Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/10/17 19:14:22 UTC

MailChimp with link to javascript/zip malware

Hi,

Another email from a whitelisted mailchimp address that contains malware.

https://pastebin.com/ay83iWjC

It's also not tagged when not whitelisted, and I hoped someone had
some ideas on what further can be done to block it.

Complicating things, it's in Italian.

I've reported it to MailChimp and also removed mailchimp (mcdlv.net
and rsgsv.net) from the local whitelist.

Re: MailChimp with link to javascript/zip malware

Posted by "Anne P. Mitchell Esq." <am...@isipp.com>.
Sorry for top-posting, but just to let folks know, our contact has just let me know that he is on this; I'll report back with anything I hear that I can share.

Anne
 
> 
> Hi,
> 
>>> Another email from a whitelisted mailchimp address that contains malware.
>>> 
>>> https://pastebin.com/ay83iWjC
>>> 
>>> It's also not tagged when not whitelisted, and I hoped someone had
>>> some ideas on what further can be done to block it.
>>> 
>>> Complicating things, it's in Italian.
>>> 
>>> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
>>> and rsgsv.net) from the local whitelist.
>> 
>> Alex, may I share this, confidentially and directly, with our abuse czar contact at Mailchimp?
> 
> Yes, sure, feel free to send them the pastebin.com link above, or
> contact me directly for more details and I'd be happy to help.
> 
>> And if so, can you please give me the spammer's from address?
> 
> Yes, it's listed in the pastebin post above as info@scria.org.au.
> 
> Thanks, Anne, it's good to have you on this list.
> 
> Antony Stone wrote:
>> I'm intrigued as to what the "Esq." in your From address indicates?
> 
> In the US, it means she's an attorney.
> 
> Thanks,
> Alex



Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

>> Another email from a whitelisted mailchimp address that contains malware.
>>
>> https://pastebin.com/ay83iWjC
>>
>> It's also not tagged when not whitelisted, and I hoped someone had
>> some ideas on what further can be done to block it.
>>
>> Complicating things, it's in Italian.
>>
>> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
>> and rsgsv.net) from the local whitelist.
>
> Alex, may I share this, confidentially and directly, with our abuse czar contact at Mailchimp?

Yes, sure, feel free to send them the pastebin.com link above, or
contact me directly for more details and I'd be happy to help.

> And if so, can you please give me the spammer's from address?

Yes, it's listed in the pastebin post above as info@scria.org.au.

Thanks, Anne, it's good to have you on this list.

Antony Stone wrote:
> I'm intrigued as to what the "Esq." in your From address indicates?

In the US, it means she's an attorney.

Thanks,
Alex

Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

Posted by G Roach <gr...@yahoo.com>.
 Here you go:  https://www.google.co.uk/search?q=what+is+esq+after+a+lawyer%27s+name

On 20 October 2017 18:44:15 BST, Antony Stone <An...@spamassassin.open.source.it> wrote:
>On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
>
>> Anne P. Mitchell,
>> Attorney at Law
>
>I'm intrigued as to what the "Esq." in your From address indicates?
>
>Please feel free to reply offlist if appropriate.
>
>Thanks,
>
>
>Antony.
>
>-- 
>90% of networking problems are routing problems.
>9 of the remaining 10% are routing problems in the other direction.
>The remaining 1% might be something else, but check the routing anyway.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

Posted by Groach <gr...@yahoo.com>.
Usually Esquire is a title used in American Law.

 (I'm sure Google has more details.)

On 20 October 2017 18:44:15 BST, Antony Stone <An...@spamassassin.open.source.it> wrote:
>On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
>
>> Anne P. Mitchell,
>> Attorney at Law
>
>I'm intrigued as to what the "Esq." in your From address indicates?
>
>Please feel free to reply offlist if appropriate.
>
>Thanks,
>
>
>Antony.
>
>-- 
>90% of networking problems are routing problems.
>9 of the remaining 10% are routing problems in the other direction.
>The remaining 1% might be something else, but check the routing anyway.

Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Friday 20 October 2017 at 19:54:08, Anne P. Mitchell Esq. wrote:

> > On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
> >> Anne P. Mitchell,
> >> Attorney at Law
> > 
> > I'm intrigued as to what the "Esq." in your From address indicates?
> 
> In the U.S., Esq. (short for 'Esquire') means specifically a person who has
> been admitted to the practice of law and who is permitted to represent
> clients

Aha - thank you for that explanation.

I speak British English, and here the word has a quite different meaning, 
specifically relating to men only - hence my confusion when seeing it used by 
someone called Anne :)

See the first paragraph of https://en.wikipedia.org/wiki/Esquire


Thanks,


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

Posted by "Anne P. Mitchell Esq." <am...@isipp.com>.
 
> 
> On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
> 
>> Anne P. Mitchell,
>> Attorney at Law
> 
> I'm intrigued as to what the "Esq." in your From address indicates?
> 
> Please feel free to reply offlist if appropriate.

In the U.S., Esq. (short for 'Esquire') means specifically a person who has been admitted to the practice of law and who is permitted to represent clients (as compared to having completed law school but not being admitted to practice law - in which case the person can/will put "J.D." (for juris doctor) after their name). That said, there are attorneys who are admitted to practice law, and who still use J.D., so you can't really be sure whether someone with J.D. after their name is admitted to practice law or not, while Esq. denotes definitively that the person is allowed to practice and represent clients. :-)

Anne

Anne P. Mitchell, 
Attorney at Law
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Elevations Credit Union Member Council
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop




Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:

> Anne P. Mitchell,
> Attorney at Law

I'm intrigued as to what the "Esq." in your From address indicates?

Please feel free to reply offlist if appropriate.

Thanks,


Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Re: MailChimp Update (Was Re: MailChimp with link to javascript/zip malware)

Posted by Rupert Gallagher <ru...@protonmail.com>.
They did not respond to the key problems: they still allow their systems to host zipped malware, they allow their clients to upload it, they allow the delivery of mass mail with a link to their hosted malware. These three problems are still in place. Stopping specific clients will not prevent future damage. Finally, the recipients who are now dealing with the MailChimp-hosted ransomware should class-action against it, and make MailChimp pay through the nose.

Sent from ProtonMail Mobile

On Fri, Oct 20, 2017 at 10:38 PM, Anne P. Mitchell Esq. <am...@isipp.com> wrote:

> MailChimp has said that they believe that they have terminated all accounts that were responsible for this.  BUT, they say, this is a group that keeps cropping up (think whack-a-mole), so to please report any more of these that anyone receives.
>
> Anne
>
> Anne P. Mitchell,
> Attorney at Law
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Legal Counsel: The CyberGreen Institute
> Member, Cal. Bar Cyberspace Law Committee
> Member, Colorado Cyber Committee
> Member, Elevations Credit Union Member Council
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop

MailChimp Update (Was Re: MailChimp with link to javascript/zip malware)

Posted by "Anne P. Mitchell Esq." <am...@isipp.com>.
MailChimp has said that they believe that they have terminated all accounts that were responsible for this.  BUT, they say, this is a group that keeps cropping up (think whack-a-mole), so to please report any more of these that anyone receives.

Anne

Anne P. Mitchell, 
Attorney at Law
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Elevations Credit Union Member Council
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop


Re: MailChimp with link to javascript/zip malware

Posted by Rupert Gallagher <ru...@protonmail.com>.
The address "info@scria.org.au" may not be directly responsible for the hack.

You need a forensic report from someone who has access to a recipient's server log.

R

Sent from ProtonMail Mobile

On Fri, Oct 20, 2017 at 7:29 PM, Anne P. Mitchell Esq. <am...@isipp.com> wrote:

>> Hi,
>>
>> Another email from a whitelisted mailchimp address that contains malware.
>>
>> https://pastebin.com/ay83iWjC
>>
>> It's also not tagged when not whitelisted, and I hoped someone had
>> some ideas on what further can be done to block it.
>>
>> Complicating things, it's in Italian.
>>
>> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
>> and rsgsv.net) from the local whitelist.
>
> Alex, may I share this, confidentially and directly, with our abuse czar contact at Mailchimp?
>
> And if so, can you please give me the spammer's from address?
>
> Anne
>
> Anne P. Mitchell,
> Attorney at Law
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Legal Counsel: The CyberGreen Institute
> Member, Cal. Bar Cyberspace Law Committee
> Member, Colorado Cyber Committee
> Member, Elevations Credit Union Member Council
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop

Re: MailChimp with link to javascript/zip malware

Posted by "Anne P. Mitchell Esq." <am...@isipp.com>.
 
> 
> Hi,
> 
> Another email from a whitelisted mailchimp address that contains malware.
> 
> https://pastebin.com/ay83iWjC
> 
> It's also not tagged when not whitelisted, and I hoped someone had
> some ideas on what further can be done to block it.
> 
> Complicating things, it's in Italian.
> 
> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
> and rsgsv.net) from the local whitelist.

Alex, may I share this, confidentially and directly, with our abuse czar contact at Mailchimp?

And if so, can you please give me the spammer's from address?

Anne

Anne P. Mitchell, 
Attorney at Law
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Elevations Credit Union Member Council
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop


Re: MailChimp with link to javascript/zip malware

Posted by Rupert Gallagher <ru...@protonmail.com>.
We have a server-side filter that drops MC into "/Junk/massmail/", being a folder we train people to ignore, unless they are looking for something specific. We do reject any massmail that links to scripts or zipped stuff. Blacklists and whitelists play no role whatsoever here.

Sent from ProtonMail Mobile

On Tue, Oct 17, 2017 at 9:14 PM, Alex <my...@gmail.com> wrote:

> Hi,
>
> Another email from a whitelisted mailchimp address that contains malware.
>
> https://pastebin.com/ay83iWjC
>
> It's also not tagged when not whitelisted, and I hoped someone had
> some ideas on what further can be done to block it.
>
> Complicating things, it's in Italian.
>
> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
> and rsgsv.net) from the local whitelist.

Re: MailChimp with link to javascript/zip malware

Posted by Rupert Gallagher <ru...@protonmail.com>.
MailChimp allows their clients to send links to MailChimp-hosted zipped malware. This is negligence at best, criminal at worst.

Sent from ProtonMail Mobile

On Thu, Oct 19, 2017 at 10:00 PM, David Jones <dj...@ena.com> wrote:

> On 10/19/2017 02:38 PM, Alex wrote:
>> Hi,
>>
>> On Thu, Oct 19, 2017 at 12:32 PM, Alex <my...@gmail.com> wrote:
>>> Hi,
>>>
>>> On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald <h....@thelounge.net> wrote:
>>>> On 19.10.2017 at 16:50, Alex wrote:
>>>>> My bayes is trained such that most marketing emails are bayes99. I've
>>>>> also now removed mcsv.net from the whitelist and see it resulted in 70
>>>>> messages from mcsv.net being caught today, all of which were from
>>>>> marketing@ or news@ or similar accounts from sites like
>>>>> news@firma.agency
>>>>
>>>> well, your users will be grateful when you use a biased bayes and reject
>>>> their subscribed newsletters - "bayes is trained such that most marketing
>>>> emails are bayes99" is idiotic - the only question for training is SPAM OR
>>>> NOT SPAM and if you are not 100% sure don't train a sample at all
>>>
>>> And yet, it would have stopped the email in question. It also relies
>>> on other ham rules to subtract points or trusted senders to be
>>> whitelisted. I'm also not convinced all of these are opt-in in the
>>> first place.
>>
>> Third day, third set of false-negatives (20 this time) whitelisted
>> through mailchimp
>>
>> https://pastebin.com/6vkxNXxX
>>
>> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
>> tagged properly without the whitelisting.
>
> Are all of the recipients the same for the past 3 sets of junk mail?
>
> Are you reporting these to the mailchimp abuse link?  I have generally had
> good results with the major mass marketers like Mailchimp handling their
> rogue customers and blocking the account.  If you report this, then it helps
> all of us.  Blocking things locally only helps your recipients.
>
> You can also safely unsubscribe those senders and provide feedback to
> Mailchimp that you never subscribed to that email.  Enough strikes will get
> that sender blocked by Mailchimp.
>
> --
> David Jones

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Oct 19, 2017 at 4:00 PM, David Jones <dj...@ena.com> wrote:
> On 10/19/2017 02:38 PM, Alex wrote:
>>
>> Hi,
>>
>> On Thu, Oct 19, 2017 at 12:32 PM, Alex <my...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald <h....@thelounge.net>
>>> wrote:
>>>>
>>>> On 19.10.2017 at 16:50, Alex wrote:
>>>>>
>>>>>
>>>>> My bayes is trained such that most marketing emails are bayes99. I've
>>>>> also now removed mcsv.net from the whitelist and see it resulted in 70
>>>>> messages from mcsv.net being caught today, all of which were from
>>>>> marketing@ or news@ or similar accounts from sites like
>>>>> news@firma.agency
>>>>
>>>>
>>>> well, your users will be grateful when you use a biased bayes and reject
>>>> their subscribed newsletters - "bayes is trained such that most marketing
>>>> emails are bayes99" is idiotic - the only question for training is SPAM OR
>>>> NOT SPAM and if you are not 100% sure don't train a sample at all
>>>
>>>
>>> And yet, it would have stopped the email in question. It also relies
>>> on other ham rules to subtract points or trusted senders to be
>>> whitelisted. I'm also not convinced all of these are opt-in in the
>>> first place.
>>
>>
>> Third day, third set of false-negatives (20 this time) whitelisted
>> through mailchimp
>>
>> https://pastebin.com/6vkxNXxX
>>
>> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
>> tagged properly without the whitelisting.
>>
>
> Are all of the recipients the same for the past 3 sets of junk mail?
>
> Are you reporting these to the mailchimp abuse link?  I have generally had
> good results with the major mass marketers like Mailchimp handling their
> rogue customers and blocking the account.  If you report this, then it helps
> all of us.  Blocking things locally only helps your recipients.
>
> You can also safely unsubscribe those senders and provide feedback to
> Mailchimp that you never subscribed to that email.  Enough strikes will get
> that sender blocked by Mailchimp.

Yes, as I wrote in a previous message, I've reported all of these to
mailchimp. Nonetheless, it's not good enough. These are separate users
involved. My users (admins, support people) only see it as receiving
multiple similar spams over three days and wonder why we're unable to
stop them. Whitelisting mailchimp is a bad idea.

And none of this helps to stop these messages that still aren't
currently being blocked by spamassassin proper.

Re: MailChimp with link to javascript/zip malware

Posted by David Jones <dj...@ena.com>.
On 10/19/2017 02:38 PM, Alex wrote:
> Hi,
> 
> On Thu, Oct 19, 2017 at 12:32 PM, Alex <my...@gmail.com> wrote:
>> Hi,
>>
>> On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald <h....@thelounge.net> wrote:
>>> On 19.10.2017 at 16:50, Alex wrote:
>>>>
>>>> My bayes is trained such that most marketing emails are bayes99. I've
>>>> also now removed mcsv.net from the whitelist and see it resulted in 70
>>>> messages from mcsv.net being caught today, all of which were from
>>>> marketing@ or news@ or similar accounts from sites like
>>>> news@firma.agency
>>>
>>> well, your users will be grateful when you use a biased bayes and reject
>>> their subscribed newsletters - "bayes is trained such that most marketing
>>> emails are bayes99" is idiotic - the only question for training is SPAM OR NOT
>>> SPAM and if you are not 100% sure don't train a sample at all
>>
>> And yet, it would have stopped the email in question. It also relies
>> on other ham rules to subtract points or trusted senders to be
>> whitelisted. I'm also not convinced all of these are opt-in in the
>> first place.
> 
> Third day, third set of false-negatives (20 this time) whitelisted
> through mailchimp
> 
> https://pastebin.com/6vkxNXxX
> 
> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
> tagged properly without the whitelisting.
> 

Are all of the recipients the same for the past 3 sets of junk mail?

Are you reporting these to the mailchimp abuse link?  I have generally 
had good results with the major mass marketers like Mailchimp handling 
their rogue customers and blocking the account.  If you report this, 
then it helps all of us.  Blocking things locally only helps your 
recipients.

You can also safely unsubscribe those senders and provide feedback to 
Mailchimp that you never subscribed to that email.  Enough strikes will 
get that sender blocked by Mailchimp.

-- 
David Jones

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
>> Why wouldn't you just run the sample I provided through spamassassin
>> again?
>
> 1. I have no way of knowing what your LOCAL configuration is but I'm certain
> that it is substantially unlike any I would put into production use. It
> includes rules not in the standard set, short-circuits at least one rule,
> and appears to have both Bayes and AWL/TxRep disabled.

That is all the result of the whitelisting. Next time I'll submit it
after having passed it through -d.

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Oct 19, 2017 at 10:35 PM, Bill Cole
<sa...@billmail.scconsult.com> wrote:
> On 19 Oct 2017, at 21:15 (-0400), Alex wrote:
>
>> Why wouldn't you just run the sample I provided through spamassassin
>> again?
>
>
> 1. I have no way of knowing what your LOCAL configuration is but I'm certain
> that it is substantially unlike any I would put into production use. It
> includes rules not in the standard set, short-circuits at least one rule,
> and appears to have both Bayes and AWL/TxRep disabled.
>
> 2. I don't know if it is justifiable, but the munging of that message makes
> it problematic to run as-is.
>
> I wish you success with working out a solution for detecting this spam.

I wanted to add that sometimes things aren't completely clear in
email, and didn't want to sound ungrateful, so yes, thank you for your
help.

Re: MailChimp with link to javascript/zip malware

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 19 Oct 2017, at 21:15 (-0400), Alex wrote:

> Why wouldn't you just run the sample I provided through spamassassin 
> again?

1. I have no way of knowing what your LOCAL configuration is but I'm 
certain that it is substantially unlike any I would put into production 
use. It includes rules not in the standard set, short-circuits at least 
one rule, and appears to have both Bayes and AWL/TxRep disabled.

2. I don't know if it is justifiable, but the munging of that message 
makes it problematic to run as-is.

I wish you success with working out a solution for detecting this spam.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole

Re: MailChimp with link to javascript/zip malware

Posted by David Jones <dj...@ena.com>.
On 10/19/2017 08:15 PM, Alex wrote:
> On Thu, Oct 19, 2017 at 6:22 PM, Bill Cole
> <sa...@billmail.scconsult.com> wrote:
>> On 19 Oct 2017, at 17:59 (-0400), Alex wrote:
>>
>>> Hi,
>>>
>>> On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole
>>> <sa...@billmail.scconsult.com> wrote:
>>>>
>>>> On 19 Oct 2017, at 15:38 (-0400), Alex wrote:
>>>>
>>>>> Third day, third set of false-negatives (20 this time) whitelisted
>>>>> through mailchimp
>>>>>
>>>>> https://pastebin.com/6vkxNXxX
>>>>>
>>>>> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
>>>>> tagged properly without the whitelisting.
>>>>
>>>>
>>>>
>>>> That one hit USER_IN_SPF_WHITELIST, so you're still whitelisting it. Did
>>>> you
>>>> restart amavisd after changing the rules?
>>>
>>>
>>> As I mentioned just above the link in this message, yes, the domain
>>> was whitelisted. I've since removed it from the whitelist, but the
>>> email still is not tagged by spamassassin.
>>
>>
>> So, do you have an example of a message that didn't hit
>> USER_IN_SPF_WHITELIST? One you got AFTER removing your whitelisting rule?
>> I ask because the sample message also shows a SHORTCIRCUIT hit, which is
>> probably due to your USER_IN_SPF_WHITELIST rule being short-circuited but
>> maybe due to something else. SHORTCIRCUIT does as it is documented to do: if
>> there are pending DNS queries for evil URLs in a message when a
>> short-circuited rule is hit, their answers are ignored.
> 
> Why wouldn't you just run the sample I provided through spamassassin again?
> 
> My apologies if it wasn't clear that I've run the message through
> spamassassin after having removed mailchimp from the whitelist and it
> still is not properly tagged as spam. I've reported all of them to
> mailchimp and added some basic body rules that are specific to this
> message, but it seems to me this represents a larger problem.
> 
> There were others received that were tagged properly and not
> whitelisted because they involved my specific body rules.
> 

If I remove my whitelisting and other rules based on trusting MailChimp, 
I get a score of 7.8 mostly because of local rules that don't trust 
FREEMAIL senders.  If a FREEMAIL sender hits anything like DCC, Razor, 
Pyzor, high percentage Bayes, and other bad content rules, I amplify 
those rule scores a bit with meta rules.

From my experience, trying to maintain specific body rules for each new 
spam campaign is going to be very time consuming and always behind the 
spammers.

-- 
David Jones
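Two of the approaches discussed in this thread, Rupert Gallagher's rejecting of bulk mail that links to scripts or zipped files and David Jones's meta rules that give FREEMAIL senders extra weight when they also hit content rules, written out as SpamAssassin local.cf fragments, together with the narrower alternative to whitelisting a whole ESP that the false negatives above argue for. This is an added example, not configuration posted by anyone in the thread; the LOCAL_* rule names, the example.org sender and the score values are assumptions, while FREEMAIL_FROM, BAYES_99, DCC_CHECK, RAZOR2_CHECK, PYZOR_CHECK and USER_IN_SPF_WHITELIST are stock SpamAssassin rule names.

```text
# Added example, not from the thread. Rule names beginning with LOCAL_ and
# the example.org sender are hypothetical; scores are starting points.

# --- 1. Don't whitelist the whole ESP --------------------------------------
# This is the kind of setting behind the false negatives in the thread: every
# Mailchimp customer passes SPF for the shared sending domains, so every
# customer is whitelisted, and USER_IN_SPF_WHITELIST (-100 by default) swamps
# any rule that does fire on the message.
#   whitelist_from_spf *@*.mcsv.net
# Whitelist the senders you actually want instead, matched on both the From
# address and the relay that handed you the mail (the second argument is
# matched against the relay's reverse DNS, assumed here to end in mcsv.net):
whitelist_from_rcvd newsletter@example.org mcsv.net

# --- 2. Flag bulk mail that links straight to an archive or script ----------
# Campaign mail carries List-Unsubscribe; a newsletter has no business linking
# directly to a .zip or a script file. The lookbehind keeps the "//" of the
# scheme from counting as the start of a path, so a bare host such as
# http://foo.zip does not match; only a path component does.
header   __LOCAL_BULK_UNSUB      exists:List-Unsubscribe
uri      __LOCAL_URI_ARCHIVE     /(?<!\/)\/[^\/?#\s]+\.(?:zip|rar|7z|js|jse|vbs|wsf)(?:[?#]|$)/i
meta     LOCAL_BULK_LINKS_ARCHIVE  (__LOCAL_BULK_UNSUB && __LOCAL_URI_ARCHIVE)
describe LOCAL_BULK_LINKS_ARCHIVE  Bulk mail linking directly to an archive or script download
score    LOCAL_BULK_LINKS_ARCHIVE  4.0
# Caveat: if the ESP rewrites links through its click tracker, the final
# extension is not visible in the message and this rule stays silent.

# --- 3. Amplify other bad signals for FREEMAIL senders ----------------------
# Rather than a hand-written body rule per campaign, add weight when a webmail
# From address coincides with a fingerprint (DCC/Razor/Pyzor) or Bayes hit.
meta     LOCAL_FREEMAIL_BADCONTENT  (FREEMAIL_FROM && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK || BAYES_99))
describe LOCAL_FREEMAIL_BADCONTENT  Freemail sender also hit a content-fingerprint or Bayes rule
score    LOCAL_FREEMAIL_BADCONTENT  2.0
```

Check the result with `spamassassin --lint` before reloading, and remember that amavisd (or spamd) has to be restarted for the change to take effect, as Bill Cole's question above points out.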

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
On Thu, Oct 19, 2017 at 6:22 PM, Bill Cole
<sa...@billmail.scconsult.com> wrote:
> On 19 Oct 2017, at 17:59 (-0400), Alex wrote:
>
>> Hi,
>>
>> On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole
>> <sa...@billmail.scconsult.com> wrote:
>>>
>>> On 19 Oct 2017, at 15:38 (-0400), Alex wrote:
>>>
>>>> Third day, third set of false-negatives (20 this time) whitelisted
>>>> through mailchimp
>>>>
>>>> https://pastebin.com/6vkxNXxX
>>>>
>>>> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
>>>> tagged properly without the whitelisting.
>>>
>>>
>>>
>>> That one hit USER_IN_SPF_WHITELIST, so you're still whitelisting it. Did
>>> you
>>> restart amavisd after changing the rules?
>>
>>
>> As I mentioned just above the link in this message, yes, the domain
>> was whitelisted. I've since removed it from the whitelist, but the
>> email still is not tagged by spamassassin.
>
>
> So, do you have an example of a message that didn't hit
> USER_IN_SPF_WHITELIST? One you got AFTER removing your whitelisting rule?
> I ask because the sample message also shows a SHORTCIRCUIT hit, which is
> probably due to your USER_IN_SPF_WHITELIST rule being short-circuited but
> maybe due to something else. SHORTCIRCUIT does as it is documented to do: if
> there are pending DNS queries for evil URLs in a message when a
> short-circuited rule is hit, their answers are ignored.

Why wouldn't you just run the sample I provided through spamassassin again?

My apologies if it wasn't clear that I've run the message through
spamassassin after having removed mailchimp from the whitelist and it
still is not properly tagged as spam. I've reported all of them to
mailchimp and added some basic body rules that are specific to this
message, but it seems to me this represents a larger problem.

There were others received that were tagged properly and not
whitelisted because they involved my specific body rules.

Re: MailChimp with link to javascript/zip malware

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 19 Oct 2017, at 17:59 (-0400), Alex wrote:

> Hi,
>
> On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole
> <sa...@billmail.scconsult.com> wrote:
>> On 19 Oct 2017, at 15:38 (-0400), Alex wrote:
>>
>>> Third day, third set of false-negatives (20 this time) whitelisted
>>> through mailchimp
>>>
>>> https://pastebin.com/6vkxNXxX
>>>
>>> I had removed the mcsv.net but forgot mcdlv.net. It's still not 
>>> being
>>> tagged properly without the whitelisting.
>>
>>
>> That one hit USER_IN_SPF_WHITELIST, so you're still whitelisting it. 
>> Did you
>> restart amavisd after changing the rules?
>
> As I mentioned just above the link in this message, yes, the domain
> was whitelisted. I've since removed it from the whitelist, but the
> email still is not tagged by spamassassin.

So, do you have an example of a message that didn't hit 
USER_IN_SPF_WHITELIST? One you got AFTER removing your whitelisting 
rule?
I ask because the sample message also shows a SHORTCIRCUIT hit, which is 
probably due to your USER_IN_SPF_WHITELIST rule being short-circuited 
but maybe due to something else. SHORTCIRCUIT does as it is documented 
to do: if there are pending DNS queries for evil URLs in a message when 
a short-circuited rule is hit, their answers are ignored.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole
<sa...@billmail.scconsult.com> wrote:
> On 19 Oct 2017, at 15:38 (-0400), Alex wrote:
>
>> Third day, third set of false-negatives (20 this time) whitelisted
>> through mailchimp
>>
>> https://pastebin.com/6vkxNXxX
>>
>> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
>> tagged properly without the whitelisting.
>
>
> That one hit USER_IN_SPF_WHITELIST, so you're still whitelisting it. Did you
> restart amavisd after changing the rules?

As I mentioned just above the link in this message, yes, the domain
was whitelisted. I've since removed it from the whitelist, but the
email still is not tagged by spamassassin.

Re: MailChimp with link to javascript/zip malware

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 19 Oct 2017, at 15:38 (-0400), Alex wrote:

> Third day, third set of false-negatives (20 this time) whitelisted
> through mailchimp
>
> https://pastebin.com/6vkxNXxX
>
> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
> tagged properly without the whitelisting.

That one hit USER_IN_SPF_WHITELIST, so you're still whitelisting it. Did 
you restart amavisd after changing the rules?


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Oct 19, 2017 at 12:32 PM, Alex <my...@gmail.com> wrote:
> Hi,
>
> On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald <h....@thelounge.net> wrote:
>> On 19.10.2017 at 16:50, Alex wrote:
>>>
>>> My bayes is trained such that most marketing emails are bayes99. I've
>>> also now removed mcsv.net from the whitelist and see it resulted in 70
>>> messages from mcsv.net being caught today, all of which were from
>>> marketing@ or news@ or similar accounts from sites like
>>> news@firma.agency
>>
>> well, your users will be grateful when you use a biased bayes and reject
>> their subscribed newsletters - "bayes is trained such that most marketing
>> emails are bayes99" is idiotic - the only question for training is SPAM OR NOT
>> SPAM and if you are not 100% sure don't train a sample at all
>
> And yet, it would have stopped the email in question. It also relies
> on other ham rules to subtract points or trusted senders to be
> whitelisted. I'm also not convinced all of these are opt-in in the
> first place.

Third day, third set of false-negatives (20 this time) whitelisted
through mailchimp

https://pastebin.com/6vkxNXxX

I had removed the mcsv.net but forgot mcdlv.net. It's still not being
tagged properly without the whitelisting.

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Oct 19, 2017 at 10:54 AM, Reindl Harald <h....@thelounge.net> wrote:
> Am 19.10.2017 um 16:50 schrieb Alex:
>>
>> My bayes is trained such that most marketing emails are bayes99. I've
>> also now removed mcsv.net from the whitelist and see it resulted in 70
>> messages from mcsv.net being caught today, all of which were from
>> marketing@ or news@ or similar accounts from sites like
>> news@firma.agency
>
> well, your users will be grateful when you use a biased bayes and reject
> their subscribed newsletters - "bayes is trained such that most marketing
> emails are bayes99" is idiotic - the only question for training is SPAM OR NOT
> SPAM and if you are not 100% sure don't train a sample at all

And yet, it would have stopped the email in question. It also relies
on other ham rules to subtract points or trusted senders to be
whitelisted. I'm also not convinced all of these are opt-in in the
first place.

Re: MailChimp with link to javascript/zip malware

Posted by Alex <my...@gmail.com>.
Hi,

>> Another email from a whitelisted mailchimp address that contains malware.
>>
>> https://pastebin.com/ay83iWjC
>>
>> It's also not tagged when not whitelisted, and I hoped someone had
>> some ideas on what further can be done to block it.
>>
>> Complicating things, it's in Italian.
>>
>> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
>> and rsgsv.net) from the local whitelist.
>>
>
> How did Mailchimp respond to your abuse report?  If they quickly handled it,
> then I see no need to remove them from the local whitelist.  They have a
> serious interest to keep their reputation intact so they should handle this
> rogue customer of theirs quickly.
>
> IMHO, there is more benefit from the whitelist entry versus all of the FPs
> you will get with it removed.  I wouldn't say this for all senders but there
> are a few major senders like Mailchimp, Sendgrid, Constantcontact, Mailgun,
> etc. that I would leave in since they quickly handle abuse reports.

The problem is that it went to a distribution list of at least 80
people, including senior execs. It remains that this message was spam
and should have been tagged with default SA rules but was not :-(

It certainly represents a significant amount of email. This time
MailChimp said they were investigating. Previously they had said that
it required only the original recipient of the message to file the
report.

My bayes is trained such that most marketing emails are bayes99. I've
also now removed mcsv.net from the whitelist and see it resulted in 70
messages from mcsv.net being caught today, all of which were from
marketing@ or news@ or similar accounts from sites like
news@firma.agency.

I'm also concerned about the SPF record for mcsv.net:

mail89.sea31.mcsv.net.  14742   IN      TXT     "v=spf1
ip4:148.105.11.89 include:spf.mandrillapp.com ?all"

?all ??? Really?

 *  0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
 *      [mail37.sea31.mcsv.net TXT:v=spf1]
 [ip4:148.105.11.37 include:spf.mandrillapp.com]
 [?all]

It looks like their rsgsv.net server also has an "i dunno, just
accept" SPF entry:

 0.5 JMQ_SPF_NEUTRAL_ALL    ASKDNS: SPF set to ?all!
                            [mail40.atl51.rsgsv.net TXT:v=spf1]
                            [ip4:205.201.135.40 include:spf.mandrillapp.com]
                            [?all]


How can mailchimp have such a lax SPF record?
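
The "?all" point above is what the JMQ_SPF_NEUTRAL_ALL hits are flagging: a record whose catch-all says "neutral" never tells a receiver that an unlisted host is unauthorised. The following is an added example (not code from the thread, from SpamAssassin, or from the JMQ ruleset) that parses an SPF TXT string, reports the policy its "all" term expresses, and adds a 0.5 score for neutral or pass catch-alls, the same weight the quoted rule hits show; treating that weight as the rule's intent is an assumption. The sample set reuses the two records quoted above and adds constructed variants for the other qualifiers.

```python
import re

# Sample set: the two records quoted in this thread plus constructed
# variants covering the other "all" qualifiers and the redirect= case.
SAMPLE_RECORDS = {
    "mail89.sea31.mcsv.net": "v=spf1 ip4:148.105.11.89 include:spf.mandrillapp.com ?all",
    "mail40.atl51.rsgsv.net": "v=spf1 ip4:205.201.135.40 include:spf.mandrillapp.com ?all",
    "strict.example.test": "v=spf1 ip4:192.0.2.10 -all",          # constructed
    "soft.example.test": "v=spf1 include:_spf.example.test ~all",  # constructed
    "open.example.test": "v=spf1 +all",                             # constructed
    "redir.example.test": "v=spf1 redirect=_spf.example.test",     # constructed
}

# Qualifier prefix -> SPF result it yields when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 string into a list of (qualifier, mechanism) tuples
    plus a dict of modifiers (redirect=, exp=). Raises ValueError if the
    text is not a version-1 SPF record."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record: %r" % record)
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        # Modifiers have the form name=value and never carry a qualifier.
        m = re.fullmatch(r"([a-zA-Z][\w.-]*)=(.*)", term)
        if m:
            modifiers[m.group(1).lower()] = m.group(2)
            continue
        qualifier = "+"          # an unprefixed mechanism means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term.lower()))
    return mechanisms, modifiers


def all_policy(record):
    """What the record says about a sending host that matches nothing else:
    'pass', 'fail', 'softfail', 'neutral' or 'redirect' (delegated to the
    domain named by redirect=)."""
    mechanisms, modifiers = parse_spf(record)
    for qualifier, mech in mechanisms:
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
    if "redirect" in modifiers:
        return "redirect"
    # RFC 7208 section 4.7: no match and no redirect evaluates to neutral,
    # exactly as if "?all" had been written.
    return "neutral"


def lax_all_score(record, score=0.5):
    """Score added when the catch-all is neutral or pass, i.e. when the
    domain declines to mark unlisted hosts as unauthorised. The 0.5 default
    mirrors the JMQ_SPF_NEUTRAL_ALL hits quoted in the thread (assumption)."""
    return score if all_policy(record) in ("neutral", "pass") else 0.0


def audit(records):
    """Map host -> (catch-all policy, score) for a dict of host -> TXT."""
    return {host: (all_policy(rec), lax_all_score(rec))
            for host, rec in records.items()}


if __name__ == "__main__":
    for host, (policy, score) in audit(SAMPLE_RECORDS).items():
        print("%-26s all=%-9s score=%.1f" % (host, policy, score))
```

Run against a live record, the TXT string would come from a DNS lookup of the HELO host (as the askdns output above shows); here it is embedded so the check runs offline. Note that a record with no "all" term and no redirect= is scored the same as an explicit "?all", because RFC 7208 evaluates both to neutral.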

Re: MailChimp with link to javascript/zip malware

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 17 Oct 2017, at 15:42, David Jones wrote:

> How did Mailchimp respond to your abuse report?  If they quickly 
> handled it, then I see no need to remove them from the local 
> whitelist.  They have a serious interest to keep their reputation 
> intact so they should handle this rogue customer of theirs quickly.
>
> IMHO, there is more benefit from the whitelist entry versus all of the 
> FPs you will get with it removed.  I wouldn't say this for all senders 
> but there are a few major senders like Mailchimp, Sendgrid, 
> Constantcontact, Mailgun, etc. that I would leave in since they 
> quickly handle abuse reports.

That's highly site-specific, even user-specific. I would never whitelist 
any of those, since I have direct personal experience with each of them 
blatantly (and in some cases even explicitly) NOT acting on clear, 
polite, properly-targeted, unredacted spam reports of their customers 
hitting "spamtraps" that could not appear legitimately on any mailing 
list. One compliance manager in that set (who is happy to no longer be 
in that role) told me directly in 2015 that large enough customers were 
effectively immune to spam reports because of the way their metrics were 
structured. In that particular case the address being hit repeatedly 
despite complaints was one that could only have been obtained by 
acquiring one of my employer's customers' (or co-workers') address 
books.

With that said, I also have never been in an employer or customer 
environment where I believed any of those needed to be treated with 
greater suspicion than a random unknown sender. None of them would get 
mail through to an untagged address on my personal system, but that's an 
outlier environment.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole

Re: MailChimp with link to javascript/zip malware

Posted by David Jones <dj...@ena.com>.
On 10/17/2017 02:14 PM, Alex wrote:
> Hi,
> 
> Another email from a whitelisted mailchimp address that contains malware.
> 
> https://pastebin.com/ay83iWjC
> 
> It's also not tagged when not whitelisted, and I hoped someone had
> some ideas on what further can be done to block it.
> 
> Complicating things, it's in Italian.
> 
> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
> and rsgsv.net) from the local whitelist.
> 

How did Mailchimp respond to your abuse report?  If they quickly handled 
it, then I see no need to remove them from the local whitelist.  They 
have a serious interest to keep their reputation intact so they should 
handle this rogue customer of theirs quickly.

IMHO, there is more benefit from the whitelist entry versus all of the 
FPs you will get with it removed.  I wouldn't say this for all senders 
but there are a few major senders like Mailchimp, Sendgrid, 
Constantcontact, Mailgun, etc. that I would leave in since they quickly 
handle abuse reports.

-- 
David Jones