https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8211
Bug ID: 8211
Summary: pccc.com HASHBL
Product: Spamassassin
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: spamassassin
Assignee: dev@spamassassin.apache.org
Reporter: threadmark@hotmail.com
Target Milestone: Undefined
Created attachment 5934
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5934&action=edit
pccc.com mcgrail config
This may have been a legitimate service from pccc.com, but it's not responding to
anything sent like an RBL should. Looking at the DNS logs, this is sending out
every email address and phone number scanned by SA as a DNS query,
e.g. "md5hash.wild.pccc.com"; the phone numbers are sent as plain text. I have
looked at the documentation, and this service is supposed to reply like any RBL.
The fact that the pccc.com RBL seems dead and the NS is still live is
indicative of data exfiltration. The md5 hash converting the DNS query is a
legitimate SA function, but pccc.com is receiving only? Every email address
and phone number in an email scanned by SA with these rules enabled is being
captured by the ns.pccc.com name server.
--
You are receiving this mail because:
You are the assignee for the bug.
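Added example (not SpamAssassin or pccc.com code) for checking the report's claim against your own resolver logs: it reconstructs the query name an address would produce, assuming md5 of the lowercased address under the zone as the report describes, and flags a zone that receives lookups but never answers. The log format, timestamps, addresses and phone number are constructed.

```python
"""Audit outbound DNS logs for HashBL-style lookups to a zone that never answers."""
import hashlib
import re

ZONE = "wild.pccc.com"  # zone named in the report


def hashbl_label(addr: str, zone: str = ZONE) -> str:
    """Query name for an address: md5 hex of the lowercased address (assumed scheme)."""
    return f"{hashlib.md5(addr.lower().encode()).hexdigest()}.{zone}"


def audit(log_lines, zone=ZONE, known_addrs=()):
    """Return (queries, answered, exposed) for lookups under `zone`.

    queries : lookups under the zone
    answered: lookups whose rcode was anything other than TIMEOUT/SERVFAIL
    exposed : query name -> local address or phone number it reveals
    """
    reverse = {hashbl_label(a, zone): a.lower() for a in known_addrs}
    field = re.compile(r"query=(\S+) rcode=(\S+)")  # constructed log format
    queries = answered = 0
    exposed = {}
    for line in log_lines:
        m = field.search(line)
        if not m or not m.group(1).endswith("." + zone):
            continue
        qname, rcode = m.groups()
        queries += 1
        if rcode not in ("TIMEOUT", "SERVFAIL"):
            answered += 1
        label = qname[: -len(zone) - 1]
        if qname in reverse:
            exposed[qname] = reverse[qname]     # hashed address we can match
        elif label.isdigit():
            exposed[qname] = label              # phone numbers go out unhashed
    return queries, answered, exposed


def is_dead_zone(queries, answered, min_queries=3):
    """Traffic out, nothing back: the pattern the report describes."""
    return queries >= min_queries and answered == 0


# Constructed sample log: three lookups to the zone, none answered, one to another RBL.
SAMPLE_LOG = [
    f"2024-05-01T10:00:01Z query={hashbl_label('Alice@Example.com')} rcode=TIMEOUT",
    f"2024-05-01T10:00:02Z query=15551234567.{ZONE} rcode=TIMEOUT",
    f"2024-05-01T10:00:03Z query={hashbl_label('bob@example.net')} rcode=TIMEOUT",
    "2024-05-01T10:00:04Z query=2.0.0.127.other.rbl.example rcode=NOERROR",
]
```

Feed `audit()` your own resolver log and the addresses your MTA handles; a non-empty `exposed` map with `is_dead_zone()` true is the situation the reporter saw.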