> unbound-host -rvD foolinux.mooo.com
foolinux.mooo.com has address 136.25.152.91 (insecure)
foolinux.mooo.com has no IPv6 address (insecure)
foolinux.mooo.com has no mail handler record (insecure)
> Original Message ----
> Subject: Re: Direct download link detection
> Local T
uttons
Sent from ProtonMail webmail.
> ---- Original Message
> Subject: Re: Direct download link detection
> Local Time: July 27, 2017 9:06 PM
> UTC Time: July 27, 2017 7:06 PM
> From: i...@very.loosely.org
> To: users@spamassassin.apache.org
> On 2017-07-27 13:0
On 2017-07-27 13:08, Rupert Gallagher wrote:
> The rfc prescribes (MUST) the use of your public domain in the domain
> part of your mid.
If you mean RFC 5322, this is not true. Section 3.6.4:
The message identifier (msg-id) itself MUST be a globally unique
identifier for a message. The g
The rfc prescribes (MUST) the use of your public domain in the domain part of
your mid. So the dns tests are just the first in the queue. The domain must
also match early in the Received list. If you fail with it, then you have
problems with every rfc-compliant smtp server world-wide. This filte
> Are you able to turn it off?
I tried. No such option. :-(
Sent from ProtonMail Mobile
On Wed, Jul 26, 2017 at 6:05 PM, Matus UHLAR - fantomas
wrote:
> On 26.07.17 02:48, Rupert Gallagher wrote: >+1 to remove that clause from the
> RFC. I don't see any reason... btw you'd need to change it to
On 2017-07-26 17:22, Dianne Skoll wrote:
On Wed, 26 Jul 2017 17:15:43 +0200
Michael Storz wrote:
[...]
/boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
You may get FPs. See for example
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolut
On 2017-07-26 02:48, Rupert Gallagher wrote:
> When a mail arrives without mid, either the sender did not use a real
> SMTP server or tried to hide it. We have a custom SA rule for it. We
> also reject upfront any mid with a syntax error, or whose domain does
> not have a rdns (eg. @localhost.loca
On 26.07.17 02:48, Rupert Gallagher wrote:
+1 to remove that clause from the RFC.
I don't see any reason... btw you'd need to change it to MUST NOT for all
to stop (which is unlikely to happen).
When a mail arrives without mid, either the sender did not use a real SMTP
server or tried to hid
On Wed, 26 Jul 2017 08:28:52 -0700 (PDT)
John Hardin wrote:
> ...all of which is, sadly, whack-a-mole.
However, there are few to no alternatives to whack-a-mole for this
spam run. The messages are pretty bland.
We've been diligently adding the URLs to our phishing list and we seem
to have caug
On Wed, 26 Jul 2017, Michael Storz wrote:
On 2017-07-26 15:08, Dianne Skoll wrote:
On Tue, 25 Jul 2017 08:36:22 -0400
Dianne Skoll wrote:
> All of the URLs match this pattern:
> /\/[A-Z]{4}\d{6}\/$/
We see a new variant with the subject "Your Virgin Media bill is
ready" and URLs
On Wed, 26 Jul 2017 17:15:43 +0200
Michael Storz wrote:
[...]
> /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
You may get FPs. See for example
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105578
I am guessi
On 2017-07-26 15:08, Dianne Skoll wrote:
On Tue, 25 Jul 2017 08:36:22 -0400
Dianne Skoll wrote:
All of the URLs match this pattern:
/\/[A-Z]{4}\d{6}\/$/
We see a new variant with the subject "Your Virgin Media bill is ready"
and
URLs that match:
uri__RP_D_00108_03 /\/\d{1
On Tue, 25 Jul 2017 08:36:22 -0400
Dianne Skoll wrote:
> All of the URLs match this pattern:
> /\/[A-Z]{4}\d{6}\/$/
We see a new variant with the subject "Your Virgin Media bill is ready" and
URLs that match:
uri__RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/
Regards,
Dianne.
+1 to remove that clause from the RFC.
When a mail arrives without mid, either the sender did not use a real SMTP
server or tried to hide it. We have a custom SA rule for it. We also reject
upfront any mid with a syntax error, or whose domain does not have a rdns (eg.
@localhost.localdomain or @
On Tue, 25 Jul 2017 10:28:41 -0500 (CDT)
David B Funk wrote:
> If the original message actually had that message-ID form when it
> arrived at the OP's mail MX server, then your assessment makes sense.
>
> However it's entirely possible that message-ID was added by the OP's
> mail server because t
On Tue, 25 Jul 2017, Rupert Gallagher wrote:
Before bothering with body spam, make sure the header is clear. The
specific email should have been rejected upfront, because the foreign
sender's message-id pretends to originate from the recipient's smtp
server.
That's potentially valid. If a MT
On Tue, 25 Jul 2017 13:15:33 +0100
RW wrote:
> https://pastebin.com/p7EnFNf7
We've seen lots of those and collected a few dozen unique URLs for our
URL blacklists. I added a swath of them to the APER project in this
commit:
https://sourceforge.net/p/aper/code/11830/
All of the URLs ma
On Mon, 24 Jul 2017 18:00:33 -0400
Alex wrote:
> This one's probably already on some blacklists, but I'm still
> blocking others:
>
> https://pastebin.com/p7EnFNf7
It seems to be common for this kind of virus spam to pass itself off as an
invoice. You might try creating a rule that checks for this
On Mon, 24 Jul 2017 23:00:33 +0100, Alex wrote:
Link to malicious file removed... Generally not a good idea to post direct
links like that.
What would be involved in following these links in SA to determine if
they immediately download a file (other than a web page)?
Testing links in mail
On Mon, Jul 24, 2017, at 15:00, Alex wrote:
> Hi,
>
> We're currently experiencing a new spam campaign that involves some
> text pertaining to invoicing then a link that immediately downloads a
> Word macro file.
>
> http://sdeflores.com/PHJC579907/
>
> What would be involved in following these
On 07/24/2017 05:00 PM, Alex wrote:
Hi,
We're currently experiencing a new spam campaign that involves some
text pertaining to invoicing then a link that immediately downloads a
Word macro file.
http://sdeflores.com/PHJC579907/
What would be involved in following these links in SA to determine
Alex wrote on 2017-07-25 00:00:
https://pastebin.com/p7EnFNf7
it's more malware than spam
https://virustotal.com/da/file/b5f30f3f12d8337750943f35a076e3c9690bd18505f7eb31101c98c72f454629/analysis/1500933955/
Hi,
We're currently experiencing a new spam campaign that involves some
text pertaining to invoicing then a link that immediately downloads a
Word macro file.
http://sdeflores.com/PHJC579907/
What would be involved in following these links in SA to determine if
they immediately download a file (