Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2018/02/18 20:06:10 UTC
Blacklist for reply-to?
Is there a blacklist for domains in the reply-to header?
I've noticed a lot of spam with no URL and mutating From but the reply-to
domain is always aliyun dot com. I want to add a site-wide blacklist for
that.
Re: Blacklist for reply-to?
Posted by Daniele Duca <du...@staff.spin.it>.
On 18/02/2018 21:06, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.
If you are willing to write a little SA plugin and possibly maintain your
own dnsbl you can use something like this:
    package Mail::SpamAssassin::Plugin::ReplyToDomain;  # plugin name is hypothetical
    use strict;
    use warnings;
    use Mail::SpamAssassin::Plugin;
    use Email::Address;
    use Domain::PublicSuffix;
    use Data::Validate::Domain qw(is_domain);
    our @ISA = qw(Mail::SpamAssassin::Plugin);
    sub new {
        my ($class, $mailsa) = @_;
        my $self = $class->SUPER::new($mailsa);
        # usable from local.cf as: header REPLYTO_DNSBL eval:check_email_headers()
        $self->register_eval_rule('check_email_headers');
        return $self;
    }
    sub check_email_headers {
        my ($self, $msg) = @_;   # $msg is the per-message status object
        my %headers;
        if (defined($msg->get('Reply-To:addr'))) {
            $headers{"Reply-To"} = $msg->get('Reply-To:addr');
        }
        foreach my $header (keys %headers) {
            my @addresses = Email::Address->parse($headers{$header});
            for my $address (@addresses) {
                if (is_domain($address->host)) {
                    my $parser = Domain::PublicSuffix->new();
                    # the domain is in $parser->get_root_domain($address->host); you
                    # can now look it up on your own dnsbl, Spamhaus DBL etc..
                }
            }
        }
        return 0;
    }
    1;
I personally also check the domain in the body From, useful for example
to catch legit abused accounts that have the return-path set as the
abused account but the body From set differently.
Also, the "image editing" spam is almost all caught by the MSBL
(https://msbl.org/) , take a look at that bl and their plugin for more
inspiration
Daniele Duca
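The same check as the plugin sketched above, written as an added Python example (not Daniele's code and not part of SpamAssassin) run over a constructed message; the REPLYTO_BLACKLIST set stands in for a DNSBL query, the TWO_LABEL_SUFFIXES table stands in for Domain::PublicSuffix, and it also flags the pattern from the thread where the From domain rotates while the Reply-To domain stays fixed:

```python
import email
from email.utils import getaddresses

# Constructed stand-in for a DNSBL answer: registrable domains we reject.
# example.net is a documentation domain, not a real listing.
REPLYTO_BLACKLIST = {"example.net"}

# Tiny public-suffix table; a real deployment would load the full PSL.
TWO_LABEL_SUFFIXES = {"co.jp", "ne.jp", "co.uk"}


def registrable_domain(host):
    """Return the registrable ('root') domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def header_domains(msg, name):
    """Registrable domains of every address found in header `name`."""
    values = msg.get_all(name, [])
    return {registrable_domain(addr.rsplit("@", 1)[1])
            for _, addr in getaddresses(values) if "@" in addr}


def check_reply_to(raw):
    """Return the names of the rules that hit for a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    hits = []
    reply_to = header_domains(msg, "Reply-To")
    from_doms = header_domains(msg, "From")
    if reply_to & REPLYTO_BLACKLIST:          # the DNSBL-style lookup
        hits.append("REPLYTO_BL_DOMAIN")
    # forged/rotating From but a stable Reply-To elsewhere
    if reply_to and from_doms and not (reply_to & from_doms):
        hits.append("REPLYTO_DOMAIN_MISMATCH")
    return hits


# Constructed sample messages (not real mail).
SAMPLE_SPAM = """\
From: Random Name <someone@example.org>
Reply-To: sales@mail.example.net
Subject: image editing
To: you@example.com

We edit your photos.
"""

SAMPLE_HAM = """\
From: Colleague <a@example.org>
Reply-To: team@example.org
Subject: meeting notes
To: you@example.com

Notes attached.
"""

if __name__ == "__main__":
    print(check_reply_to(SAMPLE_SPAM))  # both rules hit
    print(check_reply_to(SAMPLE_HAM))   # no hits
```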
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
You are wrong.
Sent from ProtonMail Mobile
On Wed, Feb 21, 2018 at 00:07, @lbutlr <kr...@kreme.com> wrote:
> On 2018-02-20 (06:02 MST), Rupert Gallagher wrote:
>
>> Do you have the legal right to do so?
>
> Absolutely.
>
> No one gets to inflict a contract on me. Especially not an entirely stupid nonsense thing like that piece of crap that has no legal weight whatsoever.
>
> --
> We are born naked, wet and hungry; then it's all downhill.
Re: Blacklist for reply-to?
Posted by "@lbutlr" <kr...@kreme.com>.
On 2018-02-20 (06:02 MST), Rupert Gallagher <ru...@protonmail.com> wrote:
>
> Do you have the legal right to do so?
Absolutely.
No one gets to inflict a contract on me. Especially not an entirely stupid nonsense thing like that piece of crap that has no legal weight whatsoever.
--
We are born naked, wet and hungry; then it's all downhill.
Re: Blacklist for reply-to?
Posted by "@lbutlr" <kr...@kreme.com>.
On 2018-02-21 (00:20 MST), Rupert Gallagher <ru...@protonmail.com> wrote:
>
> Beware that companies use a legal note in their signature as advised by their lawyers, and many individuals do the same, to inform the reader about laws that apply regardless of where or when you are reading their note.
Mostly they lie about what their claimed rights are.
> A mail from Europe is subject to data protection. It does not matter if you disagree.
It does. I am not subject to European laws on data protection.
--
"There's sex and death and human grime in monochrome for one thin dime
and at least the trains all run on time but they don't go anywhere."
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
Beware that companies use a legal note in their signature as advised by their lawyers, and many individuals do the same, to inform the reader about laws that apply regardless of where or when you are reading their note.
A mail from Europe is subject to data protection. It does not matter if you disagree.
R
On Wed, Feb 21, 2018 at 00:01, Reindl Harald <h....@thelounge.net> wrote:
> bullshit
>
> any disclaimer at the end of the message you already read is useless to
> start with - and send a message to the public with a disclaimer you can
> only read after the other content you already have read is nothing but
> idiotic as well as using accounts which add such disclaimers for
> mailing lists period
>
> On 20.02.2018 at 22:37 Rupert Gallagher wrote:
>> The matter is controversial. Lists have own defaults, who often
>> abuse their original aim of mere forwarding, especially when they
>> redistribute from a long-term archive. On the other hand, people have
>> own default banners for all outgoing correspondence, some with explicit
>> reference to the applicable law and company policy. Sparks happen when
>> they meet. A list's standpoint may be: if you do not want to be
>> archived, then do not post. A person's standpoint may be
>> that a mailing list standing as official publication is ludicrous,
>> while individuals have a well established human right to freedom of
>> speech. There are so many twists here that only a seasoned lawyer may
>> tell right from wrong.
>>
>> On Tue, Feb 20, 2018 at 14:55, Reindl Harald wrote:
>>> On 20.02.2018 at 14:02 Rupert Gallagher wrote:
>>>> Do you have the legal right to do so?
>>>
>>> does the fool with the disclaimer have any legal right to define
>>> whatever terms when sending to a public mailing-list?
>>>
>>>> On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
>>>>> On 2018-02-19 (09:57 MST), Paul Stead wrote:
>>>>> ...
>>>>> I reject your terms
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
The matter is controversial. Lists have own defaults, who often abuse their original aim of mere forwarding, especially when they redistribute from a long-term archive. On the other hand, people have own default banners for all outgoing correspondence, some with explicit reference to the applicable law and company policy. Sparks happen when they meet. A list's standpoint may be: if you do not want to be archived, then do not post. A person's standpoint may be that a mailing list standing as official publication is ludicrous, while individuals have a well established human right to freedom of speech. There are so many twists here that only a seasoned lawyer may tell right from wrong.
Sent from ProtonMail Mobile
On Tue, Feb 20, 2018 at 14:55, Reindl Harald <h....@thelounge.net> wrote:
> On 20.02.2018 at 14:02 Rupert Gallagher wrote:
>> Do you have the legal right to do so?
>
> does the fool with the disclaimer have any legal right to define
> whatever terms when sending to a public mailing-list?
>
>> On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
>>> On 2018-02-19 (09:57 MST), Paul Stead wrote:
>>> ...
>>> I reject your terms
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
Do you have the legal right to do so?
On Tue, Feb 20, 2018 at 00:23, @lbutlr <kr...@kreme.com> wrote:
> On 2018-02-19 (09:57 MST), Paul Stead wrote:
>> ...
>
> I reject your terms.
Re: Blacklist for reply-to?
Posted by "@lbutlr" <kr...@kreme.com>.
On 2018-02-19 (09:57 MST), Paul Stead <pa...@zeninternet.co.uk> wrote:
>
> This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
>
> Zen Internet Limited may monitor email traffic data to manage billing, to handle customer enquiries and for the prevention and detection of fraud. We may also monitor the content of emails sent to and/or from Zen Internet Limited for the purposes of security, staff training and to monitor quality of service.
I reject your terms.
--
Rid yourself of doubt -- or should you? -George Carlin
Re: Blacklist for reply-to?
Posted by Paul Stead <pa...@zeninternet.co.uk>.
I have a BZ raised for reply-to blacklist checking:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354
On 19/02/2018, 15:05, "Kevin A. McGrail" <ke...@mcgrail.com> wrote:
On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.
To my knowledge it doesn't exist. I documented it as an idea for GSOC
at https://issues.apache.org/jira/browse/COMDEV-263
Regards,
KAM
--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk
Winner of 'Services Company of the Year' at the UK IT Industry Awards
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
Zen Internet Limited may monitor email traffic data to manage billing, to handle customer enquiries and for the prevention and detection of fraud. We may also monitor the content of emails sent to and/or from Zen Internet Limited for the purposes of security, staff training and to monitor quality of service.
Zen Internet Limited is registered in England and Wales, Sandbrook Park, Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01
Re: Blacklist for reply-to?
Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.
To my knowledge it doesn't exist. I documented it as an idea for GSOC
at https://issues.apache.org/jira/browse/COMDEV-263
Regards,
KAM
Re: Blacklist for reply-to?
Posted by Benny Pedersen <me...@junc.eu>.
Kenneth Porter wrote on 2018-02-18 22:39:
> These emails are addressed to many of my web-page-only addresses that
> I've never used to sign up for anything. They're clearly unsolicited.
blacklist_to *@spamtrap.example.org in replyto
force bayes learn on user in blacklist
maybe use blacklist_from as well, I can't remember if one or both are
needed
Re: Blacklist for reply-to?
Posted by Daniele Duca <du...@staff.spin.it>.
On 19/02/2018 10:00, Kenneth Porter wrote:
> I have no clue what Rupert is on about. I just want something like
> blacklist_from that uses the reply-to header. I thought it was a
> simple technical question about how the config file directives map
> onto the actual headers. I'm not asking for site policy.
>
Maybe something like this?
header REPLYTO_KILLER reply-to =~ /@domain\.that\.you\.want\.blacklisted/
score REPLYTO_KILLER 1000
Re: Blacklist for reply-to?
Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 2/19/2018 7:15 PM, John Hardin wrote:
>
> Kevin, can that be set to advisory rather than completely killed?
Agreed. I'll comment out the setting of the score to zero in
nonKAMrules.cf.
Re: Blacklist for reply-to?
Posted by John Hardin <jh...@impsec.org>.
On Mon, 19 Feb 2018, Alex wrote:
> Hi,
>
> On Mon, Feb 19, 2018 at 3:20 PM, John Hardin <jh...@impsec.org> wrote:
>> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>>
>>> Whatever you do, just do not ask others to blacklist Alibaba
>>
>>
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> Perhaps just bump the score for that locally?
>
> KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
> that rule for me. Perhaps he doesn't know the rule was removed or
> otherwise handled?
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561
>
> Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
> SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
> score
>
> Is there anything further that needs to be done wrt this rule, or does
> it now just work as expected?
>
> He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER being
> affected by FORGED_YAHOO_RCVD.
Kevin, can that be set to advisory rather than completely killed?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The question of whether people should be allowed to harm themselves
is simple. They *must*. -- Charles Murray
-----------------------------------------------------------------------
63 more days working to pay your (average) annual US tax bill
before you're finally working for yourself.
Re: Blacklist for reply-to?
Posted by Alex <my...@gmail.com>.
Hi,
On Mon, Feb 19, 2018 at 3:20 PM, John Hardin <jh...@impsec.org> wrote:
> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>
>> Whatever you do, just do not ask others to blacklist Alibaba
>
>
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> Perhaps just bump the score for that locally?
KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
that rule for me. Perhaps he doesn't know the rule was removed or
otherwise handled?
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561
Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
score
Is there anything further that needs to be done wrt this rule, or does
it now just work as expected?
He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER being
affected by FORGED_YAHOO_RCVD.
Re: Blacklist for reply-to?
Posted by Benny Pedersen <me...@junc.eu>.
David Jones wrote on 2018-02-19 22:35:
> https://bz.apache.org/SpamAssassin
>
> I have added a few domains over the past few months but my mail flow
> isn't going to see many of the problem domains outside of the US like
> those listed above.
https://www.google.dk/search?q=github+freemail
Seems all of them are freemail?
Would adding more freemail domains give better detection of spam?
Re: Blacklist for reply-to?
Posted by David Jones <dj...@ena.com>.
On 02/19/2018 03:19 PM, John Hardin wrote:
> On Mon, 19 Feb 2018, Kenneth Porter wrote:
>
>> On 2/19/2018 12:20 PM, John Hardin wrote:
>>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> No, not seeing that one. After enough training I eventually see it
>> land in Bayes. The RBLs are starting to flag it.
>>
>> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>> FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>>
>> The subject and body are offering "image editing".
>
> I get *tons* of those.
>
> I'm wondering whether the freemail list is a bit stale, I'm seeing from
> addresses in .jp domains that look like they might be freemail...
>
> jmail.co.jp
> ezweb.ne.jp
>
> Are these freemail?
>
> o2online.de
> wanadoo.fr
>
>
The "freemail" domains also include domains that are commonly abused
according to 20_freemail_domains.cf. Anyone wanting to get some domains
added should open up a SpamAssassin Bugzilla:
https://bz.apache.org/SpamAssassin
I have added a few domains over the past few months but my mail flow
isn't going to see many of the problem domains outside of the US like
those listed above.
--
David Jones
Re: Blacklist for reply-to?
Posted by John Hardin <jh...@impsec.org>.
On Mon, 19 Feb 2018, Kenneth Porter wrote:
> On 2/19/2018 12:20 PM, John Hardin wrote:
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> No, not seeing that one. After enough training I eventually see it land in
> Bayes. The RBLs are starting to flag it.
>
> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
> FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>
> The subject and body are offering "image editing".
I get *tons* of those.
I'm wondering whether the freemail list is a bit stale, I'm seeing from
addresses in .jp domains that look like they might be freemail...
jmail.co.jp
ezweb.ne.jp
Are these freemail?
o2online.de
wanadoo.fr
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People think they're trading chaos for order [by ceding more and
more power to the Government], but they're just trading normal
human evil for the really dangerous organized kind of evil, the
kind that simply does not give a shit. Only bureaucrats can give
you true evil. -- Larry Correia
-----------------------------------------------------------------------
3 days until George Washington's 286th Birthday
Re: Blacklist for reply-to?
Posted by Kenneth Porter <sh...@sewingwitch.com>.
On 2/19/2018 12:20 PM, John Hardin wrote:
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
No, not seeing that one. After enough training I eventually see it land
in Bayes. The RBLs are starting to flag it.
X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
The subject and body are offering "image editing". The From is forged.
But the Reply-to is consistent.
Re: Blacklist for reply-to?
Posted by John Hardin <jh...@impsec.org>.
On Mon, 19 Feb 2018, Rupert Gallagher wrote:
> Whatever you do, just do not ask others to blacklist Alibaba
Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
Perhaps just bump the score for that locally?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...much of our country's counterterrorism security spending is not
designed to protect us from the terrorists, but instead to protect
our public officials from criticism when another attack occurs.
-- Bruce Schneier
-----------------------------------------------------------------------
3 days until George Washington's 286th Birthday
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
I wanted you to see your proposed solution from a different point of view, and I thought the quiz was spot on. As a number of you fell into the trap head first, I am now horrified. Whatever you do, just do not ask others to blacklist Alibaba, and do not blacklist yourself.
Sent from ProtonMail Mobile
On Mon, Feb 19, 2018 at 10:00, Kenneth Porter <sh...@sewingwitch.com> wrote:
> On 2/18/2018 5:09 PM, Antony Stone wrote:
>
>> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>>
>>> Question time! You receive spam with a reply-to your own address. What do
>>> you do?
>>
>> I take it that this is now a rather different question than the one you
>> originally asked in this thread, where the reply-to address was clearly not
>> your own?
>
> I have no clue what Rupert is on about. I just want something like blacklist_from that uses the reply-to header. I thought it was a simple technical question about how the config file directives map onto the actual headers. I'm not asking for site policy.
Re: Blacklist for reply-to?
Posted by Kenneth Porter <sh...@sewingwitch.com>.
On 2/18/2018 5:09 PM, Antony Stone wrote:
> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
> I take it that this is now a rather different question than the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?
>
I have no clue what Rupert is on about. I just want something like
blacklist_from that uses the reply-to header. I thought it was a simple
technical question about how the config file directives map onto the
actual headers. I'm not asking for site policy.
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
You need coffee...
Sent from ProtonMail Mobile
On Mon, Feb 19, 2018 at 02:09, Antony Stone <An...@spamassassin.open.source.it> wrote:
> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
>
> I take it that this is now a rather different question than the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?
>
>> A: you blacklist your own address
>
> Is there any reason why inbound mail should have your own address (and, by the
> way, do you mean address, or domain?) as the reply-to?
>
> For some people yes, for others, no. Your experience may not be standard.
>
>> B: you ask around to do A for you
>
> I'm not sure what that means.
>
>> C: you ask for advice
>
> Good idea; let's see what other replies you get.
>
> Antony.
>
> --
> "I estimate there's a world market for about five computers."
> - Thomas J Watson, Chairman of IBM
>
> Please reply to the list;
> please *don't* CC me.
Re: Blacklist for reply-to?
Posted by Benny Pedersen <me...@junc.eu>.
Antony Stone wrote on 2018-02-19 02:09:
>> C: you ask for advice
> Good idea; let's see what other replies you get.
I hate Mondays :=)
Re: Blacklist for reply-to?
Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
> Question time! You receive spam with a reply-to your own address. What do
> you do?
I take it that this is now a rather different question than the one you
originally asked in this thread, where the reply-to address was clearly not
your own?
> A: you blacklist your own address
Is there any reason why inbound mail should have your own address (and, by the
way, do you mean address, or domain?) as the reply-to?
For some people yes, for others, no. Your experience may not be standard.
> B: you ask around to do A for you
I'm not sure what that means.
> C: you ask for advice
Good idea; let's see what other replies you get.
Antony.
--
"I estimate there's a world market for about five computers."
- Thomas J Watson, Chairman of IBM
Please reply to the list;
please *don't* CC me.
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
Question time! You receive spam with a reply-to your own address. What do you do?
A: you blacklist your own address
B: you ask around to do A for you
C: you ask for advice
Sent from ProtonMail Mobile
On Sun, Feb 18, 2018 at 22:39, Kenneth Porter <sh...@sewingwitch.com> wrote:
> --On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher wrote:
>> It is not spam. You get it if you have an account with alibaba. Just
>> configure it.
>
> These emails are addressed to many of my web-page-only addresses that
> I've never used to sign up for anything. They're clearly unsolicited.
Re: Blacklist for reply-to?
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher
<ru...@protonmail.com> wrote:
> It is not spam. You get it if you have an account with alibaba. Just
> configure it.
These emails are addressed to many of my web-page-only addresses that I've
never used to sign up for anything. They're clearly unsolicited.
Re: Blacklist for reply-to?
Posted by Rupert Gallagher <ru...@protonmail.com>.
It is not spam. You get it if you have an account with alibaba. Just configure it.
Sent from ProtonMail Mobile
On Sun, Feb 18, 2018 at 21:06, Kenneth Porter <sh...@sewingwitch.com> wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.
Re: Blacklist for reply-to?
Posted by Rob McEwen <ro...@invaluement.com>.
On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.
http://msbl.org
(I'm not associated with this. Also, it is very high quality and
well-run! It should at least make a noticeable improvement, even if it
doesn't catch all of them.)
--
Rob McEwen
https://www.invaluement.com