Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2015/07/02 02:56:44 UTC

Whatsapp spam

Hi guys,

I've been receiving a handful of spam claiming to be from whatsapp,
and I can't figure out how to block it.

http://pastebin.com/8E66QRkn
http://pastebin.com/KrTgKGh1

What does a legitimate whatsapp email look like? I've searched their
site, and their DNS entry doesn't even have an MX record, let alone
any indication of SPF, etc.

Bayes is obviously a problem, but my bayes db generally performs well.
I'm sure the domains in the body would be listed now, and probably the
source addresses too.

Ideas greatly appreciated.

Re: Whatsapp spam

Posted by Jeroen de Neef <je...@gmail.com>.
Hi,

You could look into training your Bayesian classifier.

Just use *sa-learn --spam filename*
To teach the filter that a message isn't spam use *sa-learn --spam filename*


2015-07-02 2:56 GMT+02:00 Alex <my...@gmail.com>:

> Hi guys,
>
> I've been receiving a handful of spam claiming to be from whatsapp,
> and I can't figure out how to block it.
>
> http://pastebin.com/8E66QRkn
> http://pastebin.com/KrTgKGh1
>
> What does a legitimate whatsapp email look like? I've searched their
> site, and their DNS entry doesn't even have an MX record, let alone
> any indication of SPF, etc.
>
> Bayes is obviously a problem, but my bayes db generally performs well.
> I'm sure the domains in the body would be listed now, and probably the
> source addresses too.
>
> Ideas greatly appreciated.
>

Re: Whatsapp spam

Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Jul 2015, Alex wrote:

> Hi,
>
> On Thu, Jul 2, 2015 at 12:07 PM, John Hardin <jh...@impsec.org> wrote:
>> On Thu, 2 Jul 2015, John Wilcock wrote:
>>
>>> On 02/07/2015 04:23, Alex wrote:
>>>>
>>>>>  Not sure if the Unicode replace stuff will catch it, but you might try
>>>>>>  this:
>>>>>>>>    body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>>>>>>    replace_rules FUZZY_DETAILS
>>>>  It doesn't catch it, and I don't know enough about replace_rules to
>>>>  figure it out.
>>>
>>>
>>> Shouldn't that ?: be a ?!
>>
>> D'oh! Yes, you're correct. That was quick with no testing. (?: is programmed
>> a lot more firmly into my fingers than (?!
>
> This also doesn't fix it. Or did we determine this rule won't work
> anyway because of the changes necessary to 25_replace.cf?

That's likely but as yet unproven.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Your mouse has moved. Your Windows Operating System must be
   relicensed due to this hardware change. Please contact Microsoft
   to obtain a new activation key. If this hardware change results in
   added functionality you may be subject to additional license fees.
   Your system will now shut down. Thank you for choosing Microsoft.
-----------------------------------------------------------------------
  2 days until the 239th anniversary of the Declaration of Independence

Re: Whatsapp spam

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Jul 2, 2015 at 12:07 PM, John Hardin <jh...@impsec.org> wrote:
> On Thu, 2 Jul 2015, John Wilcock wrote:
>
>> On 02/07/2015 04:23, Alex wrote:
>>>
>>> >  Not sure if the Unicode replace stuff will catch it, but you might try
>>> > >  this:
>>> > > > >    body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>>> > >    replace_rules FUZZY_DETAILS
>>>  It doesn't catch it, and I don't know enough about replace_rules to
>>>  figure it out.
>>
>>
>> Shouldn't that ?: be a ?!
>
> D'oh! Yes, you're correct. That was quick with no testing. (?: is programmed
> a lot more firmly into my fingers than (?!

This also doesn't fix it. Or did we determine this rule won't work
anyway because of the changes necessary to 25_replace.cf?

Re: Whatsapp spam

Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Jul 2015, John Wilcock wrote:

> On 02/07/2015 04:23, Alex wrote:
>> >  Not sure if the Unicode replace stuff will catch it, but you might try 
>> >  this:
>> > > 
>> > >    body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>> > >    replace_rules FUZZY_DETAILS
>>  It doesn't catch it, and I don't know enough about replace_rules to
>>  figure it out.
>
> Shouldn't that ?: be a ?!

D'oh! Yes, you're correct. That was quick with no testing. (?: is 
programmed a lot more firmly into my fingers than (?!

Sorry!


Re: Whatsapp spam

Posted by John Wilcock <jo...@tradoc.fr>.
On 02/07/2015 04:23, Alex wrote:
>> Not sure if the Unicode replace stuff will catch it, but you might try this:
>> >
>> >   body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>> >   replace_rules FUZZY_DETAILS
> It doesn't catch it, and I don't know enough about replace_rules to
> figure it out.

Shouldn't that ?: be a ?!

-- 
John

Re: Whatsapp spam

Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Jul 2015, John Wilcock wrote:

> On 02/07/2015 04:50, John Hardin wrote:
>> >  Is there supposed to be an existing FUZZY_DETAILS rule?
>>
>>  I don't think so.
>
> If you were to envisage such a rule, it's worth noting that it would almost 
> certainly need a special case to avoid FPs on genuine French "détails" with 
> an acute accent. There could conceivably be other potential FPs in other 
> languages too, of course.

True. It wouldn't be a poison-pill rule by any means.

I haven't looked up the Unicode that's used in the spample, could 
that be what they've done there?


Re: Whatsapp spam

Posted by John Wilcock <jo...@tradoc.fr>.
On 02/07/2015 04:50, John Hardin wrote:
>> Is there supposed to be an existing FUZZY_DETAILS rule?
>
> I don't think so.

If you were to envisage such a rule, it's worth noting that it would 
almost certainly need a special case to avoid FPs on genuine French 
"détails" with an acute accent. There could conceivably be other 
potential FPs in other languages too, of course.

FWIW,
John

Re: Whatsapp spam

Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Jul 2015, Alex wrote:

> Hi,
>
>>> I've been receiving a handful of spam claiming to be from whatsapp,
>>> and I can't figure out how to block it.
>>>
>>> http://pastebin.com/8E66QRkn
>>> http://pastebin.com/KrTgKGh1
>>>
>>> What does a legitimate whatsapp email look like? I've searched their
>>> site, and their DNS entry doesn't even have an MX record, let alone
>>> any indication of SPF, etc.
>>>
>>> Bayes is obviously a problem, but my bayes db generally performs well.
>>> I'm sure the domains in the body would be listed now, and probably the
>>> source addresses too.
>>>
>>> Ideas greatly appreciated.
>>
>> It looks like they are doing unicode obfuscation of text in the body:
>>
>> WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:
>>
>> Not sure if the Unicode replace stuff will catch it, but you might try this:
>>
>>   body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>>   replace_rules FUZZY_DETAILS
>
> It doesn't catch it, and I don't know enough about replace_rules to
> figure it out.

Rats. It would probably involve changes to 25_replace.cf

> Is there supposed to be an existing FUZZY_DETAILS rule?

I don't think so.


Re: Whatsapp spam

Posted by Alex <my...@gmail.com>.
Hi,

>> I've been receiving a handful of spam claiming to be from whatsapp,
>> and I can't figure out how to block it.
>>
>> http://pastebin.com/8E66QRkn
>> http://pastebin.com/KrTgKGh1
>>
>> What does a legitimate whatsapp email look like? I've searched their
>> site, and their DNS entry doesn't even have an MX record, let alone
>> any indication of SPF, etc.
>>
>> Bayes is obviously a problem, but my bayes db generally performs well.
>> I'm sure the domains in the body would be listed now, and probably the
>> source addresses too.
>>
>> Ideas greatly appreciated.
>
>
> It looks like they are doing unicode obfuscation of text in the body:
>
> WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:
>
> Not sure if the Unicode replace stuff will catch it, but you might try this:
>
>   body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>   replace_rules FUZZY_DETAILS

It doesn't catch it, and I don't know enough about replace_rules to
figure it out. Is there supposed to be an existing FUZZY_DETAILS rule?
It appears to lint okay.

It's also interesting that the domains listed in both samples aren't
already blacklisted.

Re: Whatsapp spam

Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Jul 2015, Alex wrote:

> I've been receiving a handful of spam claiming to be from whatsapp,
> and I can't figure out how to block it.
>
> http://pastebin.com/8E66QRkn
> http://pastebin.com/KrTgKGh1
>
> What does a legitimate whatsapp email look like? I've searched their
> site, and their DNS entry doesn't even have an MX record, let alone
> any indication of SPF, etc.
>
> Bayes is obviously a problem, but my bayes db generally performs well.
> I'm sure the domains in the body would be listed now, and probably the
> source addresses too.
>
> Ideas greatly appreciated.

It looks like they are doing unicode obfuscation of text in the body:

WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:

Not sure if the Unicode replace stuff will catch it, but you might try 
this:

   body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
   replace_rules FUZZY_DETAILS

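As an added illustration (not code from the thread, and not SpamAssassin's own ReplaceTags implementation), the following Python prototype decodes the quoted-printable fragment John quotes above, folds accented look-alikes back to ASCII the way the <E>/<A> replace classes aim to, and applies the exemption for genuine French "détails" that John Wilcock raised earlier in the thread. The sample bodies, the target word list and the exemption list are constructed assumptions, not the real spamples.

```python
from __future__ import annotations

import quopri
import re
import unicodedata

# Constructed samples, modelled on the quoted-printable fragment quoted in
# the thread; they are not the actual spam from the pastebin links.
SPAM_QP = b"WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:"
FRENCH_QP = b"Veuillez trouver ci-joint les d=C3=A9tails de votre commande."
PLAIN = b"Here are the details of the meeting, see the web page."

# Target words the spam spells with accented look-alikes (assumed list).
TARGET_WORDS = frozenset({"details", "web", "have"})
# Genuine foreign spellings that fold to a target word and must not fire:
# the French "d\u00e9tails" (acute accent) false positive noted in the thread.
EXEMPT_SPELLINGS = frozenset({"d\u00e9tails"})


def decode_qp_body(raw: bytes) -> str:
    """Decode a quoted-printable body as UTF-8 text, the form a body rule sees."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")


def fold_accents(text: str) -> str:
    """NFKD-decompose and drop combining marks: 'D\u00e8tails' -> 'Details'.

    This mimics what a ReplaceTags class such as <E> or <A> tries to match."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def obfuscated_words(text: str) -> list[str]:
    """Return words that match a target only after accent folding.

    A word already spelled in plain ASCII is not reported, so ordinary English
    text never fires; exempted foreign spellings are skipped as well."""
    hits = []
    for word in re.findall(r"\w+", text):
        lowered = word.lower()
        folded = fold_accents(lowered)
        if (folded in TARGET_WORDS
                and lowered != folded
                and lowered not in EXEMPT_SPELLINGS):
            hits.append(word)
    return hits


def fuzzy_score(raw: bytes, min_hits: int = 2) -> tuple[list[str], bool]:
    """Decode, scan, and report whether at least min_hits obfuscated words
    were found.

    Requiring two or more keeps a single stray accented word (a name, a loan
    word) from triggering the rule on its own, which is the FP risk the thread
    discusses."""
    hits = obfuscated_words(decode_qp_body(raw))
    return hits, len(hits) >= min_hits


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_QP), ("french", FRENCH_QP), ("plain", PLAIN)):
        print(label, fuzzy_score(raw))
```

The spam sample yields three folded hits (W\u00e8b, h\u00e0ve, D\u00e8tails) and fires; the French sentence and the plain English one yield none.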

Re: Whatsapp spam

Posted by RW <rw...@googlemail.com>.
On Thu, 02 Jul 2015 23:40:04 +0200
Benny Pedersen wrote:

> RW wrote on 2015-07-02 23:21:
> > On Thu, 02 Jul 2015 19:21:12 +0200
> > Benny Pedersen wrote:

> >> co.dk was dropped before it got popular; I don't like to see TLDs
> >> that try to force the NIC to sell less,
> > 
> > I'm not sure what you are trying to say here, but direct .uk domains
> > have only been available for a year, and  .uk and .co.uk are both
> > managed by Nominet.
> 

> the issue I pointed out is: why pay for domains on a non-TLD?

For the same reasons that the US created .com, .edu, etc. The actual
names come from before modern DNS, when British servers ran on the
Coloured Book protocols over X.25 and had names in the form:

uk.co.example.name

co for company, ac for academic community, etc.


Re: Whatsapp spam

Posted by Reindl Harald <h....@thelounge.net>.
On 02.07.2015 at 23:40, Benny Pedersen wrote:
> RW wrote on 2015-07-02 23:21:
>> On Thu, 02 Jul 2015 19:21:12 +0200
>> Benny Pedersen wrote:
>>
>>> John Hardin wrote on 2015-07-02 19:08:
>>>
>>> >> # if version >3.3.x
>>> >> blacklist_uri_hosts co.uk
>>> >
>>> > That seems to be a rather big hammer you're recommending. Of course,
>>> > if you don't do any business with anyone in the UK (and don't ever
>>> > intend to) it may be reasonable.
>>>
>>> co.dk was dropped before it got popular; I don't like to see TLDs that
>>> try to force the NIC to sell less,
>>
>> I'm not sure what you are trying to say here, but direct .uk domains
>> have only been available for a year, and  .uk and .co.uk are both
>> managed by Nominet.
>
> whitelist_uri_hosts example.co.uk
> but IMHO nobody asked if I whitelisted

it doesn't matter at all

> the issue I pointed out is: why pay for domains on a non-TLD? Or
> is co.uk really a TLD? co.dk is not

in other words: you have no clue what you are talking about and bring
examples which would lead straight to hell if anybody started using them

that's fine in general, but then don't recommend things
https://en.wikipedia.org/wiki/Second-level_domain


Re: Whatsapp spam

Posted by Benny Pedersen <me...@junc.eu>.
RW wrote on 2015-07-02 23:21:
> On Thu, 02 Jul 2015 19:21:12 +0200
> Benny Pedersen wrote:
> 
>> John Hardin wrote on 2015-07-02 19:08:
>> 
>> >> # if version >3.3.x
>> >> blacklist_uri_hosts co.uk
>> >
>> > That seems to be a rather big hammer you're recommending. Of course,
>> > if you don't do any business with anyone in the UK (and don't ever
>> > intend to) it may be reasonable.
>> 
>> co.dk was dropped before it got popular; I don't like to see TLDs that
>> try to force the NIC to sell less,
> 
> I'm not sure what you are trying to say here, but direct .uk domains
> have only been available for a year, and  .uk and .co.uk are both
> managed by Nominet.

whitelist_uri_hosts example.co.uk

but IMHO nobody asked if I whitelisted

the issue I pointed out is: why pay for domains on a non-TLD? Or
is co.uk really a TLD? co.dk is not

Re: Whatsapp spam

Posted by RW <rw...@googlemail.com>.
On Thu, 02 Jul 2015 19:21:12 +0200
Benny Pedersen wrote:

> John Hardin wrote on 2015-07-02 19:08:
> 
> >> # if version >3.3.x
> >> blacklist_uri_hosts co.uk
> > 
> > That seems to be a rather big hammer you're recommending. Of course,
> > if you don't do any business with anyone in the UK (and don't ever
> > intend to) it may be reasonable.
> 
> co.dk was dropped before it got popular; I don't like to see TLDs that
> try to force the NIC to sell less,

I'm not sure what you are trying to say here, but direct .uk domains
have only been available for a year, and  .uk and .co.uk are both
managed by Nominet.


Re: Whatsapp spam

Posted by Reindl Harald <h....@thelounge.net>.

On 02.07.2015 at 19:21, Benny Pedersen wrote:
> John Hardin wrote on 2015-07-02 19:08:
>
>>> # if version >3.3.x
>>> blacklist_uri_hosts co.uk
>>
>> That seems to be a rather big hammer you're recommending. Of course,
>> if you don't do any business with anyone in the UK (and don't ever
>> intend to) it may be reasonable.
>
> co.dk was dropped before it got popular; I don't like to see TLDs that
> try to force the NIC to sell less. Yes, I know it's a big hammer, but I don't
> like it anyway to see cooperating firms jump into the same blacklists
>
> https://www.dk-hostmaster.dk/index.php?id=42&query=co.dk&submit=S%F8g
>
> http://co.dk/
>
> ERR_NAME_RESOLUTION_FAILED
>
> does co.uk handle it better ?

90% if not more of UK sites are using co.uk
"try to force nic to sell less" makes zero sense


Re: Whatsapp spam

Posted by Benny Pedersen <me...@junc.eu>.
John Hardin wrote on 2015-07-02 19:08:

>> # if version >3.3.x
>> blacklist_uri_hosts co.uk
> 
> That seems to be a rather big hammer you're recommending. Of course,
> if you don't do any business with anyone in the UK (and don't ever
> intend to) it may be reasonable.

co.dk was dropped before it got popular; I don't like to see TLDs that
try to force the NIC to sell less. Yes, I know it's a big hammer, but I don't
like it anyway to see cooperating firms jump into the same blacklists

https://www.dk-hostmaster.dk/index.php?id=42&query=co.dk&submit=S%F8g

http://co.dk/

ERR_NAME_RESOLUTION_FAILED

does co.uk handle it better?

Re: Whatsapp spam

Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Jul 2015, Benny Pedersen wrote:

> Alex wrote on 2015-07-02 02:56:
>
>> http: //pastebin.com/8E66QRkn
>> http: //pastebin.com/KrTgKGh1
>
> # if version >3.3.x
> blacklist_uri_hosts co.uk

That seems to be a rather big hammer you're recommending. Of course, if 
you don't do any business with anyone in the UK (and don't ever intend to) 
it may be reasonable.


Re: Whatsapp spam

Posted by Reindl Harald <h....@thelounge.net>.
On 03.07.2015 at 15:17, Alex wrote:
>> not necessarily, they all have different sources...
>> not all sources see the same traffic...
>
> Then that's a shame that all those people have seen it, and not a
> single one has reported it to any blacklists

blacklists are not the ultimate answer - snowshoe spam is distributed
from so many sources and hacked freemail accounts, and you really don't
have all freemailers hard blocked

that's the purpose of a content filter

the point of using ixhash, razor *and* pyzor is that all of them have
false positives, so you don't want them to score too high, *but* if 2 or
3 of them hit, the total score is high enough

there is also "DIGEST_MULTIPLE" if razor *and* pyzor hit; sadly ixhash2
is not taken into account for that

current month here:
DIGEST_MULTIPLE:   35
RAZOR:             187
PYZOR:             225
IXHASH:            94
______________________________________

current scoring on our side

# remote hash services
use_pyzor                       1
pyzor_path                      /usr/bin/pyzor
score PYZOR_CHECK               0.5
score RAZOR2_CHECK              0.5
score RAZOR2_CF_RANGE_51_100    0.5
score RAZOR2_CF_RANGE_E4_51_100 1.5
score RAZOR2_CF_RANGE_E8_51_100 2.0
score GENERIC_IXHASH            1.5
score NIXSPAM_IXHASH            1.5
score SEM_IXHASH                1.5
describe GENERIC_IXHASH         http://wiki.apache.org/spamassassin/iXhash
describe NIXSPAM_IXHASH         http://wiki.apache.org/spamassassin/iXhash
describe SEM_IXHASH             http://wiki.apache.org/spamassassin/iXhash
score DIGEST_MULTIPLE           2.0
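To make the "several low-scoring hash checks add up" argument concrete, here is an added Python example (not from the post and not SpamAssassin code) that parses the score lines above and totals a few constructed hit sets. The DIGEST_MULTIPLE meta rule is approximated as "more than one of RAZOR2_CHECK, PYZOR_CHECK, DCC_CHECK hit", which is an assumption about SA's stock definition; the 5.0 threshold is SpamAssassin's default required_score.

```python
from __future__ import annotations

import re

# The score lines from the post above, embedded as the parser's input.
SCORE_CONFIG = """
# remote hash services
score PYZOR_CHECK               0.5
score RAZOR2_CHECK              0.5
score RAZOR2_CF_RANGE_51_100    0.5
score RAZOR2_CF_RANGE_E4_51_100 1.5
score RAZOR2_CF_RANGE_E8_51_100 2.0
score GENERIC_IXHASH            1.5
score NIXSPAM_IXHASH            1.5
score SEM_IXHASH                1.5
score DIGEST_MULTIPLE           2.0
"""

# Matches the single-value form 'score RULE value'; the four-value form and
# other directives (describe, use_pyzor, ...) are ignored.
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")

# Assumption: SA's stock DIGEST_MULTIPLE meta fires when more than one of
# these three checks hit. The iXhash rules are absent from it, which is the
# gap the post complains about.
DIGEST_CHECKS = frozenset({"RAZOR2_CHECK", "PYZOR_CHECK", "DCC_CHECK"})

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def parse_scores(config: str) -> dict[str, float]:
    """Return {rule_name: score} for every single-value score line."""
    scores = {}
    for line in config.splitlines():
        m = SCORE_LINE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return scores


def digest_multiple(hits: set[str]) -> bool:
    """Evaluate the assumed DIGEST_MULTIPLE meta over a set of rule hits."""
    return len(set(hits) & DIGEST_CHECKS) > 1


def total_score(hits: set[str], scores: dict[str, float]) -> float:
    """Sum the hit rules' scores, adding DIGEST_MULTIPLE when its meta holds."""
    effective = set(hits)
    if digest_multiple(effective):
        effective.add("DIGEST_MULTIPLE")
    return round(sum(scores.get(rule, 0.0) for rule in effective), 2)


def verdict(hits: set[str], scores: dict[str, float]) -> tuple[float, bool]:
    """Return (score, reaches_required_score) for a set of rule hits."""
    score = total_score(hits, scores)
    return score, score >= REQUIRED_SCORE


# Constructed hit sets illustrating the post's argument.
SINGLE_FP = {"PYZOR_CHECK"}                    # one service alone stays harmless
TWO_IXHASH = {"NIXSPAM_IXHASH", "SEM_IXHASH"}  # two ixhash lists, no meta bonus
CORROBORATED = {"RAZOR2_CHECK", "RAZOR2_CF_RANGE_51_100",
                "RAZOR2_CF_RANGE_E8_51_100", "PYZOR_CHECK", "NIXSPAM_IXHASH"}

if __name__ == "__main__":
    table = parse_scores(SCORE_CONFIG)
    for name, hits in (("single", SINGLE_FP), ("two ixhash", TWO_IXHASH),
                       ("corroborated", CORROBORATED)):
        print(name, verdict(hits, table))
```

A lone Pyzor hit scores 0.5, two iXhash lists alone reach 3.0 without the meta bonus, and a Razor high-confidence hit corroborated by Pyzor and one iXhash list reaches 7.0, over the threshold.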


Re: Whatsapp spam

Posted by Alex <my...@gmail.com>.
Hi,

>>> www.heise.de/ix/foren/S-iXHash-Plugin-ein-paar-Empfehlungen/forum-48292/msg-22474602/read/
>>
>>
>> Yes, apologies; I didn't mean to suggest that. I'll have to take your
>> word for it since the page is in German, but will check it out.
>
> ever heard of translate.google.com
>
> https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=www.heise.de%2Fix%2Fforen%2FS-iXHash-Plugin-ein-paar-Empfehlungen%2Fforum-48292%2Fmsg-22474602%2Fread%2F&edit-text=&act=url
>
> may not be perfect but one gets the meaning

Everyone takes things so literally :-) I could read enough to know
there wasn't all that much there anyway.

>>> if BL traps/feeds don't see a hacked site's URL/spam sample they can't
>>> list
>>> it.
>>
>>
>> Yes, of course; I was more or less just commenting that it was weird
>> to apparently be one of the few seeing this. I've already added them
>> to my local RBL.
>>
>> It also means that Razor, and ixhash, would suffer in a similar way
>> with this one...
>
>
> not necessarily, they all have different sources...
> not all sources see the same traffic...

Then that's a shame that all those people have seen it, and not a
single one has reported it to any blacklists.

Thanks again



Re: Whatsapp spam

Posted by RW <rw...@googlemail.com>.
On Fri, 03 Jul 2015 15:06:35 +0200
Axb wrote:


> ever heard of translate.google.com
> 
> https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=www.heise.de%2Fix%2Fforen%2FS-iXHash-Plugin-ein-paar-Empfehlungen%2Fforum-48292%2Fmsg-22474602%2Fread%2F&edit-text=&act=url
> 
> may not be perfect but one gets the meaning


But note that "the configuration must not be changed" should have been
translated as "the configuration *need* not be changed".  



Re: Whatsapp spam

Posted by Axb <ax...@gmail.com>.
On 03.07.2015 15:00, Alex wrote:
> Hi,
>
>>>> tried iXhash? (I assume you're also using Razor)
>>>
>>>
>>> I am using Razor, but is iXhash still being developed and used in
>>> production? It appears the last development was in 2013, and their
>>> website has dead links...
>>
>> I would hardly suggest using something which is dead....
>>
>> http://sourceforge.net/projects/ixhash/
>>
>> see "User Reviews" :
>>
>> There is a newer (unofficial) plugin at mailfud.org/iXhash2/ Recommended by
>> original author at:
>> www.heise.de/ix/foren/S-iXHash-Plugin-ein-paar-Empfehlungen/forum-48292/msg-22474602/read/
>
> Yes, apologies; I didn't mean to suggest that. I'll have to take your
> word for it since the page is in German, but will check it out.

ever heard of translate.google.com

https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=www.heise.de%2Fix%2Fforen%2FS-iXHash-Plugin-ein-paar-Empfehlungen%2Fforum-48292%2Fmsg-22474602%2Fread%2F&edit-text=&act=url

may not be perfect but one gets the meaning

>
>>> Surprisingly to me, neither URL referenced in the samples
>>> (auction.greendust.com and ubidibid.com) has yet been added to a
>>> blacklist, which to me means they either just haven't yet been added,
>>> or the links are some kind of hacked accounts that redirect to another
>>> site.
>>
>> if BL traps/feeds don't see a hacked site's URL/spam sample they can't list
>> it.
>
> Yes, of course; I was more or less just commenting that it was weird
> to apparently be one of the few seeing this. I've already added them
> to my local RBL.
>
> It also means that Razor, and ixhash, would suffer in a similar way
> with this one...

not necessarily, they all have different sources...
not all sources see the same traffic...


Re: Whatsapp spam

Posted by Alex <my...@gmail.com>.
Hi,

>>> tried iXhash? (I assume you're also using Razor)
>>
>>
>> I am using Razor, but is iXhash still being developed and used in
>> production? It appears the last development was in 2013, and their
>> website has dead links...
>
> I would hardly suggest using something which is dead....
>
> http://sourceforge.net/projects/ixhash/
>
> see "User Reviews" :
>
> There is a newer (unofficial) plugin at mailfud.org/iXhash2/ Recommended by
> original author at:
> www.heise.de/ix/foren/S-iXHash-Plugin-ein-paar-Empfehlungen/forum-48292/msg-22474602/read/

Yes, apologies; I didn't mean to suggest that. I'll have to take your
word for it since the page is in German, but will check it out.

>> Surprisingly to me, neither URL referenced in the samples
>> (auction.greendust.com and ubidibid.com) has yet been added to a
>> blacklist, which to me means they either just haven't yet been added,
>> or the links are some kind of hacked accounts that redirect to another
>> site.
>
> if BL traps/feeds don't see a hacked site's URL/spam sample they can't list
> it.

Yes, of course; I was more or less just commenting that it was weird
to apparently be one of the few seeing this. I've already added them
to my local RBL.

It also means that Razor, and ixhash, would suffer in a similar way
with this one...

Re: Whatsapp spam

Posted by Axb <ax...@gmail.com>.
On 03.07.2015 04:15, Alex wrote:
> Hi,
>
> On Thu, Jul 2, 2015 at 10:58 AM, Axb <ax...@gmail.com> wrote:
>> On 02.07.2015 02:56, Alex wrote:
>>>
>>> Hi guys,
>>>
>>> I've been receiving a handful of spam claiming to be from whatsapp,
>>> and I can't figure out how to block it.
>>>
>>> http://pastebin.com/8E66QRkn
>>> http://pastebin.com/KrTgKGh1
>>>
>>> What does a legitimate whatsapp email look like? I've searched their
>>> site, and their DNS entry doesn't even have an MX record, let alone
>>> any indication of SPF, etc.
>>>
>>> Bayes is obviously a problem, but my bayes db generally performs well.
>>> I'm sure the domains in the body would be listed now, and probably the
>>> source addresses too.
>>>
>>> Ideas greatly appreciated.
>>>
>>
>> tried iXhash? (I assume you're also using Razor)
>
> I am using Razor, but is iXhash still being developed and used in
> production? It appears the last development was in 2013, and their
> website has dead links...

I would hardly suggest using something which is dead....

http://sourceforge.net/projects/ixhash/

see "User Reviews" :

There is a newer (unofficial) plugin at mailfud.org/iXhash2/ Recommended 
by original author at: 
www.heise.de/ix/foren/S-iXHash-Plugin-ein-paar-Empfehlungen/forum-48292/msg-22474602/read/ 




> Surprisingly to me, neither URL referenced in the samples
> (auction.greendust.com and ubidibid.com) has yet been added to a
> blacklist, which to me means they either just haven't yet been added,
> or the links are some kind of hacked accounts that redirect to another
> site.

if BL traps/feeds don't see a hacked site's URL/spam sample they can't 
list it.



Re: Whatsapp spam

Posted by Alex <my...@gmail.com>.
Hi,

On Thu, Jul 2, 2015 at 10:58 AM, Axb <ax...@gmail.com> wrote:
> On 02.07.2015 02:56, Alex wrote:
>>
>> Hi guys,
>>
>> I've been receiving a handful of spam claiming to be from whatsapp,
>> and I can't figure out how to block it.
>>
>> http://pastebin.com/8E66QRkn
>> http://pastebin.com/KrTgKGh1
>>
>> What does a legitimate whatsapp email look like? I've searched their
>> site, and their DNS entry doesn't even have an MX record, let alone
>> any indication of SPF, etc.
>>
>> Bayes is obviously a problem, but my bayes db generally performs well.
>> I'm sure the domains in the body would be listed now, and probably the
>> source addresses too.
>>
>> Ideas greatly appreciated.
>>
>
> tried iXhash? (I assume you're also using Razor)

I am using Razor, but is iXhash still being developed and used in
production? It appears the last development was in 2013, and their
website has dead links...

Surprisingly to me, neither URL referenced in the samples
(auction.greendust.com and ubidibid.com) has yet been added to a
blacklist, which to me means they either just haven't yet been added,
or the links are some kind of hacked accounts that redirect to another
site.

Re: Whatsapp spam

Posted by Axb <ax...@gmail.com>.
On 02.07.2015 02:56, Alex wrote:
> Hi guys,
>
> I've been receiving a handful of spam claiming to be from whatsapp,
> and I can't figure out how to block it.
>
> http://pastebin.com/8E66QRkn
> http://pastebin.com/KrTgKGh1
>
> What does a legitimate whatsapp email look like? I've searched their
> site, and their DNS entry doesn't even have an MX record, let alone
> any indication of SPF, etc.
>
> Bayes is obviously a problem, but my bayes db generally performs well.
> I'm sure the domains in the body would be listed now, and probably the
> source addresses too.
>
> Ideas greatly appreciated.
>

tried iXhash? (I assume you're also using Razor)

Re: Whatsapp spam

Posted by Axb <ax...@gmail.com>.
On 02.07.2015 18:52, Benny Pedersen wrote:
>
> # if version >3.3.x
> blacklist_uri_hosts co.uk

Let's blame a heatwave...
you can't be serious suggesting such a thing in public

Re: Whatsapp spam

Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2015-07-02 02:56:

> http://pastebin.com/8E66QRkn
> http://pastebin.com/KrTgKGh1

# if version >3.3.x
blacklist_uri_hosts co.uk

# for all versions
and the sagrey plugin: track single IPv4 addresses, and IPv6 /64s

I don't use TxRep since it seems it does not yet work with sagrey :/