Scanning Mailing-List Posts (was: Re: SA and Spear Phishing)

[Karsten Bräckelmann <gu...@rudersport.de>]

On Fri, 2011-03-18 at 20:25 -0700, jdow wrote:
> Interesting: (I think you have bigger problems than mere spear-phishing.

> >   1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
> >                              [64p79p213p206 listed in combined.njabl.org]
> >   0.8 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
> >                              [64p79p213p206 listed in dnsbl.sorbs.net]

While that's interesting indeed (and refers to the original sender's IP
address) -- even though I hate to fork yet another sub-thread...

I strongly advise against scanning list mail. Definitely with lists like
this one, where discussing spam is the norm, and samples are, though
frowned upon, to be expected.

This list currently is operated on a rather strict subscribe policy.
Posts by non-subscribers will not be allowed through, to  (a) prevent
accidental leaking of an address, even in case of a reply, and  (b) to
ensure the sender actually receives replies.

Spam to this list *sigh* is either filtered out already by a list server
side SA, or manually by the moderators. Believe me, I am one of them...


> >   0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)

Well, at least on the direct copies, I got an SPF_PASS instead.


> I am told I am rather "direct" for a woman. Just color me old, tired,
> and Irish (easily irritated.)

The first I knew, Joanne. ;)  The last one is news to me.

> Directness is easier than complex circumlocution, which I am getting
> too old for. It seems to make as many fans as enemies. {^_-}

I've been told, Germans are commonly attributed to be rather direct,
too. ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Scanning Mailing-List Posts

[jdow <jd...@earthlink.net>]

On 2011/03/18 21:05, Karsten Bräckelmann wrote:
> On Fri, 2011-03-18 at 20:25 -0700, jdow wrote:
>> Interesting: (I think you have bigger problems than mere spear-phishing.
>
>>>    1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>>                               [64p79p213p206 listed in combined.njabl.org]
>>>    0.8 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
>>>                               [64p79p213p206 listed in dnsbl.sorbs.net]
>
> While that's interesting indeed (and refers to the original sender's IP
> address) -- even though I hate to fork yet another sub-thread...
>
> I strongly advise against scanning list mail. Definitely with lists like
> this one, where discussing spam is the norm, and samples are, though
> frowned upon, to be expected.

Karsten, I assure you I don't. That was the copy he sent to me
straight rather than through SA. I bypass checking at the procmail
level on the setup here for spamassassin groups and a couple other
things.

(I go fairly far back with this stuff. Usually I simply scan for
interesting subjects. I saw this discussion take off and flare so
I stuck my nose in. I'm playing hooky from real work.)

{^_-}