Posted to users@spamassassin.apache.org by Reindl Harald <h....@thelounge.net> on 2014/10/04 22:15:58 UTC

bad local parts (thisisjusttestletter)

i recently found "thisisjusttestletter@random-domain" as sender as well 
as "thisisjusttestletter@random-of-our-domains" as RCPT in my logs and 
remember that crap for many years now

well, postfix access maps after switch away from commercial
appliances - are there other well known local-parts to add
to this list?




Re: bad local parts (thisisjusttestletter)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2014-10-05 at 02:43 +0200, Reindl Harald wrote:
> Am 05.10.2014 um 02:27 schrieb Karsten Bräckelmann:
> > On Sun, 2014-10-05 at 01:53 +0200, Reindl Harald wrote:
> >> Am 05.10.2014 um 01:41 schrieb Karsten Bräckelmann:
> >>> On Sat, 2014-10-04 at 22:15 +0200, Reindl Harald wrote:

> >>>> i recently found "thisisjusttestletter@random-domain" as sender as well
> >>>> as "thisisjusttestletter@random-of-our-domains" as RCPT in my logs and
> >>>> remember that crap for many years now
> >>>
> >>> Surely, SA would never see that message, since that's not an actual,
> >>> valid address at your domain. And you're not using catch-all, do you?
> >>>
> >>> (Yes, that question is somewhere between rhetoric and sarcastic.)
> >>
> >> but "thisisjusttestletter@random-domain" is a valid address in his
> >> domain until you prove the opposite with sender-verification and its
> >> drawbacks
> >
> > Correct. And it is unsafe to assume any given address local part could
> > not possibly be valid and used as sender address in ham.
> 
> most - any excludes that one honestly

I would agree, gladly. If only I would not have these pictures in my
head of an admin creating that as a deliverability testing address. Same
ball park as a Subject of "test". I almost can hear his accent...


> > If at all, such tests should be assigned a low-ish score, not used in
> > SMTP access map blacklisting. However, I seriously doubt it's actually
> > worthwhile to maintain such rules.
> 
> agreed - i only asked if there are known other local parts
> of that sort because i noticed that one at least 5 years
> ago as annoying

Annoying? That was before using SA and with using catch-all, right?

So it was annoying back then. Doesn't explain why you're chasing it
today. How many of them can you find in your logs? Even including its
variants (e.g. "atall" appended), I assume the total number to be really
low. And, frankly, exclusively existent in SMTP logs rejecting the
message.

Unless there still is catch-all in effect, that should have been axed
some 10 years ago.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: bad local parts (thisisjusttestletter)

Posted by Reindl Harald <h....@thelounge.net>.
Am 05.10.2014 um 02:27 schrieb Karsten Bräckelmann:
> On Sun, 2014-10-05 at 01:53 +0200, Reindl Harald wrote:
>> Am 05.10.2014 um 01:41 schrieb Karsten Bräckelmann:
>>> On Sat, 2014-10-04 at 22:15 +0200, Reindl Harald wrote:
>>>> i recently found "thisisjusttestletter@random-domain" as sender as well
>>>> as "thisisjusttestletter@random-of-our-domains" as RCPT in my logs and
>>>> remember that crap for many years now
>>>
>>> Surely, SA would never see that message, since that's not an actual,
>>> valid address at your domain. And you're not using catch-all, do you?
>>>
>>> (Yes, that question is somewhere between rhetoric and sarcastic.)
>>
>> but "thisisjusttestletter@random-domain" is a valid address in his
>> domain until you prove the opposite with sender-verification and its
>> drawbacks
>
> Correct. And it is unsafe to assume any given address local part could
> not possibly be valid and used as sender address in ham.

most - any excludes that one honestly

> If at all, such tests should be assigned a low-ish score, not used in
> SMTP access map blacklisting. However, I seriously doubt it's actually
> worthwhile to maintain such rules.

agreed - i only asked if there are known other local parts
of that sort because i noticed that one at least 5 years
ago as annoying


Re: bad local parts (thisisjusttestletter)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2014-10-05 at 01:53 +0200, Reindl Harald wrote:
> Am 05.10.2014 um 01:41 schrieb Karsten Bräckelmann:
> > On Sat, 2014-10-04 at 22:15 +0200, Reindl Harald wrote:

> > > i recently found "thisisjusttestletter@random-domain" as sender as well
> > > as "thisisjusttestletter@random-of-our-domains" as RCPT in my logs and
> > > remember that crap for many years now
> > 
> > Surely, SA would never see that message, since that's not an actual,
> > valid address at your domain. And you're not using catch-all, do you?
> >
> > (Yes, that question is somewhere between rhetoric and sarcastic.)
> 
> but "thisisjusttestletter@random-domain" is a valid address in his 
> domain until you prove the opposite with sender-verification and its
> drawbacks

Correct. And it is unsafe to assume any given address local part could
not possibly be valid and used as sender address in ham.

If at all, such tests should be assigned a low-ish score, not used in
SMTP access map blacklisting. However, I seriously doubt it's actually
worthwhile to maintain such rules.


> > > well, postfix access maps after switch away from commercial
> > > appliances - are there other well known local-parts to add
> > > to this list?
> > 
> > What would you need a blacklist of spammy address local parts for? Do
> > not accept messages to SMTP RCPT addresses that don't exist. Do not use
> > catch-all. Problem solved...
> 
> don't get me wrong but you missed the 'i recently found 
> "thisisjusttestletter@random-domain' as sender" at the start of my post

As sender, continued by "as well as [...] as RCPT" using the exact same
local part.

So you just found one such instance in your logs. And yes, I have seen
that very address local part, too, occasionally. Although only in SMTP
logs and AFAIR never ever in SMTP accepted spam, let alone FNs, because
just like your sample, they always sported a similarly invalid RCPT
address.

Did you ever see this in MAIL FROM with a *valid* RCPT TO address?

And did it end up scored low-ish? Below 15? Otherwise, it's just not
worth it.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
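
Added example, not part of any poster's message: one way to answer the two questions raised in the replies above ("How many of them can you find in your logs?" and "Did you ever see this in MAIL FROM with a *valid* RCPT TO address?"). It assumes Postfix syslog-style lines; the sample log, host names and queue IDs are constructed for illustration.

```python
import re
from collections import Counter

LOCAL_PART = "thisisjusttestletter"  # local part named in the thread

# Constructed sample lines in Postfix syslog style (not taken from real logs).
SAMPLE_LOG = """\
Oct  4 22:10:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <thisisjusttestletter@example.org>: Recipient address rejected: User unknown in local recipient table; from=<thisisjusttestletter@example.net> to=<thisisjusttestletter@example.org> proto=ESMTP helo=<a.example.net>
Oct  4 22:11:30 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <thisisjusttestletteratall@example.org>: Recipient address rejected: User unknown in local recipient table; from=<thisisjusttestletteratall@example.com> to=<thisisjusttestletteratall@example.org> proto=SMTP helo=<b.example.com>
Oct  4 22:12:44 mx postfix/qmgr[900]: 3F2A1C0042: from=<alice@example.net>, size=2210, nrcpt=1 (queue active)
Oct  4 22:12:45 mx postfix/local[2110]: 3F2A1C0042: to=<bob@example.org>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Oct  4 22:15:58 mx postfix/qmgr[900]: 7B9D0C0043: from=<thisisjusttestletter@example.com>, size=1804, nrcpt=1 (queue active)
Oct  4 22:15:59 mx postfix/local[2111]: 7B9D0C0043: to=<bob@example.org>, relay=local, delay=0.1, status=sent (delivered to mailbox)
"""

REJECT = re.compile(r"NOQUEUE: reject: RCPT from .*?; from=<([^>]*)> to=<([^>]*)>")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>")
DELIV = re.compile(r": ([0-9A-Za-z]+): to=<([^>]*)>,.*status=sent")

def is_hit(addr):
    """True if the local part starts with LOCAL_PART (covers the 'atall' variant)."""
    return addr.lower().split("@")[0].startswith(LOCAL_PART)

def tally(log_text):
    """Count hits rejected at RCPT versus hits delivered to a valid recipient."""
    counts = Counter()
    queued = set()  # queue IDs whose envelope sender matched
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            if is_hit(m.group(1)) or is_hit(m.group(2)):
                counts["rejected_at_rcpt"] += 1
            continue
        m = QMGR.search(line)
        if m and is_hit(m.group(2)):
            queued.add(m.group(1))
            continue
        m = DELIV.search(line)
        if m and m.group(1) in queued:
            counts["accepted_valid_rcpt"] += 1  # one per delivered recipient
    return counts

if __name__ == "__main__":
    print(dict(tally(SAMPLE_LOG)))
```

Only a non-zero "accepted_valid_rcpt" count means such mail ever reached content filtering; rejections at RCPT never get that far.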


Re: bad local parts (thisisjusttestletter)

Posted by Reindl Harald <h....@thelounge.net>.
Am 05.10.2014 um 01:41 schrieb Karsten Bräckelmann:
> On Sat, 2014-10-04 at 22:15 +0200, Reindl Harald wrote:
>> i recently found "thisisjusttestletter@random-domain" as sender as well
>> as "thisisjusttestletter@random-of-our-domains" as RCPT in my logs and
>> remember that crap for many years now
>
> Surely, SA would never see that message, since that's not an actual,
> valid address at your domain. And you're not using catch-all, do you?
>
> (Yes, that question is somewhere between rhetoric and sarcastic.)

but "thisisjusttestletter@random-domain" is a valid address in his 
domain until you prove the opposite with sender-verification and its
drawbacks

>> well, postfix access maps after switch away from commercial
>> appliances - are there other well known local-parts to add
>> to this list?
>
> What would you need a blacklist of spammy address local parts for? Do
> not accept messages to SMTP RCPT addresses that don't exist. Do not use
> catch-all. Problem solved...

don't get me wrong but you missed the 'i recently found 
"thisisjusttestletter@random-domain' as sender" at the start of my post


Re: bad local parts (thisisjusttestletter)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2014-10-04 at 22:15 +0200, Reindl Harald wrote:
> i recently found "thisisjusttestletter@random-domain" as sender as well 
> as "thisisjusttestletter@random-of-our-domains" as RCPT in my logs and 
> remember that crap for many years now

Surely, SA would never see that message, since that's not an actual,
valid address at your domain. And you're not using catch-all, do you?

(Yes, that question is somewhere between rhetoric and sarcastic.)

> well, postfix access maps after switch away from commercial
> appliances - are there other well known local-parts to add
> to this list?

What would you need a blacklist of spammy address local parts for? Do
not accept messages to SMTP RCPT addresses that don't exist. Do not use
catch-all. Problem solved...

Other than that, this is an OT postfix question.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}