- Original Message -
From: Raymond Dijkxhoorn [EMAIL PROTECTED]
To: wolfgang [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Sunday, May 15, 2005 9:31 PM
Subject: Re: Bombarded by German political spam
Hi!
it uses a score of 8 and /i - anyway, it might save you some
On Sat, 2005-05-21 at 14:09, List wrote:
- Original Message -
From: Raymond Dijkxhoorn [EMAIL PROTECTED]
To: wolfgang [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Sunday, May 15, 2005 9:31 PM
Subject: Re: Bombarded by German political spam
Hi!
it uses a score
Do i copy and paste the contents of german.cf into my local.cf or just
download the german.cf into /etc/mail/spamassassin ?
Either one. SA will load all files ending in *.cf in alphabetical order by
file name.
Simplest to just drop the new file into the directory.
Remember to restart spamd,
Jeff Chan wrote:
IIRC Sober P advertised free World Cup tickets or something like
that. That would tend to get people to open the virus spams in
Europe, but probably wouldn't mean sh!t here in the U.S. where
probably fewer than 1 in 10 people has any idea what a World
Cup is. Superbowl they've
From: Bill Maidment [EMAIL PROTECTED]
Jeff Chan wrote:
IIRC Sober P advertised free World Cup tickets or something like
that. That would tend to get people to open the virus spams in
Europe, but probably wouldn't mean sh!t here in the U.S. where
probably fewer than 1 in 10 people has
-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 6:17 AM
To: users@spamassassin.apache.org
Subject: Re: Bombarded by German political spam
On Tuesday, May 17, 2005, 3:42:09 PM, David Funk wrote:
So the intensity of the spam bombing
Jeff Chan wrote:
On Tuesday, May 17, 2005, 3:42:09 PM, David Funk wrote:
So the intensity of the spam bombing is inversely proportional to
the local computer community 'clue level'. This tends to indicate
that there are more clue-less American windows llusers than there
are German. No surprise
From: Rick Cooper [EMAIL PROTECTED]
-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
On Tuesday, May 17, 2005, 3:42:09 PM, David Funk wrote:
So the intensity of the spam bombing is inversely proportional to
the local computer community 'clue level'. This tends to
-Original Message-
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 15, 2005 7:04 PM
To: users@spamassassin.apache.org
Cc: users@spamassassin.apache.org
Subject: Re: Bombarded by German political spam
In an older episode (Monday 16 May 2005 00:17), List Mail User
On Monday, 16-May-2005 09:53, Elizabeth Schwartz wrote:
Does anyone have any good generic german spam filter rulesets? We
have some legitimate German users, so I don't want to start
blacklisting, and I worry that filtering one specific header at a
time is a lost cause...
This link showed up
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
On Mon, May 16, 2005 at 02:05:09PM -0400, Elizabeth Schwartz wrote:
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
- the often seen Lese selbst is scored 4
Just curious, what's that mean to the spammers? google translates it
as vintage
It means read by yourself.
--
...
...
whitelist at surbl dot org
Jeff, thanks for the submission address, i'll send a Bcc there and also post
the list below to uribl's submission form.
frankly, i find it too much effort to check if they are blacklisted, so i will
just list some more german domains that i consider worth
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
- the often seen Lese selbst is scored 4
Just curious, what's that mean to the spammers? google translates it
as vintage
Never trust automatic translators it is rather read yourself
Wolfgang Hamann
From: Elizabeth Schwartz
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
Do you see the following problems with this Ruleset? If I move the
99_sober.cf, it lint runs w/o error.
debug: URIDNSBL: domains to query:
debug: Running tests for priority: 0
debug: running header
wolfgang wrote:
there is one online that is based on the typical message-ids
used by that current virus based spam wave and on a few
additional indicators from those mails. i find it a bit risky -
anyway, here is the URL:
http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
regards,
On Tue, May 17, 2005 at 09:37:26AM -0500, Kayne Kruse wrote:
From: Elizabeth Schwartz
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
Do you see the following problems with this Ruleset? If I move the
99_sober.cf, it lint runs w/o error.
I linted it right now. Can't
Tim B wrote:
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming from
trojaned PCs. Other than the specific URLs in the messages haven't
found any easily identified parts to create rules for.
Does anyone know the logic behind this spam bombing? I have a friend
who has a gmx.de account and he has gotten 0 german spam in it... yet
here in the u.s. we are getting bombarded by the spam.
Anton Krall wrote:
Any SA rules out there that can catch the german spam mails?
I am only needing to filter on the subjects I quoted because Mailman
has no other option and the mailing list is not using spamassassin.
Simply filtering on the subject is not a great method. But since I am
stuck
Matias Lopez Bergero wrote:
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules
Did this suddenly stop today for anyone else and now you're just dealing
with the NDR's?
Actually it suddenly *started* for me today. Before that only one stupid
zombie someplace thought I was in Germany. Now they all seem to.
And the faked sender names all start with the letter J.
Does anyone know the logic behind this spam bombing? I have a friend
who has a gmx.de account and he has gotten 0 german spam in it... yet
here in the u.s. we are getting bombarded by the spam.
There is logic behind spamming ? News to me ;-)
Personally I think it's incredibly arrogant of
Any SA rules out there that can catch the german spam mails?
|-Original Message-
|From: Bob Proulx [mailto:[EMAIL PROTECTED]
|Sent: Lunes, 16 de Mayo de 2005 12:00 a.m.
|To: users@spamassassin.apache.org
|Subject: Re: Bombarded by German political spam
|
|Raymond Dijkxhoorn wrote
:[EMAIL PROTECTED]
Sent: 16 May 2005 09:40
To: users@spamassassin.apache.org
Subject: RE: Bombarded by German political spam
Any SA rules out there that can catch the german spam mails?
|-Original Message-
|From: Bob Proulx [mailto:[EMAIL PROTECTED]
|Sent: Lunes, 16 de Mayo de
was found.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: Anton Krall [mailto:[EMAIL PROTECTED]
Sent: 16 May 2005 09:40
To: users@spamassassin.apache.org
Subject: RE: Bombarded by German political spam
Any SA rules
Subject: RE: Bombarded by German political spam
Any SA rules out there that can catch the german spam mails?
|-Original Message-
|From: Bob Proulx [mailto:[EMAIL PROTECTED]
|Sent: Lunes, 16 de Mayo de 2005 12:00 a.m.
|To: users@spamassassin.apache.org
|Subject: Re: Bombarded by German
On Sunday 15 May 2005 17:51, List Mail User wrote:
...
wolfgang wrote:
[...]
I noticed that the WS URIBL does by now recognize various of the
URIs in those mails, and a rule like
# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
On Sun, May 15, 2005 at 10:59:40PM -0600, Bob Proulx wrote:
The list I have collected is slightly different than yours.
snips
Subject: Ihre Anfrage an Amazon.de
Your question to amazon.de - are you sure that's a spam subject ?
Nick
On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
Hi!
http://mailscanner.prolocation.net/german.cf
You've got a bit of duplication in there (rules 02 and 22 are the
same, as are 04 and 26).
I'll clean them, thanks! v0.2 there in a few :)
Does anyone have any good generic german spam filter rulesets? We have
some legitimate German users, so I don't want to start blacklisting,
and I worry that filtering one specific header at a time is a lost
cause...
thanks Betsy
-Original Message-
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 15, 2005 7:04 PM
To: users@spamassassin.apache.org
Cc: users@spamassassin.apache.org
Subject: Re: Bombarded by German political spam
In an older episode (Monday 16 May 2005 00:17), List Mail User wrote
In an older episode (Monday 16 May 2005 03:23), Jeff Chan wrote:
i started listing such publishers today:
uridnsbl_skip_domain *.berlinonline.de
uridnsbl_skip_domain berlinonline.de
uridnsbl_skip_domain *.heise.de
uridnsbl_skip_domain heise.de
uridnsbl_skip_domain
[EMAIL PROTECTED]
To: Raymond Dijkxhoorn [EMAIL PROTECTED]
Cc: Bart Schaefer [EMAIL PROTECTED];
users@spamassassin.apache.org
Sent: Monday, May 16, 2005 4:11 PM
Subject: Re: Bombarded by German political spam
On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
Hi!
http
Thx!
|-Original Message-
|From: Randal, Phil [mailto:[EMAIL PROTECTED]
|Sent: Lunes, 16 de Mayo de 2005 03:56 a.m.
|To: Anton Krall; users@spamassassin.apache.org
|Subject: RE: Bombarded by German political spam
|
|Yes, see here:
|
|http://weir.dattitu.de/archives/9-Filtering-Sober
In an older episode (Monday 16 May 2005 16:53), Elizabeth Schwartz wrote:
Does anyone have any good generic german spam filter rulesets? We have
some legitimate German users, so I don't want to start blacklisting,
and I worry that filtering one specific header at a time is a lost
cause...
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
- the often seen Lese selbst is scored 4
Just curious, what's that mean to the spammers? google translates it
as vintage
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
-Original Message-
From: Elizabeth Schwartz [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 10:54 AM
To: users@spamassassin.apache.org
Subject: Re: Bombarded by German political spam
Does anyone have any good generic german spam filter rulesets? We have
some legitimate German users, so I don't
On Sun, 15 May 2005, David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
Many thanks for this rule (99_sober.cf)
It rocks :-)
Thanks again
Eddy
- Original Message -
Subject: Re: Bombarded by German political spam
On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
Hi!
http://mailscanner.prolocation.net/german.cf
You've got a bit
Hi!
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
Actually it was
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I only have one, and you might be better off looking for the urls than the
subject:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Lese selbst:
http://www.npd.de/npd_info/deutschland/2005/d0405-13.html
Neue
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I only have one, and you might be better off looking for the urls than the
subject:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Lese selbst:
http://www.npd.de/npd_info/deutschland/2005/d0405-13.html
I only have one, and you might be better off looking for the urls than the
subject:
Ok, now I have two. Both from the same machine as it happens, although this
time it claims it is an AOL mail server. Last time it was something else.
Yea, right.
Subject: Paranoider Deutschenmoerder kommt in
In an older episode (Sunday 15 May 2005 10:47), Raymond Dijkxhoorn wrote:
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner
In an older episode (Sunday 15 May 2005 11:55), wolfgang wrote:
oops, this one:
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
is not part of them ;)
regards,
wolfgang
M-Original Message-
MFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
MSent: 15 May 2005 10:46
MTo: users@spamassassin.apache.org
MCc: Loren Wilton
MSubject: Re: Bombarded by German political spam
M
Mnpd.de is Nazi political party
M
M
M Kanzler erleichtert Visaverfahren für Golfstaaten
On 5/15/05, David B Funk [EMAIL PROTECTED] wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create
Hi!
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject:
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
Hi!
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch
Hi!
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
cut
This is the complete list so far:
Subject: 4,8 Mill. Osteuropaeer durch
wolfgang wrote:
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
Hi!
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife
Raymond Dijkxhoorn wrote:
[...]
This is the complete list so far:
[...]
Subject: Multi-Kulturell = Multi-Kriminell
--
CU,
Patrick.
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
Hi!
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch
Hi!
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
anyone care to make a small ruleset to score them up?
someone posted one at
http://www.file-upload.net/15.05.05/5_x4st.cf
it uses a score of 8 and /i - anyway, it might save you some effort ;)
Just finished my ruleset
Hi!
it uses a score of 8 and /i - anyway, it might save you some effort ;)
Just finished my ruleset also... grin. The one there has 27 so it's missing 5.
I also don't understand why it used the meta tags in that one... It's
combining nothing in fact... strange.
I put my one online also:
On 5/15/05, Raymond Dijkxhoorn [EMAIL PROTECTED] wrote:
http://mailscanner.prolocation.net/german.cf
You've got a bit of duplication in there (rules 02 and 22 are the
same, as are 04 and 26).
Hi!
http://mailscanner.prolocation.net/german.cf
You've got a bit of duplication in there (rules 02 and 22 are the
same, as are 04 and 26).
I'll clean them, thanks! v0.2 there in a few :)
Bye,
Raymond.
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the webmaster account.
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!
I got about 200 of them into a few accounts and
seemingly I'm receiving more every few minutes.
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!
Oh, there is a connection. Just like last year's sober.g and a German
extremist spamrun.
This spamrun was caused by sober.q which was downloaded by sober.p
Niek
I think the connection is that the infected machines are sending out this political spam and not that they are sending the actual virus.
Adam
"Chr. von Stuckrad" [EMAIL PROTECTED] 05/15/2005 12:19:39
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!
Also see:
http://isc.sans.org/
http://www.viruslist.com/en/weblog
Niek
On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the webmaster account.
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!
[SNIP...]
No attachments seem
...
wolfgang wrote:
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
Hi!
Anyone has a full list of subjects yet, time to do some SA magic... ;)
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf
In an older episode (Sunday 15 May 2005 18:51), List Mail User wrote:
# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
body URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
describe
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
Gerald V. Livingston II wrote:
On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the webmaster account.
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!
[SNIP...]
...
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
In an older episode (Monday 16 May 2005 00:17), List Mail User wrote:
JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could
prepare a preliminary whitelist for them, just to avoid the exact case you
have mentioned - Legitimate news sources/agencies/publishers getting
Wolfgang,
On a related note; Having just seen the first such email at my site
(it wasn't delivered), I'm assuming the npd. de is the actual political
party itself? If so, their paper work is squeaky clean, even the name servers'
domains are clean; The best I could do was
On Sunday, May 15, 2005, 4:04:09 PM, wolfgang wolfgang wrote:
In an older episode (Monday 16 May 2005 00:17), List Mail User wrote:
JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could
prepare a preliminary whitelist for them, just to avoid the exact case you
have
Chr. von Stuckrad wrote:
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the webmaster account.
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!
I got about 200 of them into a few accounts and
seemingly I'm receiving more
Raymond Dijkxhoorn wrote:
This is the complete list so far:
I am helping to manage a mailing list with mailman and the interface
there is pretty restrictive and there is no spam filtering such as SA
under it so no SURBL either. Slightly off topic for the SA list. But
I found in the interface
anybody else seeing this?
I got one of them, and fortunately only one. Bayes did a good job of
catching it.
Loren