Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2017/09/14 18:27:27 UTC

In anyone else getting 325KB spams from contact@cron-job.org?

For about a month now I've been getting about 30 spams a day that are all in 
the range of 325KB in size. This is all in two bogus style tags. The message 
itself is usually just a few links, very often to proffbuilder.com. The 
from address is always a random name, but the email address is very often 
contact@cron-job.org.

Other than being obvious spam, they seem to be set up as though they were 
legitimate commercial mailing list stuff, often containing things like 
contact-id and the like in the links.

Is anyone else seeing these?

        Loren


Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by jdow <jd...@earthlink.net>.
Hm, meant this to go to the list, too. The misdirection is part of why I am so 
quiet on the list, which is why I forget the misbehavior, which reinforces the 
problem when I reenter the list for a discussion. I gotta mess with my 
.procmailrc file to rewrite the headers for SA list emails, I guess. Then I can 
pester people better. {O,o} (Been using SA since the dark ages - before 2.20 if 
I recall correctly.)

The fragment of email probably would not base64 decode. It was a fragment from 
near one of the crossovers in its decorative layout design. This has been going 
on for a long time now. I catch the spams via other tricks. The "from" headings 
seem to be less imaginative than they could be.

Loren's actual problem of them leaking through goes back in history to the 
really old days on a really slow old machine. (Hey - it made over 400 days 
without a reboot during which it was relocated by about 70 miles to a new 
"home".) Back then processing more than 250k was too time consuming for that 
itty bitty machine. It has been replaced. But the .procmailrc recipe still 
included the 250k hard wired in. AND there was no --max-size=xxxx. So I 
corrected these, I thought. Alas I made it --max-size-xxxx thanks to a typo 
probably when blowing my nose thanks to the stuffiness hangover from a 
remarkably short head cold I had.

That is fixed now. But I'm mildly wondering if people are seeing that (real or 
pseudo) base64 junk, in two parts with the real payload, a URL, stuck between them.

{^_^}   Joanne

On 2017-09-14 15:35, Benny Pedersen wrote:
> jdow skrev den 2017-09-15 00:16:
>> On 2017-09-14 14:06, Benny Pedersen wrote:
>>> Dianne Skoll skrev den 2017-09-14 20:38:
>>>
>>>> https://cron-job.org/en/spam-statement/
>>>> They are victims of a joe-job.
>>>
>>> yes, prove that it really is us
>>>
>>> if it goes, it goes
>>
>> Loren's canny enough to not blacklist an address based on the from
>> address. The common element in the messages he's been receiving is a
>> 325 kb payload and that "from" address. I'm sitting in the same room
>> as him on the same network and despite my incoming spam going up to
>> some 75 to 100/day (from 1/4 of that last year) I am not getting those
>> specific spams.
> 
> spamassassin here scans up to 1024K, so this could be the first step for the recipient 
> to make; at least I found that cron-job.org has a valid SPF record to reject forged 
> mails from cron-job in the MTA stage
> 
> but if the envelope sender is random it's not possible to block it in the MTA stage; if 
> that's the case it would make more sense to make a clamav signature for the content of 
> these spams to be rejected in the sendmail/milter stage
> 
> I don't know the exact spam from them, or even seen ham as well
> 
> I myself scan all mails in spampd so no exceptions here
> 
>> I get varying lengths and widely varying subjects and from fields.
>> This is a small extract of the body with its odd visual formatting.
>> (It really shows up if you have line wrapping enabled in a plain text
>> MUA.)
> 
> aha, encoding fails ?
> 
>> QYC9LYOXDU89JN94BBNNV5XED3HBHIJJWPNYTM38GKBBEF52G4T4BO6
>> reny9phehn9n65ibtzjmp8mssof5lq4qkqh5s59l4ezpztqmp1kb8r6c13p
>> SZFCF44OC5IWAUYLFBY8HZE6TCY71DPXYJQLZ2VSLRJLFVSWKP3ERPVK
>> 2o3l61lnch8kfyub9ecnj2uv5oeg1zb2qdmfieeo84hzenq7devn4liwhy
>> E66ALUU4CIGV29JRRU6WPWZC4EI1WCP5M55SOZE8PBM9OH5U7WLUEGW8W
>> 1tsq2nanaolmpm21q164t5o1ry2wc5gcq25q8d72eanj87ep7stgq58wa
>> VPNGHS4AET938S0OH263OGOBK1HKV5NDUMJPVDQALPP1XXM9YFGG7YH7ZR
>> cteeydhbt8ak7ycksvpvy8yeu3db3wf9iazx7n8jo21xdhd5vafc24l0
>> V8K7ENHU8RAWL9WPPHHAC0ZVTWXL8R98GAJX5CDH7EKWZC64TM4VHVPTA86
>> chy2kxu9196hwzvgedt7giw8iq22e89gfymg2sf4s2nebuorx7pqjtq
>> 3SO1H0IYX7COZLSMVCGAS4N94AAV7XIWK0FE7WVDPO2W68DJM0FVQE3F0MP1
>>
>> With a fixed width font it looks almost like overlapping bat wings or
>> saw-tooth waveforms when laid on its side.
> 
> base64 fails ? :=)
> 
>>
>> {^_^}
> 
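Added example, not code from any participant in this thread: a small Python check for the layout Loren and Joanne describe, a message whose bulk is junk inside two bogus <style> tags with the real payload (a link) between them, and whose total size can land above a scanner's size cap. The sample message, the example.com/example.org names, the scan cap and the 0.9 padding ratio are constructed assumptions for illustration.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample (not a real spam): two <style> blocks of pseudo-base64
# junk bracketing a tiny HTML body with one link, as described in the thread.
# The junk is repeated far less than in the real 325KB messages.
JUNK = ("QYC9LYOXDU89JN94BBNNV5XED3HBHIJJWPNYTM38GKBBEF52G4T4BO6\n"
        "reny9phehn9n65ibtzjmp8mssof5lq4qkqh5s59l4ezpztqmp1kb8r6c13p\n") * 200

SAMPLE = (
    "From: Random Name <contact@example.org>\r\n"      # constructed sender
    "To: victim@example.net\r\n"
    "Subject: hello\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n\r\n"
    "<html><head><style>" + JUNK + "</style></head><body>"
    '<a href="http://example.com/?contact-id=12345">click</a>'  # the payload
    "<style>" + JUNK + "</style></body></html>\r\n"
).encode()

STYLE_RE = re.compile(rb"<style[^>]*>(.*?)</style>", re.I | re.S)


def style_padding_ratio(raw: bytes) -> float:
    """Fraction of the HTML part's bytes that sit inside <style> tags."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return 0.0
    html = body.get_content().encode("utf-8", "replace")
    padding = sum(len(m) for m in STYLE_RE.findall(html))
    return padding / max(len(html), 1)


def analyse(raw: bytes, scan_cap: int, ratio_threshold: float = 0.9) -> dict:
    """Report whether the message would skip a size-capped scanner and
    whether its HTML is almost entirely <style> padding."""
    ratio = style_padding_ratio(raw)
    return {
        "size": len(raw),
        "exceeds_scan_cap": len(raw) > scan_cap,   # the bypass Loren suspects
        "style_ratio": round(ratio, 3),
        "suspicious": ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    # 256KB is the hard-wired limit Sebastian mentions; this sample is smaller.
    print(analyse(SAMPLE, 256 * 1024))
```

A message that trips "suspicious" but not "exceeds_scan_cap" is one the scanner will still see; raising the cap (as with spamc -s) is what brings the oversized variants back in front of it.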

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by Benny Pedersen <me...@junc.eu>.
Dianne Skoll skrev den 2017-09-14 20:38:

> https://cron-job.org/en/spam-statement/
> They are victims of a joe-job.

yes, prove that it really is us

if it goes, it goes

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by Dianne Skoll <df...@roaringpenguin.com>.
Hi, again,

Aha...

https://cron-job.org/en/spam-statement/

They are victims of a joe-job.

Regards,

Dianne.

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by David Jones <dj...@ena.com>.
On 09/14/2017 01:37 PM, Dianne Skoll wrote:
> On Thu, 14 Sep 2017 11:27:27 -0700
> "Loren Wilton" <lw...@earthlink.net> wrote:
> 
>> Other than being obvious spam, they seem to be set up as though they
>> were legitimate commercial mailing list stuff, often containing
>> things like contact-id and the like in the links.
> 
>> Is anyone else seeing these?
> 
> A small number.  The contact@cron-job.org address is only in the From:
> header; the envelope recipients look randomly-generated and sometimes
> from unrelated domains.
> 
> Should be easy to block.  Just block the cron-job.org domain.
> 

blacklist_from *@cron-job.org
whitelist_auth *@cron-job.org

This should allow messages passing SPF or DKIM and block all others, 
correct?


> Regards,
> 
> Dianne.
> 

-- 
David Jones

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by Ian Zimmerman <it...@very.loosely.org>.
On 2017-09-15 13:32, RW wrote:

> The default is 500kB for spamc, 256kB is a default for sa-learn.  

I have asked this before:

Does this mean 500 * 1000 bytes or 512 * 1024 bytes, or something else
still?

(this is relevant when configuring other stuff which only understands
straight byte counts with no suffixes)

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by RW <rw...@googlemail.com>.
On Fri, 15 Sep 2017 00:39:35 +0100
Sebastian Arcus wrote:


> I had to add on my systems a while ago an 
> /etc/mail/spamassassin/spamc.conf containing:
> 
> -s 2000000
> 
> to increase the maximum size of emails passed to SA. It seems some 
> spammers have cottoned onto the fact that 256KB is still hardwired 
> somewhere in SA, and started sending spam just above that threshold
> to bypass the filter.

The default is 500kB for spamc, 256kB is a default for sa-learn.  

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 14/09/17 19:59, Loren Wilton wrote:
>>> Should be easy to block.  Just block the cron-job.org domain.
> 
> As someone else mentioned that address is an obvious joe-job. And 
> scoring it high doesn't help that much. It worked for the first few 
> weeks, then they went to contact@<random string> to presumably get 
> around that. I was surprised to see in the last few that they had gone 
> back to the cron-job.org domain for the fake sender.
> 
> For some reason these are bypassing SA on my system, I suspect due to 
> the size.

I had to add on my systems a while ago an 
/etc/mail/spamassassin/spamc.conf containing:

-s 2000000

to increase the maximum size of emails passed to SA. It seems some 
spammers have cottoned onto the fact that 256KB is still hardwired 
somewhere in SA, and started sending spam just above that threshold to 
bypass the filter.

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by Loren Wilton <lw...@earthlink.net>.
>> Should be easy to block.  Just block the cron-job.org domain.

As someone else mentioned that address is an obvious joe-job. And scoring it 
high doesn't help that much. It worked for the first few weeks, then they 
went to contact@<random string> to presumably get around that. I was 
surprised to see in the last few that they had gone back to the cron-job.org 
domain for the fake sender.

For some reason these are bypassing SA on my system, I suspect due to the 
size.

        Loren 


Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 14 Sep 2017, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700
> "Loren Wilton" <lw...@earthlink.net> wrote:
>
>> Other than being obvious spam, they seem to be set up as though they
>> were legitimate commercial mailing list stuff, often containing
>> things like contact-id and the like in the links.
>
>> Is anyone else seeing these?
>
> A small number.  The contact@cron-job.org address is only in the From:
> header; the envelope recipients look randomly-generated and sometimes
> from unrelated domains.
>
> Should be easy to block.  Just block the cron-job.org domain.

Not to mention that the target URL "proffbuilder DOT com" is listed in several 
URIBLs.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: In anyone else getting 325KB spams from contact@cron-job.org?

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Thu, 14 Sep 2017 11:27:27 -0700
"Loren Wilton" <lw...@earthlink.net> wrote:

> Other than being obvious spam, they seem to be set up as though they
> were legitimate commercial mailing list stuff, often containing
> things like contact-id and the like in the links.

> Is anyone else seeing these?

A small number.  The contact@cron-job.org address is only in the From:
header; the envelope recipients look randomly-generated and sometimes
from unrelated domains.

Should be easy to block.  Just block the cron-job.org domain.

Regards,

Dianne.