Posted to users@spamassassin.apache.org by David <wi...@spam.lublink.net> on 2011/04/04 17:36:26 UTC

Hijacked email accounts

Hello,

I have noticed that recently almost all spam that makes it past my spam 
filters comes from hijacked email accounts. Usually on services like 
hotmail and yahoo (sometimes from .com, sometimes from country-specific 
domains).

I wonder if perhaps a rule in spamassassin should add between 0.5 and 
1.5 to the spam rating when it comes from a free webmail service like 
hotmail and yahoo.

David

Re: Hijacked email accounts

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello darxus@chaosreigns.com,

On 2011-04-04 12:41:24, you hacked down the following:
> On 04/04, Benny Pedersen wrote:
> > freemail_domain hotmail.com
> > freemail_whitelist abuse@hotmail.com
> > freemail_whitelist postmaster@hotmail.com
> 
> SpamAssassin already has 2,133 domains listed via freemail_domain, so you
> shouldn't need to add that part for any domain.  If you do, you should file
> a bug to get it added.
> 
> The rule that goes with this is FREEMAIL_FROM, which has a default score of
> 0.001 (basically nothing), because it hits 21.6% of non-spam (11.4%
> of spam).

I have tried this plugin but it seems not to work...  More than  90%  of
the messages are going through...  and I do not know a single sender!

They are 100% spam and not a single false positive.

So, I reject them on SMTP-Level

> It looks like the way to just penalize a single domain would be:
> blacklist_from *@yahoo.com
> score USER_IN_BLACKLIST 1

Save resources and reject on SMTP-Level from your MTA.

> By default it has a score of 100, which would usually block everything.  
> 
> I was actually doing something with a similar effect, to hotmail for a 
> while.  I recently noticed yahoo is much worse, I think this graph deserves 
> its own post: http://www.chaosreigns.com/dnswl/dnswlabusehistory.svg

:-/

> > The emails to which I refer where sent by email accounts stolen by
> > viruses on computers running Windows.
> I had always assumed the spammers just registered the accounts directly.
> Why do you think they were stolen, by viruses or otherwise?

I do not think people create e-mail accounts with  stupid  names  no  one  can
remember... Most of those names are auto-generated and mostly numbered.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL       itsystems@tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                 Kinzigstraße 17
67100 Strasbourg/France           77694 Kehl/Germany
Tel: +33-6-61925193 mobil         Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Re: Hijacked email accounts

Posted by Jason Bertoch <ja...@i6ix.com>.
On 2011/04/04 12:12 PM, Daniel McDonald wrote:
> Now if I could just find a list of url shorteners that included j.mp ...

DecodeShortURLs plugin from Steve Freegard

http://www.fsl.com/support/DecodeShortURLs.pm
http://www.fsl.com/support/DecodeShortURLs.cf


-- 
/Jason

Re: Hijacked email accounts

Posted by Daniel McDonald <da...@austinenergy.com>.
On 4/4/11 11:03 AM, "David" <wi...@spam.lublink.net> wrote:

> Hello,
> 
> Yahoo doesn't do SPF, and hotmail is still ~all.
> 
> The emails to which I refer were sent by email accounts stolen by
> viruses on computers running Windows.
> 
> The virus steals the password, and sends it to the spammer who then uses
> the account to send out spam.
> 
> So the emails are coming from Hotmail and Yahoo's servers.

I've noticed most of the compromised accounts are exploited from
"elsewhere".  I'm sorry if this rule is US centric, but it appears to work,
somewhat, for me:

# any two-letter code that is not exactly US (a plain character class that
# leaves out S and U would also skip SE, ES, AU, UA and similar codes)
header      RELAY_NOT_US    X-Relay-Countries =~ /\b(?!US\b)[A-Z]{2}\b/
describe    RELAY_NOT_US    Relayed through any country other than the US
score       RELAY_NOT_US    0.01

meta        AE_FOREIGN_FREE    FREEMAIL_FROM && RELAY_NOT_US
describe    AE_FOREIGN_FREE    Freemail that originated somewhere other than the US
score       AE_FOREIGN_FREE    0.5


I also find this to be pretty useful in cleaning out the hacked mail...

meta        AE_SHORT_FREE    FREEMAIL_FROM && (URIBL_DBL_SHORT || URIBL_SU_JMF)
describe    AE_SHORT_FREE    has shortened URL from a freemail account
score       AE_SHORT_FREE    2.0

Now if I could just find a list of url shorteners that included j.mp ...

> 
> David
> 
> On 2011-04-04 11:49, Benny Pedersen wrote:
>>> I wonder if perhaps a rule in spamassassin should add between 0.5 and
>>> 1.5 to the spam rating when it comes from a free webmail service like
>>> hotmail and yahoo.
>> there is already freemail plugin
>> 
>> freemail_domain hotmail.com
>> freemail_whitelist abuse@hotmail.com
>> freemail_whitelist postmaster@hotmail.com
>> 
>> if you know somebody that really is NOT sending spam from a freemail domain,
>> then add more freemail_whitelist
>> 
>> hotmail.com is already listed as freemail, but i just showed how to use it
>> 
>> i have seen this problem before, but i believe that it's not hijacked, more
>> that hotmail does not consider forged senders in their own network, resulting
>> in the recipient seeing it as SPF pass; i verified that the sender did not send
>> this so-called hijacked email
> 

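As an added example (not from the original thread and not SpamAssassin's own code), here is a small Python model of the rules Daniel posted: a constructed subset of the freemail domain list, the character-class regex exactly as posted beside a negative-lookahead variant, and the AE_FOREIGN_FREE meta rule with the scores from his post. The FREEMAIL_DOMAINS set, the header dictionaries and the function names are assumptions made for the illustration; in a real SpamAssassin install the FreeMail and RelayCountry plugins supply these hits and the X-Relay-Countries pseudo-header.

```python
import re

# Scores as posted in the thread (FREEMAIL_FROM's default is 0.001).
SCORES = {"FREEMAIL_FROM": 0.001, "RELAY_NOT_US": 0.01, "AE_FOREIGN_FREE": 0.5}

# Constructed subset standing in for SpamAssassin's freemail_domain list.
FREEMAIL_DOMAINS = frozenset({
    "hotmail.com", "hotmail.fr", "live.com", "msn.com",
    "yahoo.com", "yahoo.fr", "gmail.com",
})

# The regex as posted: any two-letter code built only from letters other
# than S and U.  That excludes US, but also SE, ES, AU, UA and the like.
ORIGINAL_RELAY_NOT_US = re.compile(r"\b[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}\b")

# Negative lookahead: any two-letter code except exactly "US".
FIXED_RELAY_NOT_US = re.compile(r"\b(?!US\b)[A-Z]{2}\b")

_ADDR = re.compile(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$")


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased, or None."""
    m = _ADDR.search(from_header)
    return m.group(2).lower() if m else None


def freemail_from(from_header):
    """Model of FREEMAIL_FROM: the sender domain is on the freemail list."""
    return sender_domain(from_header) in FREEMAIL_DOMAINS


def relay_not_us(relay_countries, pattern=FIXED_RELAY_NOT_US):
    """Model of RELAY_NOT_US applied to the X-Relay-Countries pseudo-header."""
    return pattern.search(relay_countries) is not None


def score_message(headers, pattern=FIXED_RELAY_NOT_US):
    """Return (total score rounded to 3 places, list of rule names that hit)."""
    hits = []
    if freemail_from(headers.get("From", "")):
        hits.append("FREEMAIL_FROM")
    if relay_not_us(headers.get("X-Relay-Countries", ""), pattern):
        hits.append("RELAY_NOT_US")
    # meta AE_FOREIGN_FREE  FREEMAIL_FROM && RELAY_NOT_US
    if "FREEMAIL_FROM" in hits and "RELAY_NOT_US" in hits:
        hits.append("AE_FOREIGN_FREE")
    return round(sum(SCORES[r] for r in hits), 3), hits


# Constructed sample headers (no real messages).
SAMPLES = [
    {"From": "Some One <someone@hotmail.com>", "X-Relay-Countries": "NG US"},
    {"From": "friend@yahoo.com", "X-Relay-Countries": "US"},
    {"From": "someone@live.com", "X-Relay-Countries": "SE"},
    {"From": "bob@example.org", "X-Relay-Countries": "AU"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        orig = score_message(h, ORIGINAL_RELAY_NOT_US)
        fixed = score_message(h, FIXED_RELAY_NOT_US)
        print(f"{h['From']:34} relays={h['X-Relay-Countries']:6} "
              f"posted regex: {orig[0]:<6} lookahead: {fixed[0]:<6} {fixed[1]}")
```

Running it shows where the two regexes part ways: a freemail message relayed only through SE or AU gets just the 0.001 FREEMAIL_FROM hit under the posted character class, because S and U are missing from it, while the lookahead form adds RELAY_NOT_US and the meta rule for every code except US.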

Re: Hijacked email accounts

Posted by David <wi...@spam.lublink.net>.
Hello,

Yahoo doesn't do SPF, and hotmail is still ~all.

The emails to which I refer were sent by email accounts stolen by 
viruses on computers running Windows.

The virus steals the password, and sends it to the spammer who then uses 
the account to send out spam.

So the emails are coming from Hotmail and Yahoo's servers.

David

On 2011-04-04 11:49, Benny Pedersen wrote:
>> I wonder if perhaps a rule in spamassassin should add between 0.5 and
>> 1.5 to the spam rating when it comes from a free webmail service like
>> hotmail and yahoo.
> there is already freemail plugin
>
> freemail_domain hotmail.com
> freemail_whitelist abuse@hotmail.com
> freemail_whitelist postmaster@hotmail.com
>
> if you know somebody that really is NOT sending spam from a freemail domain,
> then add more freemail_whitelist
>
> hotmail.com is already listed as freemail, but i just showed how to use it
>
> i have seen this problem before, but i believe that it's not hijacked, more
> that hotmail does not consider forged senders in their own network, resulting
> in the recipient seeing it as SPF pass; i verified that the sender did not send
> this so-called hijacked email


Re: Hijacked email accounts

Posted by Benny Pedersen <me...@junc.org>.
> I wonder if perhaps a rule in spamassassin should add between 0.5 and 
> 1.5 to the spam rating when it comes from a free webmail service like 
> hotmail and yahoo.

there is already freemail plugin

freemail_domain hotmail.com
freemail_whitelist abuse@hotmail.com
freemail_whitelist postmaster@hotmail.com

if you know somebody that really is NOT sending spam from a freemail domain,
then add more freemail_whitelist

hotmail.com is already listed as freemail, but i just showed how to use it

i have seen this problem before, but i believe that it's not hijacked, more
that hotmail does not consider forged senders in their own network, resulting
in the recipient seeing it as SPF pass; i verified that the sender did not send
this so-called hijacked email


Re: Hijacked email accounts

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Jonas,

On 2011-04-04 17:42:34, you hacked down the following:
> I am seeing the same thing with my systems. Most spam that makes it
> past the filters are from hacked accounts.
> 
> I'm not really sure if punishing all the innocent freemail users is
> the answer?
> It should be relatively easy to do if you want to though.

Since I have no friends with Hotmail, MSN, Live  and  Yahoo  accounts  I
block them on SMTP level with

----[ '/etc/courier/bofh' ]---------
badfrom @invalid.domain
badfrom @example.com
badfrom @example.net
badfrom @example.org
badfrom @test

badfrom @cms-informer.com
badfrom @exemys.com
badfrom @fanbox.com
badfrom @flirtcafe.de
badfrom @gtsc.ae
badfrom @hotmail.co.kr
badfrom @hotmail.com
badfrom @hotmail.cn
badfrom @hotmail.de
badfrom @hotmail.fr
badfrom @idgconnect-direct.com
badfrom @idgconnect-resources.com
badfrom @indosatm2.com
badfrom @indosat.net.id
badfrom @info.com
badfrom @info.gamanetwork.com
badfrom @live.co.kr
badfrom @live.cn
badfrom @live.com
badfrom @live.de
badfrom @live.es
badfrom @live.fr
badfrom @mail.ua
badfrom @msn.com
badfrom @mx.mail.ua
badfrom @myfanbox.com
badfrom @mynet.com
badfrom @newsletter.cyo.fr
badfrom @offersadwind.info
badfrom @online.idgconnectglobal.com
badfrom @service.fr
badfrom @shtyle.fm
badfrom @skoost.com
badfrom @service.com
badfrom @service.fr
badfrom @support.fr
badfrom @vsatplus.com
badfrom @www.eyari.com
badfrom @webmail.fr
badfrom @yahoo.com
badfrom @yahoo.fr

badfrom postmaster@mms.metropcs.net

badfrom administrator@willspc.net
badfrom jonathan.dabonot@hotmail.fr
------------------------------------

This config rejects more than 8000 senders per day...

Note:  It does NOT block messages from those domains sent over lists.

> Med venlig hilsen / Best regards
> Jonas Akrouh Larsen

Thanks, Greetings and nice Day/Evening
    Michelle Konzack


RE: Hijacked email accounts

Posted by Jonas <jo...@vrt.dk>.
Hi David

> -----Original Message-----
> From: David [mailto:wiki.apache.org@spam.lublink.net]
> Sent: 4. april 2011 17:36
> To: users@spamassassin.apache.org
> Subject: Hijacked email accounts
> 
> Hello,
> 
> I have noticed that recently almost all spam that makes it past my spam filters
> comes from hijacked email accounts. Usually on services like hotmail and yahoo
> (sometimes from .com, sometimes from country-specific domains).
> 
> I wonder if perhaps a rule in spamassassin should add between 0.5 and
> 1.5 to the spam rating when it comes from a free webmail service like hotmail
> and yahoo.
> 

I am seeing the same thing with my systems. Most spam that makes it past the filters is from hacked accounts.

I'm not really sure if punishing all the innocent freemail users is the answer?
It should be relatively easy to do if you want to though.


Med venlig hilsen / Best regards
 
Jonas Akrouh Larsen
 
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
 
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:    7020 0978
Web: www.techbiz.dk




RE: Hijacked email accounts

Posted by Brent Kennedy <br...@cfl.rr.com>.
I have also noticed a lot of emails coming from valid domain services.  I
have also noticed many of the stolen accounts are used to authenticate with
my blog posting engine to post spam to my blogs.  It never reaches the blog
because I approve each entry, but it's been happening with increased
frequency.

The truth is, this is not a new trick, it comes and goes.  Your real
protection is in the bayes rules and making sure you do not whitelist a
service like these.

If it helps... to assist with users who have accounts on gmail (or any
domain) who are sending email to internal customers, I apply an outbound
hidden line of text in every email that amounts to code.  If the code is
seen in a reply, the email is given a -100 score, thus reducing false
positives for replied messages.  It also ensures the conversation will most
likely not be interrupted.  It's not 100% all the time since some users'
clients delete replied sections of the email, but it does help.

body BK_RespondedTo /\bxXYyzb262011qa\b/i
score BK_RespondedTo -100.0

I think adding a rule as you suggest will only end up causing more false
positives.

-Brent

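Brent's BK_RespondedTo rule keys on one fixed string, so anyone who has ever received mail from his site holds a token that earns -100 from any sender. The following is an added Python example of the same idea, not Brent's implementation and not a SpamAssassin plugin: the token is an HMAC over the recipient address and the sending date, so a token quoted back from one conversation only verifies for that recipient, and an age window bounds how long it stays valid. SECRET, the rt-prefixed token format, the helper names and the sample bodies are all constructed for this illustration.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed secret for the illustration; a real deployment would keep this
# in a file readable only by the filter and rotate it occasionally.
SECRET = b"constructed-example-secret-do-not-reuse"

# Token format assumed here: "rt" plus 16 hex digits, one word for \b matching.
TOKEN_RE = re.compile(r"\brt[0-9a-f]{16}\b")


def make_token(recipient, day, secret=SECRET):
    """Token bound to the recipient address and the day the mail went out."""
    msg = f"{recipient.strip().lower()}|{day.isoformat()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return "rt" + digest[:16]


def stamp_outbound(body, recipient, day, secret=SECRET):
    """Add the token to an outbound body (as a trailer line; Brent hides his)."""
    return body.rstrip("\n") + "\n\n" + make_token(recipient, day, secret) + "\n"


def reply_token_score(reply_from, body, today, max_age_days=30, secret=SECRET):
    """-100.0 when the body carries a token minted for this sender within the
    window, otherwise 0.0.  A token quoted from someone else's conversation
    does not verify, because the recipient address is part of the HMAC input."""
    found = set(TOKEN_RE.findall(body))
    if not found:
        return 0.0
    for age in range(max_age_days + 1):
        expected = make_token(reply_from, today - timedelta(days=age), secret)
        if any(hmac.compare_digest(t, expected) for t in found):
            return -100.0
    return 0.0


# Constructed exchange: we mail alice on 2011-04-04, she replies two days later
# with our text (and therefore the token) quoted below her answer.
SENT_ON = date(2011, 4, 4)
REPLY_DAY = date(2011, 4, 6)
LATE_DAY = date(2011, 6, 1)   # 58 days on, outside the 30-day window
OUTBOUND = stamp_outbound("Hi Alice,\n\nCan you send the invoice?",
                          "alice@gmail.com", SENT_ON)
REPLY_BODY = "Sure, attached.\n\n" + "\n".join(
    "> " + line for line in OUTBOUND.splitlines())

if __name__ == "__main__":
    print(OUTBOUND)
    print("reply from alice       :", reply_token_score("alice@gmail.com", REPLY_BODY, REPLY_DAY))
    print("same text, other sender:", reply_token_score("mallory@hotmail.com", REPLY_BODY, REPLY_DAY))
    print("alice, but 58 days on  :", reply_token_score("alice@gmail.com", REPLY_BODY, LATE_DAY))
```

The window loop recomputes one HMAC per day of the window, which is cheap; widen max_age_days if long-running threads matter more than replay exposure. Brent's caveat still applies: a client that strips the quoted section from a reply drops the token too, so this is a false-positive reducer, not a substitute for the rest of the scoring.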