Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2008/03/18 22:36:03 UTC
any way to stop these tiny zip spams?
...we're getting around 15,000 per day at the moment: emails containing
one line of text and a <1Kbyte zip attachment (filename varies) - which
contains a spammy HTML file.
http://pastebin.com/m493f478c
I don't expect it'll last long as a delivery system, but currently only
RBL rules have any chance of catching such things.
Is there any way to get SA to score zip attachments that are <1Kbyte?
There can't be real zip files with such small sizes (?)
Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: any way to stop these tiny zip spams?
Posted by Benny Pedersen <me...@junc.org>.
On Tue, March 18, 2008 22:36, Jason Haar wrote:
> ...we're getting around 15,000 per day at the moment: emails containing
> one line of text and a <1Kbyte zip attachment (filename varies) - which
> contains a spammy HTML file.
yes, too late to stop the spam, but sender ip is listed in spamhaus, and the
sender ip is also a botnet without reverse dns, botnet plugin finds this
> http://pastebin.com/m493f478c
for spamassassin get the jm sought rules, it hits there
Benny Pedersen
Re: BATV and whitelisting
Posted by John Hardin <jh...@impsec.org>.
On Wed, 9 Apr 2008, Rose, Bobby wrote:
> I'm starting to see BATV use increasing. Has anyone thought about how
> this affects whitelists, mta acls, etc? It looks like such things are
> broken because if an end-user whitelists joe@foo.com and BATV has the
> mail from as prvs=joe=1312@foo.com, then that whitelisting has no
> effect. And since the BATV signature changes, they can't whitelist that
> even if they knew what batv signed address was for that sender.
>
> Any thought about how to resolve this?
SA will probably need to be modified to de-BATV the sender address before
checking the whitelists. See if there's a bugzilla entry for that, and add
one if there isn't.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: BATV and whitelisting
Posted by Matt Kettler <mk...@evi-inc.com>.
Rose, Bobby wrote:
> I'm starting to see BATV use increasing. Has anyone thought about how
> this affects whitelists, mta acls, etc? It looks like such things are
> broken because if an end-user whitelists joe@foo.com and BATV has the
> mail from as prvs=joe=1312@foo.com, then that whitelisting has no
> effect. And since the BATV signature changes, they can't whitelist that
> even if they knew what batv signed address was for that sender.
>
> Any thought about how to resolve this? I was thinking of stripping out
> the batv stuff to get the sender's address for matching but I see
> different kinds of prvs= addresses out there. Some have
> prvs=xxxxx=joe@foo.com and others have prvs=joe=xxxx@foo.com
>
> Bobby
>
>
whitelist prvs*joe*@foo.com?
BATV and whitelisting
Posted by "Rose, Bobby" <br...@med.wayne.edu>.
I'm starting to see BATV use increasing. Has anyone thought about how
this affects whitelists, mta acls, etc? It looks like such things are
broken because if an end-user whitelists joe@foo.com and BATV has the
mail from as prvs=joe=1312@foo.com, then that whitelisting has no
effect. And since the BATV signature changes, they can't whitelist that
even if they knew what batv signed address was for that sender.
Any thought about how to resolve this? I was thinking of stripping out
the batv stuff to get the sender's address for matching but I see
different kinds of prvs= addresses out there. Some have
prvs=xxxxx=joe@foo.com and others have prvs=joe=xxxx@foo.com
Bobby
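
Added example (not part of the thread, and not SpamAssassin code): the de-BATV step discussed above, written in Python so it can be run stand-alone, covering both prvs= layouts mentioned in the original post. The function names and the assumed tag shape (4 to 10 hex digits) are assumptions of this example.

```python
import re

# Assumed tag shape: 4-10 hex digits. A draft-style BATV tag is 10 characters;
# the thread's own example (prvs=joe=1312@foo.com) carries a 4-digit one.
_TAG = re.compile(r"[0-9A-Fa-f]{4,10}")


def batv_candidates(sender):
    """Return the possible untagged addresses behind an envelope sender.

    Handles both layouts seen in the thread:
      prvs=TAG=local@domain   and   prvs=local=TAG@domain
    The tag is NOT verified (only the signing domain holds the key), so the
    result is exactly as trustworthy as an unsigned envelope sender.
    """
    addr = sender.strip().strip("<>")
    if not addr or "@" not in addr:
        return []                      # null sender or malformed address
    local, domain = addr.rsplit("@", 1)
    if not local.lower().startswith("prvs=") or "=" not in local[5:]:
        return [addr]                  # not BATV-tagged
    rest = local[5:]
    found = []
    first, tail = rest.split("=", 1)   # TAG=local (local may contain '=')
    if _TAG.fullmatch(first) and tail:
        found.append(f"{tail}@{domain}")
    head, last = rest.rsplit("=", 1)   # local=TAG
    if _TAG.fullmatch(last) and head:
        cand = f"{head}@{domain}"
        if cand not in found:
            found.append(cand)
    return found or [addr]             # unrecognised tag: leave untouched


def is_whitelisted(sender, whitelist):
    """Case-insensitive whitelist match against every de-tagged candidate."""
    wl = {w.lower() for w in whitelist}
    return any(c.lower() in wl for c in batv_candidates(sender))


if __name__ == "__main__":
    # Constructed envelope senders, modelled on the forms quoted in the thread.
    for s in ("prvs=joe=1312@foo.com", "<prvs=0123abcdef=joe@foo.com>",
              "prvs=1234=5678@foo.com", "joe@foo.com", "<>"):
        print(f"{s!r:35} -> {batv_candidates(s)}")
```

When both halves look like a tag, both readings are returned and either may match, so an address-only whitelist stays as forgeable after de-tagging as it was before.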