hijacked. We are receiving e-mails from their accounts that legitimately go through the correct servers (hotmail, yahoo, etc.)