Re: Yahoo single link spam

2013-04-11 Thread Alex
Hi, Recently I noticed that this rule was getting FPs from mail on a SourceForge-related mailing list that I thought should have nothing to do with Yahoo, so I added in another (obfuscated) rule. The combination now looks like this: # # Yahoo message-ID but sender not Yahoo. # describe

Re: Yahoo single link spam

2013-04-11 Thread Martin Gregorie
On Thu, 2013-04-11 at 18:25 -0400, Alex wrote: Hi, Recently I noticed that this rule was getting FPs from mail on a SourceForge-related mailing list that I thought should have nothing to do with Yahoo, so I added in another (obfuscated) rule. The combination

Re: Yahoo single link spam

2013-04-10 Thread Alex
Hi, Would someone put some samples of Yahoo single link spam on PasteBin. I am trying to test my rules and I seem to be missing some of the variations. Here's an example: it is the message I developed the following rule against: http://pastebin.com/VRvtDfER I've obfuscated all e-mail

Re: Yahoo single link spam

2013-04-10 Thread Noel
On 4/10/2013 7:42 PM, Alex wrote: Hi, Would someone put some samples of Yahoo single link spam on PasteBin. I am trying to test my rules and I seem to be missing some of the variations. Here's an example: it is the message I developed the following rule

Re: Yahoo single link spam

2013-04-10 Thread Alex
Hi, Would someone put some samples of Yahoo single link spam on PasteBin. I am trying to test my rules and I seem to be missing some of the variations. Here's an example: it is the message I developed the following rule against: http://pastebin.com/VRvtDfER I've obfuscated all e-mail

Re: Yahoo single link spam

2013-04-10 Thread Noel
On 4/10/2013 9:00 PM, Alex wrote: Hi, Would someone put some samples of Yahoo single link spam on PasteBin. I am trying to test my rules and I seem to be missing some of the variations. Here's an example: it is the message I developed

Re: Yahoo single link spam

2013-03-19 Thread Alex
Hi, We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. ---262101065-1882747875-1361559395=:62570 Content-Type: text/plain; charset=us-ascii

Re: Yahoo single link spam

2013-03-19 Thread Kevin A. McGrail
On 3/19/2013 4:54 PM, Alex wrote: I know Kevin posted some rules, but they are no longer effective, as they rely on fixed subjects or sender names. My rules are metas where some of the fixed subjects were useful. The sender names were just internal. However, I find the rules to be very

Re: [sa-list] Re: Yahoo single link spam

2013-03-11 Thread Kevin A. McGrail
On 3/10/2013 3:37 PM, Dan Mahoney, System Admin wrote: Here's the current version I'm using based on 3.4.0 trunk: #YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE header __KAM_YAHOO1From =~

Re: [sa-list] Re: Yahoo single link spam

2013-03-10 Thread Dan Mahoney, System Admin
On Fri, 22 Feb 2013, Kevin A. McGrail wrote: On 2/22/2013 3:27 PM, David F. Skoll wrote: On Fri, 22 Feb 2013 12:20:22 -0800 Marc Perkel supp...@junkemailfilter.com wrote: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to

Re: Yahoo single-link spam common elements

2013-03-03 Thread Alex
Hi, My latest attempt is this: header __RP_D_00040_1 From:addr =~ /yahoo/i header __RP_D_00040_2 To =~ /(:?@.*?){5}/ body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/ meta RP_D_00040 __RP_D_00040_1 __RP_D_00040_2 __RP_D_00040_3 describe RP_D_00040 Yahoo single-line URL

Re: Yahoo single-link spam common elements

2013-03-03 Thread John Hardin
On Sun, 3 Mar 2013, Alex wrote: Hi, My latest attempt is this: header __RP_D_00040_1 From:addr =~ /yahoo/i header __RP_D_00040_2 To =~ /(:?@.*?){5}/ body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/ meta RP_D_00040 __RP_D_00040_1 __RP_D_00040_2 __RP_D_00040_3 describe

Re: Yahoo single-link spam common elements

2013-03-03 Thread Alex
Hi, header __RP_D_00040_1 From:addr =~ /yahoo/i header __RP_D_00040_2 To =~ /(:?@.*?){5}/ body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/ meta RP_D_00040 __RP_D_00040_1 __RP_D_00040_2 __RP_D_00040_3 describe RP_D_00040 Yahoo single-line URL spam I'm seeing variations

Re: Yahoo single link spam

2013-03-02 Thread Niamh Holding
Hello David, Friday, March 1, 2013, 5:33:55 PM, you wrote: DFS are people still seeing these Yahoo single-link spams? Got one yesterday -- Best regards, Niamh mailto:ni...@fullbore.co.uk

Re: Yahoo single-link spam common elements

2013-03-02 Thread Niamh Holding
Hello David, Friday, March 1, 2013, 5:43:37 PM, you wrote: DFS Can others confirm this pattern? No. URL in yesterday's is http://b23144.s3-website-ap-northeast-1.amazonaws.com -- Best regards, Niamh mailto:ni...@fullbore.co.uk

Re: Yahoo single link spam

2013-03-01 Thread Martin Gregorie
On Thu, 2013-02-28 at 20:34 -0500, Steve Prior wrote: I'm really starting to suspect that these spammers are scraping your public posts on Facebook and grabbing the names of people that commented on those posts, then using a Yahoo account and setting that name on the account before sending

RE: Yahoo single link spam

2013-03-01 Thread Scott Ostrander
Would someone put some samples of Yahoo single link spam on PasteBin. I am trying to test my rules and I seem to be missing some of the variations. Thanks, Scott -Original Message- From: Marc Perkel [mailto:supp...@junkemailfilter.com] Sent: Friday, February 22, 2013 12:20 PM To: users

Re: Yahoo single link spam

2013-03-01 Thread Martin Gregorie
On Fri, 2013-03-01 at 15:38 +, Scott Ostrander wrote: Would someone put some samples of Yahoo single link spam on PasteBin. I am trying to test my rules and I seem to be missing some of the variations. Here's an example: it is the message I developed the following rule against: http

Re: Yahoo single link spam

2013-03-01 Thread David F. Skoll
Somewhat OT... are people still seeing these Yahoo single-link spams? They seem to have stopped abruptly as far as I can tell. Regards, David.

Re: Yahoo single link spam

2013-03-01 Thread Anthony Hoppe
We don't see them as much as we used to, but they still make an appearance every once in a while. ~ Anthony - Original Message - From: David F. Skoll d...@roaringpenguin.com To: users@spamassassin.apache.org Sent: Friday, March 1, 2013 9:33:55 AM Subject: Re: Yahoo single link spam

Re: Yahoo single link spam

2013-03-01 Thread Kevin A. McGrail
I saw 3 yesterday, yes. Scored 6.4 but I use a high threshold so I can view the fringe spam. On 3/1/2013 12:33 PM, David F. Skoll wrote: Somewhat OT... are people still seeing these Yahoo single-link spams? They seem to have stopped abruptly as far as

Yahoo single-link spam common elements

2013-03-01 Thread David F. Skoll
Hi, These are the common elements as far as I can see in the text/plain part of the spam: 1) The URL always matches this regex: http://\S+/\S+\.\s+\? In other words, there's always a dot in the URL (not counting the dots in the domain name itself) and a question mark. 2) The URL is then

Re: Yahoo single-link spam common elements

2013-03-01 Thread Kevin A. McGrail
On 3/1/2013 12:43 PM, David F. Skoll wrote: These are the common elements as far as I can see in the text/plain part of the spam: 1) The URL always matches this regex: http://\S+/\S+\.\s+\? In other words, there's always a dot in the URL (not counting the dots in the domain name itself)

Re: Yahoo single link spam

2013-03-01 Thread Martin Gregorie
On Fri, 2013-03-01 at 12:33 -0500, David F. Skoll wrote: Somewhat OT... are people still seeing these Yahoo single-link spams? They seem to have stopped abruptly as far as I can tell. I haven't seen one for a few days either, but think it's still a useful rule because it can't cost a lot to run

Re: Yahoo single link spam

2013-03-01 Thread Ned Slider
On 01/03/13 17:33, David F. Skoll wrote: Somewhat OT... are people still seeing these Yahoo single-link spams? They seem to have stopped abruptly as far as I can tell. Regards, David. Here's one from this morning: http://pastebin.com/cuk595z6 that matches the pattern being discussed.

Re: Yahoo single-link spam common elements

2013-03-01 Thread Alexandre Boyer
Right: the suggested pattern is working great, but there are some variants as KAM says. However I sense that these are not the same bots. The one with the date in body is always the same (the spammer only changed the date format). I heard about a cross site botnet exploit on Yahoo! and third

Re: Yahoo single-link spam common elements

2013-03-01 Thread David F. Skoll
On Fri, 01 Mar 2013 14:39:09 -0500 Alexandre Boyer bigg...@gmail.com wrote: Pretty the same as what David suggests :-) My latest attempt is this: header __RP_D_00040_1 From:addr =~ /yahoo/i header __RP_D_00040_2 To =~ /(:?@.*?){5}/ body __RP_D_00040_3

Re: Yahoo single-link spam common elements

2013-03-01 Thread Alexandre Boyer
The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no To:address, just To:name, which was harder to count... I removed the similar rule as your __RP_D_00040 from my systems to

Re: Yahoo single-link spam common elements

2013-03-01 Thread Ned Slider
On 01/03/13 19:55, Alexandre Boyer wrote: The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no To:address, just To:name, which was harder to count... I removed the similar rule

Re: Yahoo single-link spam common elements

2013-03-01 Thread Benny Pedersen
Ned Slider skrev den 2013-03-02 02:11: header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/ Can someone explain the regex and why it fails to fire for 7 recipients? As I read it, it fires if there are more than 4 domains, not only 5 recipients, just a wild guess from me since I am

Re: Yahoo single-link spam common elements

2013-03-01 Thread Wolfgang Zeikat
In an older episode, on 2013-03-02 02:19, Benny Pedersen wrote: Ned Slider skrev den 2013-03-02 02:11: header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/ Can someone explain the regex and why it fails to fire for 7 recipients? As I read it, it fires if there are more than 4

Re: Yahoo single-link spam common elements

2013-03-01 Thread John Hardin
On Sat, 2 Mar 2013, Ned Slider wrote: On 01/03/13 19:55, Alexandre Boyer wrote: The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no To:address, just To:name, which was

Re: Yahoo single-link spam common elements

2013-03-01 Thread Martin Gregorie
On Sat, 2013-03-02 at 01:11 +, Ned Slider wrote: That said, I just checked my example, and __MANY_RECIPS failed to fire. Here's the current rule: header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/ Can someone explain the regex and why it fails to fire for 7 recipients? Is

Re: Yahoo single-link spam common elements

2013-03-01 Thread Ned Slider
On 02/03/13 01:40, John Hardin wrote: On Sat, 2 Mar 2013, Ned Slider wrote: On 01/03/13 19:55, Alexandre Boyer wrote: The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no

Re: Yahoo single-link spam common elements

2013-03-01 Thread Wolfgang Zeikat
In an older episode, on 2013-03-02 02:40, John Hardin wrote: header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/ Can someone explain the regex and why it fails to fire for 7 recipients? (@, followed by 5-30 non-@ characters) repeated three times. Does that mean the same sequence

Re: Yahoo single-link spam common elements

2013-03-01 Thread John Hardin
On Sat, 2 Mar 2013, Wolfgang Zeikat wrote: In an older episode, on 2013-03-02 02:40, John Hardin wrote: header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/ Can someone explain the regex and why it fails to fire for 7 recipients? (@, followed by 5-30 non-@ characters)

Re: Yahoo single-link spam common elements

2013-03-01 Thread John Hardin
On Sat, 2 Mar 2013, Ned Slider wrote: On 02/03/13 01:40, John Hardin wrote: On Sat, 2 Mar 2013, Ned Slider wrote: header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/ Can someone explain the regex and why it fails to fire for 7 recipients? If the username + domain name +

Re: Yahoo single link spam

2013-02-28 Thread Steve Prior
On 2/23/2013 10:56 AM, Kevin A. McGrail wrote: I am 100% certain that it is compromised accounts on yahoo where they steal the address books. They then seem to cross correlate and use common last names to mail people using other compromised yahoo accounts. Though I need to check if they have

Re: Yahoo single link spam

2013-02-25 Thread David F. Skoll
Hello, I've discovered something... all of our samples of the Yahoo spam contain a text/plain part that contains something like this: http://www.majormedicaladvice.com/gfrqcov/ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33 PMKaryn Armstrong That is, the target URL is immediately followed by the date, a

Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen
Marc Perkel skrev den 2013-02-22 21:20: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. http://www.mywot.com/en/scorecard/fox-enws.com/ http://www.trustpilot.com/review/fox-enws.com is

Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen
David F. Skoll skrev den 2013-02-22 21:27: HeaderMatches RegExp ^To:(.*?@.*?){5} AND Envelope Sender Ends with @yahoo.com AND MessageSize 6000 Well, ok... the MessageSize condition is tricky. And this rule does kick up some

Re: Yahoo single link spam

2013-02-24 Thread Axb
On 02/24/2013 06:29 PM, Benny Pedersen wrote: Marc Perkel skrev den 2013-02-22 21:20: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. http://www.mywot.com/en/scorecard/fox-enws.com/

Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen
Kevin A. McGrail skrev den 2013-02-22 21:56: describe KAM_YAHOO Compromised Yahoo! Accounts Sending Spam incorrect, if they are DKIM signed it's Yahoo, if not it's a silly spammer blacklist_from (all-yahoo-domains) def_whitelist_from all-yahoo-domains) would be more simple the

Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen
Axb skrev den 2013-02-24 18:35: http://www.mywot.com/en/scorecard/fox-enws.com/ http://www.trustpilot.com/review/fox-enws.com is it possible to implement it? IMHO SURBL is using it, but it would be nice to have it live tested What you're seeing is other way round - mywot uses SURBL If

Re: Yahoo single link spam

2013-02-24 Thread Axb
On 02/24/2013 06:48 PM, Benny Pedersen wrote: Axb skrev den 2013-02-24 18:35: http://www.mywot.com/en/scorecard/fox-enws.com/ http://www.trustpilot.com/review/fox-enws.com is it possible to implement it? IMHO SURBL is using it, but it would be nice to have it live tested What you're

Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen
Axb skrev den 2013-02-24 19:02: I obviously didn't understand you, nor do I understand you now doesn't matter... now you understand why you are developer and I am not? :=))) I remember some that said it :(

Re: Yahoo single link spam

2013-02-24 Thread Kevin A. McGrail
On 2/23/2013 10:56 AM, Kevin A. McGrail wrote: Though I need to check if they have started forging as well through other servers. Just following up on this and checking the Yahoo! spam that I've been researching, all of it is sent by Yahoo! accounts through Yahoo! with real DKIM signatures.

Re: Yahoo single link spam

2013-02-24 Thread David F. Skoll
On Sun, 24 Feb 2013 18:35:04 +0100 Benny Pedersen m...@junc.eu wrote: David could you make this as a clamav logical signature ?, and test it ? I don't know how to do that... sorry. Regards, David.

Re: Yahoo single link spam

2013-02-23 Thread Martin Gregorie
On Fri, 2013-02-22 at 12:20 -0800, Marc Perkel wrote: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. ---262101065-1882747875-1361559395=:62570 Content-Type: text/plain;

Re: Yahoo single link spam

2013-02-23 Thread Kevin A. McGrail
I am 100% certain that it is compromised accounts on yahoo where they steal the address books. They then seem to cross correlate and use common last names to mail people using other compromised yahoo accounts. Though I need to check if they have started forging as well through other servers.

Yahoo single link spam

2013-02-22 Thread Marc Perkel
We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. ---262101065-1882747875-1361559395=:62570 Content-Type: text/plain; charset=us-ascii

Re: Yahoo single link spam

2013-02-22 Thread David F. Skoll
On Fri, 22 Feb 2013 12:20:22 -0800 Marc Perkel supp...@junkemailfilter.com wrote: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. Our product lets you make compound rules. It should not

Re: Yahoo single link spam

2013-02-22 Thread Kevin A. McGrail
On 2/22/2013 3:27 PM, David F. Skoll wrote: On Fri, 22 Feb 2013 12:20:22 -0800 Marc Perkel supp...@junkemailfilter.com wrote: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that identifies it. Our product

Re: Yahoo single link spam

2013-02-22 Thread The Doctor
On Fri, Feb 22, 2013 at 03:27:27PM -0500, David F. Skoll wrote: On Fri, 22 Feb 2013 12:20:22 -0800 Marc Perkel supp...@junkemailfilter.com wrote: We need a rule to catch this. It looks like more data than it is but it's really little more than a single link. Like to see a rule that

Re: Yahoo single link spam

2013-02-22 Thread David F. Skoll
On Fri, 22 Feb 2013 15:56:38 -0500 Kevin A. McGrail kmcgr...@pccc.com wrote: Here's the current version I'm using based on 3.4.0 trunk: We're seeing many different variations. For example, we see over 70 variations in the name (not just Connor Hopkins). Regards, David.

Re: Yahoo single link spam

2013-02-22 Thread Kevin A. McGrail
On 2/22/2013 4:01 PM, David F. Skoll wrote: On Fri, 22 Feb 2013 15:56:38 -0500 Kevin A. McGrail kmcgr...@pccc.com wrote: Here's the current version I'm using based on 3.4.0 trunk: We're seeing many different variations. For example, we see over 70 variations in the name (not just Connor

Re: Yahoo single link spam

2013-02-22 Thread Steve Prior
Here's the current version I'm using based on 3.4.0 trunk: We're seeing many different variations. For example, we see over 70 variations in the name (not just Connor Hopkins). Agreed. That's more of an internal meta because we had one person really getting hammered. YMMV. I've been