Posted to users@spamassassin.apache.org by Joseph Acquisto <jo...@j4computers.com> on 2012/11/10 00:48:46 UTC

Sample of a nasty one IMHO

http://pastebin.com/H8NrruE1

An outfit that apparently not only does not honor unsubscribe requests, but may simply count hits.

I could be wrong.

joe a.


Re: Sample of a nasty one IMHO

Posted by Joseph Acquisto <jo...@j4computers.com>.
>>> On 11/10/2012 at 8:51 AM, Martin Gregorie <ma...@gregorie.org> wrote:
> On Sat, 2012-11-10 at 07:50 -0500, Joseph Acquisto wrote:
>> >>> On 11/10/2012 at 7:12 AM, Martin Gregorie <ma...@gregorie.org> wrote:
>> >>  After I posted, I went to put them on my local blacklist and saw that 
>> >> I had done this previously.   I wonder why it was not caught.   A
>> >> Cron job does sa-update twice a day, so it is unlikely not to have
>> >> been read.
>> >> 
>> > Don't forget that spamd is stopped and restarted during the daily
>> > update. Could the message's arrival coincide with this? 
>> > 
>> > Is your local blacklist also taken down while it is being updated and/or
>> > backed up?
>> 
>> Guess so, only using local.cf
>> 
>> > Mine isn't because I implement it with what I call a
>> > 'portmanteau rule', a single rule with several hundred alternative
>> > patterns. In this case the rule is looking for URI matches in message
>> > bodies because it was written to clean the message stream from a
>> > spam-laden mailing list: blacklists etc simply don't work in this
>> > situation because the headers relate to messages sent from the
>> > listserv.  
>> 
>> That's something I need to look at, I guess.
>> 
> The major downside is the pain of editing a single Kchars long line, so
> I wrote a fairly simple-minded script that uses gawk to transform a more
> easily editable source file, e.g. it puts each pattern on a separate
> line, into a validly formatted SA rule. Details are here:
> 
> http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz 
> 
>> AFA the CANSPAM thing goes, we shall see.  I only found a link to a
>> rather generic FTC complaint form, which I filled out, without much
>> sense of fulfillment.
>> 
> Can you post a URL for that, please.
> 
> 
> Martin

I first found this:

http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business 

Which has a link to:

https://www.ftccomplaintassistant.gov/

Which has some other info

and finally leads to:

https://www.ftccomplaintassistant.gov/FTC_Wizard.aspx?Lang=en

I soon got a confirmation that the complaint was received.

"Complaint Submitted  
Thank you for contacting the FTC. Your complaint has been entered into Consumer Sentinel, a secure online database available to thousands of civil and criminal law enforcement agencies worldwide. Your reference number is:xxxxx "

joe a.



Re: Sample of a nasty one IMHO

Posted by Martin Gregorie <ma...@gregorie.org>.
On Sat, 2012-11-10 at 07:50 -0500, Joseph Acquisto wrote:
> >>> On 11/10/2012 at 7:12 AM, Martin Gregorie <ma...@gregorie.org> wrote:
> >>  After I posted, I went to put them on my local blacklist and saw that 
> >> I had done this previously.   I wonder why it was not caught.   A
> >> Cron job does sa-update twice a day, so it is unlikely not to have
> >> been read.
> >> 
> > Don't forget that spamd is stopped and restarted during the daily
> > update. Could the message's arrival coincide with this? 
> > 
> > Is your local blacklist also taken down while it is being updated and/or
> > backed up?
> 
> Guess so, only using local.cf
> 
> > Mine isn't because I implement it with what I call a
> > 'portmanteau rule', a single rule with several hundred alternative
> > patterns. In this case the rule is looking for URI matches in message
> > bodies because it was written to clean the message stream from a
> > spam-laden mailing list: blacklists etc simply don't work in this
> > situation because the headers relate to messages sent from the
> > listserv.  
> 
> That's something I need to look at, I guess.
> 
The major downside is the pain of editing a single Kchars long line, so
I wrote a fairly simple-minded script that uses gawk to transform a more
easily editable source file, e.g. it puts each pattern on a separate
line, into a validly formatted SA rule. Details are here:

http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz

> AFA the CANSPAM thing goes, we shall see.  I only found a link to a
> rather generic FTC complaint form, which I filled out, without much
> sense of fulfillment.
> 
Can you post a URL for that, please.


Martin
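
A sketch of the kind of transformation described above, added here as an example; it is not the script from portmanteau.tgz or code from anyone in this thread. It turns a source file with one pattern per line into a single SpamAssassin uri rule; the rule name, score and sample patterns are constructed, and patterns are treated as literal strings rather than regexes.

```shell
#!/bin/sh
# Added example: build one SpamAssassin "uri" rule from a pattern-per-line file.
# The rule name, score and sample patterns below are constructed.

build_portmanteau() {
    # $1 = rule name, $2 = score; the pattern source is read from stdin.
    awk -v rule="$1" -v score="$2" '
    {
        sub(/#.*/, "")                      # drop trailing comments
        gsub(/^[ \t]+|[ \t]+$/, "")         # trim surrounding whitespace
        if ($0 == "" || seen[$0]++) next    # skip blank lines and duplicates
        # Patterns are literals: escape regex metacharacters and the "/"
        # delimiter so a stray "." or "?" cannot widen the match.
        gsub(/[][\\.^$*+?(){}|\/]/, "\\\\&")
        alt = alt (n++ ? "|" : "") $0
    }
    END {
        # An empty alternation would match every URI, so refuse to emit one.
        if (n == 0) { print "no patterns found" > "/dev/stderr"; exit 1 }
        printf "uri      %s /(?:%s)/i\n", rule, alt
        printf "describe %s URI on local portmanteau blacklist (%d patterns)\n", rule, n
        printf "score    %s %s\n", rule, score
    }'
}

# Constructed sample source file, one pattern per line.
build_portmanteau LOCAL_URI_PORTMANTEAU 5.0 <<'EOF'
# gambling
casino-offers.example
pills.example/buy?id=1     # landing page
casino-offers.example
EOF
```

The three generated lines go into local.cf or another file in the site rules directory; running spamassassin --lint before restarting spamd catches a malformed rule.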



Re: Sample of a nasty one IMHO

Posted by Joseph Acquisto <jo...@j4computers.com>.
>>> On 11/10/2012 at 7:12 AM, Martin Gregorie <ma...@gregorie.org> wrote:
>>  After I posted, I went to put them on my local blacklist and saw that 
>> I had done this previously.   I wonder why it was not caught.   A
>> Cron job does sa-update twice a day, so it is unlikely not to have
>> been read.
>> 
> Don't forget that spamd is stopped and restarted during the daily
> update. Could the message's arrival coincide with this? 
> 
> Is your local blacklist also taken down while it is being updated and/or
> backed up?

Guess so, only using local.cf

> Mine isn't because I implement it with what I call a
> 'portmanteau rule', a single rule with several hundred alternative
> patterns. In this case the rule is looking for URI matches in message
> bodies because it was written to clean the message stream from a
> spam-laden mailing list: blacklists etc simply don't work in this
> situation because the headers relate to messages sent from the
> listserv.  

That's something I need to look at, I guess.

> 
> Martin

AFA the CANSPAM thing goes, we shall see.  I only found a link to a
rather generic FTC complaint form, which I filled out, without much
sense of fulfillment.

joe a.



Re: Sample of a nasty one IMHO

Posted by Martin Gregorie <ma...@gregorie.org>.
> After I posted, I went to put them on my local blacklist and saw that 
> I had done this previously.   I wonder why it was not caught.   A
> Cron job does sa-update twice a day, so it is unlikely not to have
> been read.
> 
Don't forget that spamd is stopped and restarted during the daily
update. Could the message's arrival coincide with this? 

Is your local blacklist also taken down while it is being updated and/or
backed up? Mine isn't because I implement it with what I call a
'portmanteau rule', a single rule with several hundred alternative
patterns. In this case the rule is looking for URI matches in message
bodies because it was written to clean the message stream from a
spam-laden mailing list: blacklists etc simply don't work in this
situation because the headers relate to messages sent from the
listserv.  


Martin



Re: Sample of a nasty one IMHO

Posted by Joseph Acquisto <jo...@j4computers.com>.
>>> On 11/10/2012 at 11:35 AM, John Hardin <jh...@impsec.org> wrote:
> On Sat, 10 Nov 2012, Joseph Acquisto wrote:
> 
>> Should it not have been caught, anyway, they being a known spammer?
> 
> A "known spammer" that has sent you similar messages in the past?
> 
> I wonder that this got BAYES_50. Are you training daily?
> 
> -- 
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/ 
>   jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org 
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>    Perfect Security and Absolute Safety are unattainable; beware
>    those who would try to sell them to you, regardless of the cost,
>    for they are trying to sell you your own slavery.
> -----------------------------------------------------------------------
>   Tomorrow: Veterans Day

Twice a day, actually, via cron jobs and a trivial script.

joe a.


Re: Sample of a nasty one IMHO

Posted by John Hardin <jh...@impsec.org>.
On Sat, 10 Nov 2012, Joseph Acquisto wrote:

> Should it not have been caught, anyway, they being a known spammer?

A "known spammer" that has sent you similar messages in the past?

I wonder that this got BAYES_50. Are you training daily?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Perfect Security and Absolute Safety are unattainable; beware
   those who would try to sell them to you, regardless of the cost,
   for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
  Tomorrow: Veterans Day

Re: Sample of a nasty one IMHO

Posted by Joseph Acquisto <jo...@j4computers.com>.
>>> On 11/9/2012 at 8:13 PM, Martin Gregorie <ma...@gregorie.org> wrote:
> On Fri, 2012-11-09 at 18:48 -0500, Joseph Acquisto wrote:
>> http://pastebin.com/H8NrruE1 
>> 
>> An outfit that apparently not only does not honor unsubscribe
>> requests, but may simply count hits.
>> 
> ...and harvest the e-mail addresses of those unwary enough to try
> unsubscribing. The latter is quite likely, seeing that it's a known
> spammer: it hits my private anti-gambling rules and it was already on my
> private blacklist.
> 
> =========
> BTW, I know that DMCA works (I've used it when stuff was lifted from my
> website without asking me or giving any attribution) but does the
> CANSPAM act have equivalent teeth? If so, I know one or two persistent
> US-based baby-goods spammers who ignore their 'unsubscribe' links. I'd
> quite like to set CANSPAM on them if it's likely to do any good.
>  
> 
> Martin

After I posted, I went to put them on my local blacklist and saw that 
I had done this previously.   I wonder why it was not caught.   A
Cron job does sa-update twice a day, so it is unlikely not to have
been read.

Should it not have been caught, anyway, they being a known spammer?
I have added the suggestion in another thread to post scores for all rules
hit, so I may get a clue, later on.   Maybe not, tho, I've hidden all the 
2x4's.

joe a.


Re: Sample of a nasty one IMHO

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2012-11-09 at 18:48 -0500, Joseph Acquisto wrote:
> http://pastebin.com/H8NrruE1
> 
> An outfit that apparently not only does not honor unsubscribe
> requests, but may simply count hits.
> 
...and harvest the e-mail addresses of those unwary enough to try
unsubscribing. The latter is quite likely, seeing that it's a known
spammer: it hits my private anti-gambling rules and it was already on my
private blacklist.

=========
BTW, I know that DMCA works (I've used it when stuff was lifted from my
website without asking me or giving any attribution) but does the
CANSPAM act have equivalent teeth? If so, I know one or two persistent
US-based baby-goods spammers who ignore their 'unsubscribe' links. I'd
quite like to set CANSPAM on them if it's likely to do any good.
 

Martin