Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2012/09/01 02:14:59 UTC

Anyone from ReturnPath want to deal with this

Hi list,

Would anyone from ReturnPath care to take a look at the following:

Received: from mail5.eventbrite.com (mail5.eventbrite.com [67.192.45.102])

which just spammed a contact@ address scraped off a website and has -5pts
awarded by ReturnPath:

RCVD_IN_RP_CERTIFIED=-3
RCVD_IN_RP_SAFE=-2

sent "from" miracle_murphy@hotmail.com

Compromised server/account maybe??

Happy to submit a fully unredacted sample off list. Not happy seeing 
spam sail through with -5pts from ReturnPath.

Thanks.


Re: Anyone from ReturnPath want to deal with this

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Tom,

Friday, October 12, 2012, 3:16:15 PM, you wrote:

TB> Still, it would be helpful if you sent a complaint and message details to our team.

Was done at the same time I posted here :)

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Anyone from ReturnPath want to deal with this

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Tom,

Wednesday, September 5, 2012, 3:39:04 PM, you wrote:

TB> Certified members should not be sending to scraped addresses as
TB> indicated.  Eventbrite allows folks to set up events and upload
TB> associated addresses.  Based on the reputation data we have for
TB> them (complaints, trap hits) across our network (some of that data
TB> summarized here
TB> https://www.senderscore.org/lookup.php?lookup=67.192.45.102), this
TB> does not appear to be a widespread problem - however we will of
TB> course reach out to them to investigate and ensure they identify
TB> the offending user and handle properly.

Eventbrite have just been used to spam us :(

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Anyone from ReturnPath want to deal with this

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Darxus,

Wednesday, September 12, 2012, 3:23:56 PM, you wrote:

dcc> What rules do not list the IP?

My home rolled ones :)

So if there is a guide as to what I should do to sort it that'd be
great

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Anyone from ReturnPath want to deal with this

Posted by Greg Troxel <gd...@ir.bbn.com>.
darxus@chaosreigns.com writes:

> On 09/08, Greg Troxel wrote:
>> Some rules seem to have the description include the IP address that
>> was looked up in the whitelist/blacklist.  Others don't, and it makes it
>> a bit hard to guess (since trusted/etc. processing is slightly tricky).
>> So I think it would be good if all dnsbl rules listed the IP address
>> that hit.
>
> I agree.  What rules do not list the IP?  I think this is something worth
> opening a bug for, if you can specify the rules.

It seems things have gotten a lot better since I first noticed this
issue.  I went looking in relatively recent spam (that scored <= 6), and
found the following rules that could benefit from better specifying what
they are complaining about.

	*  0.4 DNS_FROM_RFC_ABUSE DNS_FROM_RFC_ABUSE
	*  0.1 DNS_FROM_RFC_POST DNS_FROM_RFC_POST
	*  0.1 DNS_FROM_RFC_WHOIS DNS_FROM_RFC_WHOIS

	*  2.0 RCVD_IN_SSBL RCVD_IN_SSBL

	*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

	*  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
	*      http://www.chaosreigns.com/iprep/
        (the other IPREPDNS rules give the address)
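
The rule-hits listing above is the SpamAssassin verbose report format. As an added example (not code from Greg's message or from SpamAssassin), here is a small Python parser for that format that separates each hit's description from its bracketed detail lines and reports which hits never say what IP address or URI was looked up. The sample report reuses the lines quoted in this thread; the last two lines are a made-up DNSBL hit with a detail line in the `[ip listed in zone]` form, and that bracketed layout, the rule name `RCVD_IN_EXAMPLE_BL` and the test IP are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of a SpamAssassin verbose rule-hits listing. All lines
# except the last two are the ones quoted in this thread; the last two are a
# made-up DNSBL hit whose detail line follows an assumed "[ip listed in zone]"
# form (RFC 5737 documentation address, not a real listing).
SAMPLE_REPORT = """\
*  0.4 DNS_FROM_RFC_ABUSE DNS_FROM_RFC_ABUSE
*  0.1 DNS_FROM_RFC_POST DNS_FROM_RFC_POST
*  0.1 DNS_FROM_RFC_WHOIS DNS_FROM_RFC_WHOIS
*  2.0 RCVD_IN_SSBL RCVD_IN_SSBL
*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
*  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
*      http://www.chaosreigns.com/iprep/
*  2.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*      [URIs: example.net]
*  3.0 RCVD_IN_EXAMPLE_BL Relay listed in an example DNSBL (constructed)
*      [198.51.100.7 listed in bl.example.net]
"""

# "*  <score> <RULE> <description...>" opens a hit; "*      <text>" continues it.
HIT_RE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+(\S+)\s*(.*)$")
CONT_RE = re.compile(r"^\*\s{3,}(\S.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URIS_RE = re.compile(r"\[URIs?:\s*([^\]]+)\]")


@dataclass
class RuleHit:
    name: str
    score: float
    description: str
    details: List[str] = field(default_factory=list)  # bracketed "[...]" lines

    def listed_ip(self) -> Optional[str]:
        """IP address named in a detail line, if the rule reported one."""
        for detail in self.details:
            m = IPV4_RE.search(detail)
            if m:
                return m.group(0)
        return None

    def listed_uris(self) -> List[str]:
        """URIs named in a "[URIs: ...]" detail line, if any."""
        for detail in self.details:
            m = URIS_RE.search(detail)
            if m:
                return [u.strip() for u in m.group(1).split(",")]
        return []

    def names_subject(self) -> bool:
        """True when the hit says what was looked up (an IP or a URI)."""
        return self.listed_ip() is not None or bool(self.listed_uris())


def parse_hits(report: str) -> List[RuleHit]:
    hits: List[RuleHit] = []
    for raw in report.splitlines():
        line = raw.strip()  # tolerate the tab/space indent of quoted reports
        m = HIT_RE.match(line)
        if m:
            hits.append(RuleHit(m.group(2), float(m.group(1)), m.group(3).strip()))
            continue
        m = CONT_RE.match(line)
        if m and hits:
            text = m.group(1).strip()
            if text.startswith("["):
                hits[-1].details.append(text)       # lookup detail
            else:
                hits[-1].description += " " + text  # wrapped description
    return hits


def undescribed(hits: List[RuleHit]) -> List[str]:
    """Rules whose description is just the rule name repeated."""
    return [h.name for h in hits if h.description == h.name]


def missing_subject(hits: List[RuleHit]) -> List[str]:
    """Rules that hit without saying which IP or URI they matched."""
    return [h.name for h in hits if not h.names_subject()]


if __name__ == "__main__":
    parsed = parse_hits(SAMPLE_REPORT)
    for h in parsed:
        subject = h.listed_ip() or ", ".join(h.listed_uris()) or "-"
        print(f"{h.score:5.1f} {h.name:22} subject={subject}")
    print("no description:", undescribed(parsed))
    print("no IP/URI given:", missing_subject(parsed))
```

Run over a batch of false negatives, `missing_subject` gives the list Greg compiled by hand: the rules where the report leaves you guessing which relay or URL was actually looked up.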

Re: Anyone from ReturnPath want to deal with this

Posted by Axb <ax...@gmail.com>.
On 09/12/2012 05:54 PM, Martin Gregorie wrote:
> On Wed, 2012-09-12 at 10:23 -0400, darxus@chaosreigns.com wrote:
>> On 09/08, Greg Troxel wrote:
>>> Some rules seem to have the description include the IP address that
>>> was looked up in the whitelist/blacklist.  Others don't, and it makes it
>>> a bit hard to guess (since trusted/etc. processing is slightly tricky).
>>> So I think it would be good if all dnsbl rules listed the IP address
>>> that hit.
>>
>> I agree.  What rules do not list the IP?  I think this is something worth
>> opening a bug for, if you can specify the rules.
>>
> If it can be done simply, it would be useful to make this capability
> available to other classes of rules as well, e.g. uri scanners.

URI scanners include it already

like

*  2.5  URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*      [URIs: example.net]

(a real spamvertized URL was rejected :)






Re: Anyone from ReturnPath want to deal with this

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2012-09-12 at 10:23 -0400, darxus@chaosreigns.com wrote:
> On 09/08, Greg Troxel wrote:
> > Some rules seem to have the description include the IP address that
> > was looked up in the whitelist/blacklist.  Others don't, and it makes it
> > a bit hard to guess (since trusted/etc. processing is slightly tricky).
> > So I think it would be good if all dnsbl rules listed the IP address
> > that hit.
> 
> I agree.  What rules do not list the IP?  I think this is something worth
> opening a bug for, if you can specify the rules.
> 
If it can be done simply, it would be useful to make this capability
available to other classes of rules as well, e.g. uri scanners.


Martin



Re: Anyone from ReturnPath want to deal with this

Posted by da...@chaosreigns.com.
On 09/08, Greg Troxel wrote:
> Some rules seem to have the description include the IP address that
> was looked up in the whitelist/blacklist.  Others don't, and it makes it
> a bit hard to guess (since trusted/etc. processing is slightly tricky).
> So I think it would be good if all dnsbl rules listed the IP address
> that hit.

I agree.  What rules do not list the IP?  I think this is something worth
opening a bug for, if you can specify the rules.

-- 
"When you think of the long and gloomy history of man, you will find
more hideous crimes have been committed in the name of obedience than
have ever been committed in the name of rebellion." - C. P. Snow
http://www.ChaosReigns.com

Re: Anyone from ReturnPath want to deal with this

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 9/5/2012 5:19 PM, Axb wrote:
> On 09/05/2012 11:07 PM, Kevin A. McGrail wrote:
>
>> describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified
>> (trusted relay) - Questions/Concerns/Abuse? cert-sa@returnpath.net
>> describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay)
>> - Questions/Concerns/Abuse? safe-sa@returnpath.net
>> describe RCVD_IN_RP_RNBL       Relay in RNBL,
>> https://senderscore.org/blacklistlookup/
>
> and btw:
>
> Why don't THEY add the headers instead of having SA give away cycles 
> for something 99% don't ever use or see ?
I don't understand this question.  How would a third party DNS-based 
lookup add headers?

> Now if SA devs think this is absolutely necessary (I don't):
>
> Must those descriptions be so long?
I'm open to changes hence my three or so emails asking for recommended 
verbiage ;-)

> RCVD_IN_RP_CERTIFIED   Return Path Certified Sender - 
> Contact:cert-sa@returnpath.net
>
> RCVD_IN_RP_SAFE  Return Path Safe Sender - Contact:safe-sa@returnpath.net
>
> Would be less obtrusive and not break reports so badly
OK if you think that is enough information. Perhaps a landing page to an 
SA wiki and then use that to clarify things more like we did for DNSWL's?

Regards,
KAM
-- 
*Kevin A. McGrail*
President

Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
KMcGrail@PCCC.com <ma...@pccc.com>


RE: Anyone from ReturnPath want to deal with this

Posted by Tom Bartel <to...@returnpath.net>.

> -----Original Message-----
> From: Axb [mailto:axb.lists@gmail.com]
> Sent: Thursday, September 06, 2012 1:11 AM
> To: users@spamassassin.apache.org
> Subject: Re: Anyone from ReturnPath want to deal with this
> 
> On 09/05/2012 11:28 PM, Tom Bartel wrote:
> 
> > A tad shorter?
> >
> > RCVD_IN_RP_CERTIFIED   Return Path Certified - Contact:cert-
> sa@returnpath.net
> > RCVD_IN_RP_SAFE  Return Path Safe - Contact:safe-sa@returnpath.net
> 
> As per suggestions and KAM comments, committed:
> 
> describe RCVD_IN_RP_SAFE   Sender in ReturnPath Safe - Contact
> safe-sa@returnpath.net
> 
> describe RCVD_IN_RP_CERTIFIED   Sender in ReturnPath Certified -
> Contact
> cert-sa@returnpath.net
> 
> modified descriptions will show up with the next sa-update.
> 
> Axb

Great - we will get the aliases established right away.

I'll also begin working on the hardware request... ;)

Re: Anyone from ReturnPath want to deal with this

Posted by Axb <ax...@gmail.com>.
On 09/05/2012 11:28 PM, Tom Bartel wrote:

> A tad shorter?
>
> RCVD_IN_RP_CERTIFIED   Return Path Certified - Contact:cert-sa@returnpath.net
> RCVD_IN_RP_SAFE  Return Path Safe - Contact:safe-sa@returnpath.net

As per suggestions and KAM comments, committed:

describe RCVD_IN_RP_SAFE   Sender in ReturnPath Safe - Contact 
safe-sa@returnpath.net

describe RCVD_IN_RP_CERTIFIED   Sender in ReturnPath Certified - Contact 
cert-sa@returnpath.net

modified descriptions will show up with the next sa-update.

Axb


Re: Anyone from ReturnPath want to deal with this

Posted by Axb <ax...@gmail.com>.
On 09/05/2012 11:28 PM, Tom Bartel wrote:

> If that is truly easier than the rule description changes, etc...
> mentioned here, then we can certainly take a look at it.  We
> appreciate the consideration to make it easier for folks to contact
> us about our members.

To change the descriptions takes less than 5 min, but for once we may 
not want to give it away so easily.

...in exchange SA will gladly accept RP's donation of a 4*12 core CPU
Intel box, 128GB RAM and 4 * 250GB Intel SSD to replace its ancient Sun
masschecker box.
(exact specs will be delivered)

>  A tad shorter?
>
RCVD_IN_RP_CERTIFIED   Return Path Certified - 
Contact:cert-sa@returnpath.net

RCVD_IN_RP_SAFE  Return Path Safe - Contact:safe-sa@returnpath.net

Ya - makes sense (I can live with that)
KAM: no need for a Wiki entry.




RE: Anyone from ReturnPath want to deal with this

Posted by Tom Bartel <to...@returnpath.net>.

> -----Original Message-----
> From: Axb [mailto:axb.lists@gmail.com]
> Sent: Wednesday, September 05, 2012 3:20 PM
> To: users@spamassassin.apache.org
> Subject: Re: Anyone from ReturnPath want to deal with this
> 
> On 09/05/2012 11:07 PM, Kevin A. McGrail wrote:
> 
> > describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified
> > (trusted relay) - Questions/Concerns/Abuse? cert-sa@returnpath.net
> > describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted
> relay)
> > - Questions/Concerns/Abuse? safe-sa@returnpath.net
> > describe RCVD_IN_RP_RNBL       Relay in RNBL,
> > https://senderscore.org/blacklistlookup/
> 
> and btw:

Hi Axb

> 
> Why don't THEY add the headers instead of having SA give away cycles
> for something 99% don't ever use or see ?

By "THEY" do you mean us, Return Path or our Certified program member?

If by us, Return Path, I'd say we can't - we do not mechanically route the mail - we certify mailers' practices and monitor minute-to-minute with wide-scale reputation data (and pull from our list when they don't conform).

We could add a requirement that THEY - our Certified program members - add it - but it would take a while - and I suspect it would be one of those challenges in general, across the many varied sending systems and level of knowledge users have of their sending systems.  

If that is truly easier than the rule description changes, etc... mentioned here, then we can certainly take a look at it.  We appreciate the consideration to make it easier for folks to contact us about our members.

> 
> Now if SA devs think this is absolutely necessary (I don't):
> 
> Must those descriptions be so long?
> 
> RCVD_IN_RP_CERTIFIED   Return Path Certified Sender -
> Contact:cert-sa@returnpath.net
> 
> RCVD_IN_RP_SAFE  Return Path Safe Sender -  Contact:safe-
> sa@returnpath.net
> 
> Would be less obtrusive and not break reports so badly

A tad shorter?

RCVD_IN_RP_CERTIFIED   Return Path Certified - Contact:cert-sa@returnpath.net
RCVD_IN_RP_SAFE  Return Path Safe - Contact:safe-sa@returnpath.net

Thx,

Tom

Re: Anyone from ReturnPath want to deal with this

Posted by Axb <ax...@gmail.com>.
On 09/05/2012 11:07 PM, Kevin A. McGrail wrote:

> describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified
> (trusted relay) - Questions/Concerns/Abuse? cert-sa@returnpath.net
> describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay)
> - Questions/Concerns/Abuse? safe-sa@returnpath.net
> describe RCVD_IN_RP_RNBL       Relay in RNBL,
> https://senderscore.org/blacklistlookup/

and btw:

Why don't THEY add the headers instead of having SA give away cycles for 
something 99% don't ever use or see ?

Now if SA devs think this is absolutely necessary (I don't):

Must those descriptions be so long?

RCVD_IN_RP_CERTIFIED   Return Path Certified Sender - 
Contact:cert-sa@returnpath.net

RCVD_IN_RP_SAFE  Return Path Safe Sender -  Contact:safe-sa@returnpath.net

Would be less obtrusive and not break reports so badly

Axb

Re: Anyone from ReturnPath want to deal with this

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Greg,

Saturday, September 8, 2012, 4:16:31 PM, you wrote:

GT> Some rules seem to have the description include the IP address that
GT> was looked up in the whitelist/blacklist.  Others don't, and it makes it
GT> a bit hard to guess (since trusted/etc. processing is slightly tricky).
GT> So I think it would be good if all dnsbl rules listed the IP address
GT> that hit.

How does one go about doing that?

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Anyone from ReturnPath want to deal with this

Posted by Greg Troxel <gd...@ir.bbn.com>.
In addition to having a complaint address in every whitelist rule (seems
like it should be general policy), there's another change I'd like to
suggest: clarity of which IP address hit the rule.

Some rules seem to have the description include the IP address that
was looked up in the whitelist/blacklist.  Others don't, and it makes it
a bit hard to guess (since trusted/etc. processing is slightly tricky).
So I think it would be good if all dnsbl rules listed the IP address
that hit.
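
Greg's first point, a complaint address in every whitelist rule, can be checked mechanically against a rules file. As an added example (not from this thread and not part of SpamAssassin), the Python lint below reads `describe` and `score` directives, and lists every negative-scoring rule whose description carries neither an e-mail address nor a URL. The "before" rules file is constructed from the describe lines and the -3/-2 scores quoted in this thread, with a made-up positive RNBL score and a made-up `RCVD_IN_EXAMPLE_WL` rule; the "after" file applies the description change committed later in the thread. For four-value `score` lines the lint assumes score set 3 (Bayes and network tests both enabled) is the one in use.

```python
import re
from typing import Dict, List, Tuple

# Constructed rules file. The describe lines and the -3.0/-2.0 scores are the
# ones quoted in this thread; the RNBL score and the EXAMPLE_WL rule are made up.
RULES_BEFORE = """\
describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified (trusted relay)
score    RCVD_IN_RP_CERTIFIED   -3.0
describe RCVD_IN_RP_SAFE        Sender is in Return Path Safe (trusted relay)
score    RCVD_IN_RP_SAFE        -2.0
describe RCVD_IN_RP_RNBL        Relay in RNBL, https://senderscore.org/blacklistlookup/
score    RCVD_IN_RP_RNBL        1.0   # constructed positive score
describe RCVD_IN_EXAMPLE_WL     Sender in Example allowlist - Contact wl-sa@example.net
score    RCVD_IN_EXAMPLE_WL     0 -1.0 0 -1.0
"""

# The same file with the description change committed in this thread applied.
RULES_AFTER = RULES_BEFORE.replace(
    "Sender is in Return Path Certified (trusted relay)",
    "Sender in ReturnPath Certified - Contact cert-sa@returnpath.net",
).replace(
    "Sender is in Return Path Safe (trusted relay)",
    "Sender in ReturnPath Safe - Contact safe-sa@returnpath.net",
)

DESCRIBE_RE = re.compile(r"^describe\s+(\S+)\s+(.+?)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(.+?)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://\S+")


def strip_comment(line: str) -> str:
    """Drop a '#' comment (at line start or after whitespace) and outer space."""
    return re.sub(r"(^|\s)#.*$", "", line).strip()


def parse_rules(cf: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Map rule name -> description and rule name -> raw score value(s)."""
    describes: Dict[str, str] = {}
    scores: Dict[str, str] = {}
    for raw in cf.splitlines():
        line = strip_comment(raw)
        m = DESCRIBE_RE.match(line)
        if m:
            describes[m.group(1)] = m.group(2).strip()
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = m.group(2).strip()
    return describes, scores


def effective_score(values: str, score_set: int = 3) -> float:
    """One value applies as-is; with four values, pick the assumed score set
    (3 = Bayes and network tests both enabled)."""
    parts = values.split()
    if len(parts) == 1:
        return float(parts[0])
    if len(parts) == 4:
        return float(parts[score_set])
    raise ValueError(f"score needs 1 or 4 values, got {values!r}")


def has_contact(description: str) -> bool:
    """A description counts as having a contact if it names an address or URL."""
    return bool(EMAIL_RE.search(description) or URL_RE.search(description))


def whitelist_rules_without_contact(cf: str, score_set: int = 3) -> List[str]:
    """Negative-scoring rules whose description gives no e-mail or URL."""
    describes, scores = parse_rules(cf)
    return [
        name
        for name, values in scores.items()
        if effective_score(values, score_set) < 0
        and not has_contact(describes.get(name, ""))
    ]


if __name__ == "__main__":
    print("before:", whitelist_rules_without_contact(RULES_BEFORE))
    print("after: ", whitelist_rules_without_contact(RULES_AFTER))
```

The lint flags exactly the two RP rules Ned's false negative hit, and passes once the committed `Contact` text is in place; a rule that scores negative in only one score set is still caught if that set is the one selected.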

Re: Anyone from ReturnPath want to deal with this

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
> John, I think your straightforward proposal looks good.  These would work:
>
>      X-Spam-Contact:   RCVD_IN_RP_CERTIFIED cert-sa@returnpath.net
>      X-Spam-Contact:   RCVD_IN_RP_SAFE safe-sa@returnpath.net
>
> I can have these set up for our ticket system well in advance of any change.
>
> Is this a code change or what would be the process, level-of-effort, timing to do so?
Yes, this is a code-level change so this is a bit of a farther reaching 
solution.

What I'm looking for is verbiage to add to existing rules for those who 
do have Ham reporting enabled.

I think that is achieved with these edits for the first-two rules:

describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified 
(trusted relay) - Questions/Concerns/Abuse? cert-sa@returnpath.net
describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay) 
- Questions/Concerns/Abuse? safe-sa@returnpath.net
describe RCVD_IN_RP_RNBL       Relay in RNBL, 
https://senderscore.org/blacklistlookup/

regards,
KAM

RE: Anyone from ReturnPath want to deal with this

Posted by John Hardin <jh...@impsec.org>.
On Wed, 5 Sep 2012, Tom Bartel wrote:

>> Yeah, so the utility of this might be limited. I suggested it because
>> it's something that can be done without any code changes that will
>> benefit at least some users.
>>
>> There are lots of more-involved possibilities that we could explore
>> that involve code changes, for example perhaps a per-rule "contact"
>> value, and if a rule having a contact value hits, a header like this
>> could be
>> generated:
>>
>>    X-Spam-Contact:   RCVD_IN_RP_CERTIFIED cert-sa@returnpath.net
>>
>>> Can you recommend some exact verbiage on specific describe statements? 
>>> Do we want a unique address as RP suggests?
>>
>> Me? No, those details would be up to RP. Tom?
>
> John, I think your straightforward proposal looks good.  These would work:
>
>    X-Spam-Contact:   RCVD_IN_RP_CERTIFIED cert-sa@returnpath.net
>    X-Spam-Contact:   RCVD_IN_RP_SAFE safe-sa@returnpath.net
>
> I can have these set up for our ticket system well in advance of any change.
>
> Is this a code change or what would be the process, level-of-effort, timing to do so?

Adding contact email addresses to the rule descriptions is immediate 
(well, as of the next rule update that's generated) and requires no code 
changes.

I'll mention the X-Spam-Contact header idea on the devs list and see 
whether there's interest.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws aren't enacted to control guns, they are enacted
   to control people: catholics (1500s), japanese peasants (1600s),
   blacks (1860s), italian immigrants (1911), the irish (1920s),
   jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
  12 days until the 225th anniversary of the signing of the U.S. Constitution

RE: Anyone from ReturnPath want to deal with this

Posted by Tom Bartel <to...@returnpath.net>.

> -----Original Message-----
> From: John Hardin [mailto:jhardin@impsec.org]
> Sent: Wednesday, September 05, 2012 1:59 PM
> To: Kevin A. McGrail
> Cc: users@spamassassin.apache.org
> Subject: Re: Anyone from ReturnPath want to deal with this
> 
> On Wed, 5 Sep 2012, Kevin A. McGrail wrote:
> 
> > On 9/5/2012 2:02 PM, John Hardin wrote:
> >>  On Wed, 5 Sep 2012, Kevin A. McGrail wrote:
> >>
> >> >  On 9/5/2012 12:16 PM, Tom Bartel wrote:
> >> > >
> >> > > >   From: John Hardin [mailto:jhardin@impsec.org]
> >> > > > >   On Wed, 5 Sep 2012, Tom Bartel wrote:
> >> > > > > >  Much appreciated Ned, thank you.  Again, sorry for
> delayed
> >> > > > > > response. Any suggestions at any time, we're all ears.
> >> > > > >
> >> > > > >  ...put the RP contact address into the RP rule description?
> >> > > > >  Granted this won't help much if the brief rule hits report
> >> > > > > format is used for ham.
> >> > >
> >> > >  If something like that is feasible, we could provide a unique
> >> > > address - e.g. cert-sa@returnpath.net
> >> >
> >> >  To be clear, are we talking about adding something to these
> >> > description(s)?
> >> >
> >> >  describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path
> Certified
> >> >  (trusted  relay)
> >> >  describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted
> relay)
> >> >  describe RCVD_IN_RP_RNBL       Relay in RNBL,
> >> >  https://senderscore.org/blacklistlookup/
> >>
> >>  That's what I had in mind, yes. If the verbose hits format is
> >> enabled for  ham, then you can look at the headers in a FN and see
> >> where to report it  to RP.
> >
> > OK, it's better than nothing though I don't know the percentage of
> > people with Ham reporting is very high.
> 
> Yeah, so the utility of this might be limited. I suggested it because
> it's something that can be done without any code changes that will
> benefit at least some users.
> 
> There are lots of more-involved possibilities that we could explore
> that involve code changes, for example perhaps a per-rule "contact"
> value, and if a rule having a contact value hits, a header like this
> could be
> generated:
> 
>    X-Spam-Contact:   RCVD_IN_RP_CERTIFIED cert-sa@returnpath.net
> 
> > Can you recommend some exact verbiage on specific describe
> statements?
> > Do we want a unique address as RP suggests?
> 
> Me? No, those details would be up to RP. Tom?


John, I think your straightforward proposal looks good.  These would work:

    X-Spam-Contact:   RCVD_IN_RP_CERTIFIED cert-sa@returnpath.net
    X-Spam-Contact:   RCVD_IN_RP_SAFE safe-sa@returnpath.net 

I can have these set up for our ticket system well in advance of any change.

Is this a code change or what would be the process, level-of-effort, timing to do so?

Re: Anyone from ReturnPath want to deal with this

Posted by John Hardin <jh...@impsec.org>.
On Wed, 5 Sep 2012, Kevin A. McGrail wrote:

> On 9/5/2012 2:02 PM, John Hardin wrote:
>>  On Wed, 5 Sep 2012, Kevin A. McGrail wrote:
>> 
>> >  On 9/5/2012 12:16 PM, Tom Bartel wrote:
>> > > 
>> > > >   From: John Hardin [mailto:jhardin@impsec.org]
>> > > > >   On Wed, 5 Sep 2012, Tom Bartel wrote:
>> > > > > >  Much appreciated Ned, thank you.  Again, sorry for delayed 
>> > > > > >  response. Any suggestions at any time, we're all ears.
>> > > > >
>> > > > >  ...put the RP contact address into the RP rule description? 
>> > > > >  Granted this won't help much if the brief rule hits report 
>> > > > >  format is used for ham.
>> > > 
>> > >  If something like that is feasible, we could provide a unique 
>> > >  address - e.g. cert-sa@returnpath.net
>> > 
>> >  To be clear, are we talking about adding something to these 
>> >  description(s)?
>> > 
>> >  describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified 
>> >  (trusted  relay)
>> >  describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay)
>> >  describe RCVD_IN_RP_RNBL       Relay in RNBL, 
>> >  https://senderscore.org/blacklistlookup/
>>
>>  That's what I had in mind, yes. If the verbose hits format is enabled for
>>  ham, then you can look at the headers in a FN and see where to report it
>>  to RP.
> 
> OK, it's better than nothing though I don't know the percentage of people 
> with Ham reporting is very high.

Yeah, so the utility of this might be limited. I suggested it because it's 
something that can be done without any code changes that will benefit at 
least some users.

There are lots of more-involved possibilities that we could explore that 
involve code changes, for example perhaps a per-rule "contact" value, and 
if a rule having a contact value hits, a header like this could be 
generated:

   X-Spam-Contact:   RCVD_IN_RP_CERTIFIED cert-sa@returnpath.net

> Can you recommend some exact verbiage on specific describe statements? 
> Do we want a unique address as RP suggests?

Me? No, those details would be up to RP. Tom?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Phobias should not be the basis for laws.
-----------------------------------------------------------------------
  12 days until the 225th anniversary of the signing of the U.S. Constitution
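
John's per-rule "contact" idea, prototyped outside SpamAssassin as an added example (this is not an SA feature and not code from the thread): a Python function that reads the rule names from the `tests=` field of an `X-Spam-Status` header, looks each one up in a hypothetical rule-to-contact table, and returns the `X-Spam-Contact:` lines he sketched. The message head is constructed, with the header folded across lines the way a long `tests=` list is; the rule names and the two contact addresses are the ones from this thread.

```python
import re
from typing import Dict, List

# Constructed message head. The X-Spam-Status header is folded across three
# lines as a long tests= list comes out; rule names and contact addresses are
# the ones from this thread, the score, version and Subject are made up.
SAMPLE_HEAD = """\
X-Spam-Flag: NO
X-Spam-Status: No, score=-4.2 required=5.0 tests=HTML_MESSAGE,
\tRCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE autolearn=ham
\tversion=3.3.2
Subject: constructed sample
"""

# Hypothetical per-rule "contact" table: the value John suggests attaching to
# a rule. Rules with no entry produce no header.
RULE_CONTACTS: Dict[str, str] = {
    "RCVD_IN_RP_CERTIFIED": "cert-sa@returnpath.net",
    "RCVD_IN_RP_SAFE": "safe-sa@returnpath.net",
}

TESTS_RE = re.compile(r"\btests=([A-Za-z0-9_,]+)")


def unfold_headers(head: str) -> Dict[str, str]:
    """Join folded continuation lines (leading SP/HTAB) onto their header.
    Later duplicates of a header name overwrite earlier ones (fine here)."""
    headers: Dict[str, str] = {}
    current = None
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            headers[current] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip()
            headers[current] = value.strip()
    return headers


def hit_rules(status_value: str) -> List[str]:
    """Rule names from the tests= field of an X-Spam-Status value."""
    # Unfolding leaves whitespace after a comma where the list was split;
    # remove it so the whole list is one token again before matching.
    compact = re.sub(r",\s+", ",", status_value)
    m = TESTS_RE.search(compact)
    if not m:
        return []
    return [t for t in m.group(1).split(",") if t]


def contact_headers(head: str, contacts: Dict[str, str] = RULE_CONTACTS) -> List[str]:
    """X-Spam-Contact lines for every hit rule that has a contact on file."""
    status = unfold_headers(head).get("X-Spam-Status", "")
    return [
        f"X-Spam-Contact: {rule} {contacts[rule]}"
        for rule in hit_rules(status)
        if rule in contacts
    ]


if __name__ == "__main__":
    for line in contact_headers(SAMPLE_HEAD):
        print(line)
```

Because it works only from the `X-Spam-Status` header, the same logic can run in a milter or delivery-time filter after SA has stamped the message, without waiting for a code change in SA itself; the contact table would be maintained next to the rules it describes.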

Re: Anyone from ReturnPath want to deal with this

Posted by Matthias Leisi <ma...@leisi.net>.
On Wed, Sep 5, 2012 at 8:58 PM, Kevin A. McGrail <KM...@pccc.com> wrote:

> OK, it's better than nothing though I don't know the percentage of people
> with Ham reporting is very high.  Can you recommend some exact verbiage on

From experience with the dnswl.org request queue, I can tell you that
the number of requests out of SA's ham report header is not huge, but
noticeable - we get between 2 and 4 such requests per day (and that's
with people first having to go to the website, finding the request
form or the email address, ...), and that's the single biggest
category of requests besides actual listing requests.

-- Matthias

Re: Anyone from ReturnPath want to deal with this

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 9/5/2012 2:02 PM, John Hardin wrote:
> On Wed, 5 Sep 2012, Kevin A. McGrail wrote:
>
>> On 9/5/2012 12:16 PM, Tom Bartel wrote:
>>>
>>> >  From: John Hardin [mailto:jhardin@impsec.org]
>>> > >  On Wed, 5 Sep 2012, Tom Bartel wrote:
>>> > > >  Much appreciated Ned, thank you.  Again, sorry for delayed 
>>> response.
>>> > >  Any suggestions at any time, we're all ears.
>>> > >  ...put the RP contact address into the RP rule description? 
>>> Granted
>>> >  this won't help much if the brief rule hits report format is used 
>>> for
>>> >  ham.
>>>
>>>  If something like that is feasible, we could provide a unique 
>>> address -
>>>  e.g. cert-sa@returnpath.net
>>
>> To be clear, are we talking about adding something to these 
>> description(s)?
>>
>> describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified 
>> (trusted  relay)
>> describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay)
>> describe RCVD_IN_RP_RNBL       Relay in RNBL, 
>> https://senderscore.org/blacklistlookup/
>
> That's what I had in mind, yes. If the verbose hits format is enabled 
> for ham, then you can look at the headers in a FN and see where to 
> report it to RP.
>
OK, it's better than nothing though I don't know the percentage of 
people with Ham reporting is very high.  Can you recommend some exact 
verbiage on specific describe statements?  Do we want a unique address 
as RP suggests?

Regards,
KAM

Re: Anyone from ReturnPath want to deal with this

Posted by John Hardin <jh...@impsec.org>.
On Wed, 5 Sep 2012, Kevin A. McGrail wrote:

> On 9/5/2012 12:16 PM, Tom Bartel wrote:
>> 
>> >  From: John Hardin [mailto:jhardin@impsec.org]
>> > 
>> >  On Wed, 5 Sep 2012, Tom Bartel wrote:
>> > 
>> > >  Much appreciated Ned, thank you.  Again, sorry for delayed response.
>> > >  Any suggestions at any time, we're all ears.
>> > 
>> >  ...put the RP contact address into the RP rule description? Granted
>> >  this won't help much if the brief rule hits report format is used for
>> >  ham.
>>
>>  If something like that is feasible, we could provide a unique address -
>>  e.g. cert-sa@returnpath.net
>
> To be clear, are we talking about adding something to these description(s)?
>
> describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified (trusted  relay)
> describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay)
> describe RCVD_IN_RP_RNBL       Relay in RNBL, https://senderscore.org/blacklistlookup/

That's what I had in mind, yes. If the verbose hits format is enabled for 
ham, then you can look at the headers in a FN and see where to report it 
to RP.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
  12 days until the 225th anniversary of the signing of the U.S. Constitution

Re: Anyone from ReturnPath want to deal with this

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 9/5/2012 12:16 PM, Tom Bartel wrote:
>
>> -----Original Message-----
>> From: John Hardin [mailto:jhardin@impsec.org]
>> Sent: Wednesday, September 05, 2012 10:13 AM
>> To: users@spamassassin.apache.org
>> Subject: RE: Anyone from ReturnPath want to deal with this
>>
>> On Wed, 5 Sep 2012, Tom Bartel wrote:
>>
>>> Much appreciated Ned, thank you.  Again, sorry for delayed response.
>> Any suggestions at any time, we're all ears.
>>
>> ...put the RP contact address into the RP rule description? Granted
>> this won't help much if the brief rule hits report format is used for
>> ham.
> If something like that is feasible, we could provide a unique address - e.g. cert-sa@returnpath.net

To be clear, are we talking about adding something to these description(s)?

describe RCVD_IN_RP_CERTIFIED   Sender is in Return Path Certified 
(trusted relay)
describe RCVD_IN_RP_SAFE   Sender is in Return Path Safe (trusted relay)
describe RCVD_IN_RP_RNBL       Relay in RNBL, 
https://senderscore.org/blacklistlookup/

In general, adding an email address sounds like an ok idea since we 
already have URLs.  Why don't you suggest verbiage and I can wordsmith 
things to see if we can commit.

regards,
KAM

RE: Anyone from ReturnPath want to deal with this

Posted by Tom Bartel <to...@returnpath.net>.

> -----Original Message-----
> From: John Hardin [mailto:jhardin@impsec.org]
> Sent: Wednesday, September 05, 2012 10:13 AM
> To: users@spamassassin.apache.org
> Subject: RE: Anyone from ReturnPath want to deal with this
> 
> On Wed, 5 Sep 2012, Tom Bartel wrote:
> 
> > Much appreciated Ned, thank you.  Again, sorry for delayed response.
> Any suggestions at any time, we're all ears.
> 
> ...put the RP contact address into the RP rule description? Granted
> this won't help much if the brief rule hits report format is used for
> ham.

If something like that is feasible, we could provide a unique address - e.g. cert-sa@returnpath.net 

RE: Anyone from ReturnPath want to deal with this

Posted by John Hardin <jh...@impsec.org>.
On Wed, 5 Sep 2012, Tom Bartel wrote:

> Much appreciated Ned, thank you.  Again, sorry for delayed response.  Any suggestions at any time, we're all ears.

...put the RP contact address into the RP rule description? Granted this 
won't help much if the brief rule hits report format is used for ham.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Any time law enforcement becomes a revenue center, the system
   becomes corrupt.
-----------------------------------------------------------------------
  12 days until the 225th anniversary of the signing of the U.S. Constitution

RE: Anyone from ReturnPath want to deal with this

Posted by Tom Bartel <to...@returnpath.net>.
> >
> 
> Many thanks Tom - I'll also reply off list with a copy of the spam for
> you and your colleagues to follow up on.
> 
> Regards,
> 
> Ned

Much appreciated Ned, thank you.  Again, sorry for delayed response.  Any suggestions at any time, we're all ears.

Tom

Re: Anyone from ReturnPath want to deal with this

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 05/09/12 15:39, Tom Bartel wrote:
>
>
>> -----Original Message-----
>> From: Ned Slider [mailto:ned@unixmail.co.uk]
>> Sent: Wednesday, September 05, 2012 8:11 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: Anyone from ReturnPath want to deal with this
>>
>> On 01/09/12 01:14, Ned Slider wrote:
>>> Hi list,
>>>
>>> Would anyone from ReturnPath care to take a look at the following:
>>>
>>> Received: from mail5.eventbrite.com (mail5.eventbrite.com
>>> [67.192.45.102])
>>>
>>> which just spammed a contact@ address scraped off website and has
>>> -5pts awarded by ReturnPath:
>>>
>>> RCVD_IN_RP_CERTIFIED=-3
>>> RCVD_IN_RP_SAFE=-2
>>>
>>> sent "from" miracle_murphy@hotmail.com
>>>
>>> Compromised server/account maybe??
>>>
>>> Happy to submit a fully unredacted sample off list. Not happy seeing
>>> spam sail through with -5pts from ReturnPath.
>>>
>>> Thanks.
>>>
>>>
>>
>> Bump...
>>
>> No one here from ReturnPath?
>>
>> I'm surprised ReturnPath is able to "certify" and declare "safe" IPs
>> from a netblock that doesn't even list an abuse contact.
>>
>> How is one supposed to report and follow up on blatant abuse?
>
> Hi Ned - I apologize for my delayed response - I saw this yesterday - but had to get subscribed and then figure out how to reply to a message that I could only see in the archive.
>
> I've copied in Margot Romary who heads up our Compliance and Security - she and her team handle these issues.
>
> I've also copied in Kelly Molloy who works in our ISP services group as she is typically on the lookout for issues like this so we don't miss them.
>
> In terms of abuse contact, I'm seeing information in the Network Whois record for this IP and block, though maybe I'm looking in the wrong place:
>
> http://centralops.net/co/DomainDossier.aspx?addr=67.192.45.102&dom_whois=true&dom_dns=true&net_whois=true
>
> Return Path does operate both abuse@returnpath.net and postmaster@returnpath.net.  Any issue with a Certification member will get to our team.  Our Support site http://returnpath.net/support/ specifically lists certification@returnpath.net as the destination for any issues such as this.
>
> Certified members should not be sending to scraped addresses as indicated.  Eventbrite allows folks to setup events and upload associated addresses.  Based on the reputation data we have for them (complaints, trap hits) across our network (some of that data summarized here https://www.senderscore.org/lookup.php?lookup=67.192.45.102), this does not appear to be a widespread problem - however we will of course reach out to them to investigate and ensure they identify the offending user and handle properly.
>
> Best,
>
> Tom
>
>
>
>

Many thanks Tom - I'll also reply off list with a copy of the spam for 
you and your colleagues to follow up on.

Regards,

Ned


RE: Anyone from ReturnPath want to deal with this

Posted by Tom Bartel <to...@returnpath.net>.

> -----Original Message-----
> From: Ned Slider [mailto:ned@unixmail.co.uk]
> Sent: Wednesday, September 05, 2012 8:11 AM
> To: users@spamassassin.apache.org
> Subject: Re: Anyone from ReturnPath want to deal with this
> 
> On 01/09/12 01:14, Ned Slider wrote:
> > Hi list,
> >
> > Would anyone from ReturnPath care to take a look at the following:
> >
> > Received: from mail5.eventbrite.com (mail5.eventbrite.com
> > [67.192.45.102])
> >
> > which just spammed a contact@ address scraped off website and has
> > -5pts awarded by ReturnPath:
> >
> > RCVD_IN_RP_CERTIFIED=-3
> > RCVD_IN_RP_SAFE=-2
> >
> > sent "from" miracle_murphy@hotmail.com
> >
> > Compromised server/account maybe??
> >
> > Happy to submit a fully unredacted sample off list. Not happy seeing
> > spam sail through with -5pts from ReturnPath.
> >
> > Thanks.
> >
> >
> 
> Bump...
> 
> No one here from ReturnPath?
> 
> I'm surprised ReturnPath is able to "certify" and declare "safe" IPs
> from a netblock that doesn't even list an abuse contact.
> 
> How is one supposed to report and follow up on blatant abuse?

Hi Ned - I apologize for my delayed response - I saw this yesterday - but had to get subscribed and then figure out how to reply to a message that I could only see in the archive.  

I've copied in Margot Romary who heads up our Compliance and Security - she and her team handle these issues.

I've also copied in Kelly Molloy who works in our ISP services group as she is typically on the lookout for issues like this so we don't miss them.

In terms of abuse contact, I'm seeing information in the Network Whois record for this IP and block, though maybe I'm looking in the wrong place:

http://centralops.net/co/DomainDossier.aspx?addr=67.192.45.102&dom_whois=true&dom_dns=true&net_whois=true

Return Path does operate both abuse@returnpath.net and postmaster@returnpath.net.  Any issue with a Certification member will get to our team.  Our Support site http://returnpath.net/support/ specifically lists certification@returnpath.net as the destination for any issues such as this.

Certified members should not be sending to scraped addresses as indicated.  Eventbrite allows folks to setup events and upload associated addresses.  Based on the reputation data we have for them (complaints, trap hits) across our network (some of that data summarized here https://www.senderscore.org/lookup.php?lookup=67.192.45.102), this does not appear to be a widespread problem - however we will of course reach out to them to investigate and ensure they identify the offending user and handle properly.

Best,

Tom




Re: Anyone from ReturnPath want to deal with this

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 01/09/12 01:14, Ned Slider wrote:
> Hi list,
>
> Would anyone from ReturnPath care to take a look at the following:
>
> Received: from mail5.eventbrite.com (mail5.eventbrite.com [67.192.45.102])
>
> which just spammed a contact@ address scraped off website and has -5pts
> awarded by ReturnPath:
>
> RCVD_IN_RP_CERTIFIED=-3
> RCVD_IN_RP_SAFE=-2
>
> sent "from" miracle_murphy@hotmail.com
>
> Compromised server/account maybe??
>
> Happy to submit a fully unredacted sample off list. Not happy seeing
> spam sail through with -5pts from ReturnPath.
>
> Thanks.
>
>

Bump...

No one here from ReturnPath?

I'm surprised ReturnPath is able to "certify" and declare "safe" IPs 
from a netblock that doesn't even list an abuse contact.

How is one supposed to report and follow up on blatant abuse?
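The complaint above is that the two Return Path rules alone took 5 points off a message that was otherwise spam. One way to measure how often that bonus is what decides the verdict on your own mail flow, as an added example (not from this thread or from SpamAssassin itself), assuming the X-Spam-Status headers were generated with per-rule scores (`_TESTSSCORES(,)_` in the `add_header` template) and have been unfolded onto one line:

```python
"""Audit X-Spam-Status headers for messages that passed only because the
Return Path whitelist rules (RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE) fired.
Added example; the header format assumed is SpamAssassin's default Status
header with per-rule scores (tests=RULE=score,...), one line per message."""
import re

RP_RULES = {"RCVD_IN_RP_CERTIFIED", "RCVD_IN_RP_SAFE"}

# Constructed sample headers. The first mirrors the thread: -3 and -2 from
# Return Path on a message that otherwise scores above the 5.0 threshold.
# The second is a clean message that would pass with or without the bonus.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_99=3.5,"
    "URIBL_BLACK=1.7,HTML_MESSAGE=0.001,RCVD_IN_RP_CERTIFIED=-3,"
    "RCVD_IN_RP_SAFE=-2 autolearn=no",
    "X-Spam-Status: No, score=-5.0 required=5.0 tests=RCVD_IN_RP_CERTIFIED=-3,"
    "RCVD_IN_RP_SAFE=-2,HTML_MESSAGE=0.001 autolearn=ham",
]

HEADER_RE = re.compile(
    r"required=(?P<req>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S+)")
TEST_RE = re.compile(r"^(?P<name>[A-Z0-9_]+)=(?P<score>-?\d+(?:\.\d+)?)$")


def parse_status(header):
    """Return (required_threshold, {rule_name: score}) from one header."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("not a scored X-Spam-Status header: %r" % header)
    rules = {}
    for item in m.group("tests").split(","):
        t = TEST_RE.match(item)
        if t:  # skip entries without a score (header generated without scores)
            rules[t.group("name")] = float(t.group("score"))
    return float(m.group("req")), rules


def rescued_by_rp(header, rp_rules=RP_RULES):
    """True if the message is under threshold only because rp_rules fired."""
    required, rules = parse_status(header)
    with_rp = sum(rules.values())
    without_rp = sum(s for r, s in rules.items() if r not in rp_rules)
    return with_rp < required <= without_rp


def audit(headers):
    """Return [(index, score_with_rp, score_without_rp)] for rescued messages."""
    hits = []
    for i, h in enumerate(headers):
        if rescued_by_rp(h):
            _, rules = parse_status(h)
            total = sum(rules.values())
            bonus = sum(rules.get(r, 0.0) for r in RP_RULES)
            hits.append((i, round(total, 3), round(total - bonus, 3)))
    return hits


if __name__ == "__main__":
    for idx, with_rp, without_rp in audit(SAMPLE_HEADERS):
        print("message %d: %.3f with RP bonus, %.3f without" % (idx, with_rp, without_rp))
```

Run it over the X-Spam-Status lines pulled from a spool or log; a high hit rate is the evidence to attach when reporting a certified sender, or the justification for lowering those two scores locally.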


Re: Anyone from ReturnPath want to deal with this

Posted by "corpus.defero" <co...@idnet.com>.
On Sat, 2012-09-01 at 01:14 +0100, Ned Slider wrote:
> Hi list,
> 
> Would anyone from ReturnPath care to take a look at the following:
> 
> Received: from mail5.eventbrite.com (mail5.eventbrite.com [67.192.45.102])
> 
> which just spammed a contact@ address scraped off website and has -5pts 
> awarded by ReturnPath:
> 
> RCVD_IN_RP_CERTIFIED=-3
> RCVD_IN_RP_SAFE=-2
> 
> sent "from" miracle_murphy@hotmail.com
> 
> Compromised server/account maybe??
Nope, just the usual $$$ Return Path $$$ quality customer base :-)