Mailing List Archive

google as biggest botnet, no kidding
Do others see spam from googleapis.com URLs?

It's currently URL-skipped, but I unskipped it locally to see tracking of
it.

I have made my ClamAV reject HTML attachments from today.
Re: google as biggest botnet, no kidding [ In reply to ]
The use of googleapis in spam is something we are seeing as well.  We
unskipped it a bit ago in KAM.cf

On 5/11/2020 7:12 PM, Benny Pedersen wrote:
>
> Do others see spam from googleapis.com URLs?
>
> It's currently URL-skipped, but I unskipped it locally to see tracking
> of it.
>
> I have made my ClamAV reject HTML attachments from today.
>
>
--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: google as biggest botnet, no kidding [ In reply to ]
On 2020-05-12 01:30, Kevin A. McGrail wrote:
> The use of googleapis in spam is something we are seeing as well.  We
> unskipped it a bit ago in KAM.cf

Good to know I am not alone on this.

I am beginning to think of making my own scores for my own rules, but I have
never learned how to make it work; I still have no stable corpus to build from,
and no infrastructure yet to make it happen.

What would be a dream is URL reputation based on valid DMARC senders,
something like how it's done in rspamd.

Hope ClamAV doesn't let it pass to SpamAssassin anymore.
RE: google as biggest botnet, no kidding [ In reply to ]
Nothing new; it started with the Amazon abuse cloud.

Just put something in your MTA like this (for sendmail):

connect:compute-1.amazonaws.com ERROR: "Use your providers outgoing
(smtp) server"

Only recently I have noticed that they are changing reverse DNS lookups
to their clients, with the obvious intent to bypass such blocking.

In order not to waste too much time on this, I have fail2ban report the
abuse on their website; 6 million times so far.



-----Original Message-----
From: Benny Pedersen [mailto:me@junc.eu]
Sent: 12 May 2020 01:42
To: users@spamassassin.apache.org
Subject: Re: google as biggest botnet, no kidding

On 2020-05-12 01:30, Kevin A. McGrail wrote:
> The use of googleapis in spam is something we are seeing as well. We
> unskipped it a bit ago in KAM.cf

Good to know I am not alone on this.

I am beginning to think of making my own scores for my own rules, but I have
never learned how to make it work; I still have no stable corpus to build from,
and no infrastructure yet to make it happen.

What would be a dream is URL reputation based on valid DMARC senders,
something like how it's done in rspamd.

Hope ClamAV doesn't let it pass to SpamAssassin anymore.
Re: google as biggest botnet, no kidding [ In reply to ]
On 12/05/20 01:12, Benny Pedersen wrote:

>
> Do others see spam from googleapis.com URLs?
>
> It's currently URL-skipped, but I unskipped it locally to see tracking
> of it.
>
> I have made my ClamAV reject HTML attachments from today.
>
>
Yes, we are seeing an awful lot of phishing sites hosted under
https://firebasestorage.googleapis.com

I'd say that 99% of them can be caught by a simple regex, but I
don't know how common those firebasestorage URLs are in normal emails.
I personally have yet to see a legitimate one.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
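An added example of the "simple regex" approach Riccardo describes, written for this page rather than taken from the thread or any project: it pulls firebasestorage.googleapis.com object URLs out of a message's text and HTML parts so they can feed a local rule score or an abuse report. The URL shape, bucket name and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from html import unescape

# Assumed URL shape: Firebase Storage object URLs carry a bucket and an
# object path; this pattern is an assumption for the demo, not from the thread.
FIREBASE_RE = re.compile(
    r"https?://firebasestorage\.googleapis\.com/v\d+/b/([^/\s\"'<>]+)/o/([^\s\"'<>?]+)",
    re.IGNORECASE,
)

def iter_text_parts(msg: Message):
    """Yield the decoded text/plain and text/html bodies of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            # unescape so an HTML-entity-encoded href still matches
            yield unescape(payload.decode(charset, errors="replace"))

def find_firebase_urls(raw_message: str):
    """Return (bucket, object_path) for every Firebase Storage URL in the mail."""
    msg = message_from_string(raw_message)
    return [(m.group(1), m.group(2))
            for text in iter_text_parts(msg)
            for m in FIREBASE_RE.finditer(text)]

# Constructed sample message, not a real phish from the list.
SAMPLE = """\
From: sender@example.invalid
Subject: Your document is ready
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Open https://firebasestorage.googleapis.com/v0/b/demo-bucket.appspot.com/o/login.html?alt=media
--b1
Content-Type: text/html

<a href="https://firebasestorage.googleapis.com/v0/b/demo-bucket.appspot.com/o/login.html?alt=media">view</a>
--b1--
"""
```

Matching on the host alone is what produces the occasional false positives mentioned later in the thread, so treat a hit as a score input rather than a hard reject.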
Re: google as biggest botnet, no kidding [ In reply to ]
On 2020-05-12 10:15, Riccardo Alfieri wrote:

> Yes, we are seeing an awful lot of phishing sites hosted under
> https://firebasestorage.googleapis.com

I got a sample of this now.

> I'd say that 99% of them can be caught by a simple regex, but
> I don't know how common those firebasestorage URLs are in normal
> emails. I personally have yet to see a legitimate one.

Same here. If I just got a dollar per IP from the list below, I would be out
of business.


I have no customers there and am not planning to make a single one; port 25
is open for them if they need to email me. Note the above IPs have no
access to customer ports; I just make shorewall show logs of abused
ports that are not first accepted in iptables, so no fail2ban needed.
Re: google as biggest botnet, no kidding [ In reply to ]
Riccardo Alfieri <riccardo.alfieri@spamteq.com> writes:

> Yes, we are seeing an awful lot of phishing sites hosted under
> https://firebasestorage.googleapis.com
>
> I'd say that 99% of them can be caught by a simple regex, but I
> don't know how common those firebasestorage URLs are in normal emails.
> I personally have yet to see a legitimate one.

We receive a *huge* amount of phishing attempts from firebasestorage. My
regular routine is to wake up, and report these to google safebrowsing,
but it doesn't seem to have much of an effect.

There *are* occasional, like 1%, false positives... but something needs
to happen here.

--
micah
Re: google as biggest botnet, no kidding [ In reply to ]
>On Tuesday, May 12, 2020, 02:16:52 PM GMT+2, micah anderson <micah@riseup.net> wrote:
>We receive a *huge* amount of phishing attempts from firebasestorage. My
>regular routine is to wake up, and report these to google safebrowsing,
>but it doesn't seem to have much of an effect.
>There *are* occasional, like 1%, false positives... but something needs
>to happen here.

It is very "suspicious" that one nanosecond exactly after the phishing site appears in Google, the URL appears in Safebrowsing. It is absolutely impossible for a human being to react that fast!
Of course, only in the "paid" version of Safebrowsing... not in the free one... of course...
-------------Pedro.
Re: google as biggest botnet, no kidding [ In reply to ]
> >On Tuesday, May 12, 2020, 02:16:52 PM GMT+2, micah anderson <micah@riseup.net> wrote:
>>We receive a *huge* amount of phishing attempts from firebasestorage. My
>>regular routine is to wake up, and report these to google safebrowsing,
>>but it doesn't seem to have much of an effect.
>>There *are* occasional, like 1%, false positives... but something needs
>>to happen here.

On 13.05.20 05:00, Pedro David Marco wrote:
>It is very "suspicious" that one nanosecond exactly after the phishing site
> appears in Google, the URL appears in Safebrowsing. It is absolutely
> impossible for a human being to react that fast!

maybe there are some pieces of anti-malware SW that check websites

>Of course, only in the "paid" version of Safebrowsing... not in the free one... of course...

...and maybe they need to be paid for.

>-------------Pedro.

Maybe you should use the common format for signatures: the line "-- " at the
beginning and the signature below.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Re: google as biggest botnet, no kidding [ In reply to ]
>On Wednesday, May 13, 2020, 10:27:15 AM GMT+2, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>maybe there are some pieces of anti-malware SW that check websites
>...and maybe they need to be paid for

So they know those websites are dangerous and even so they allow them???

>Maybe you should use the common format for signatures: the line "-- " at the beginning and the signature below.

ACK! Thanks.

--Pedro.
Re: google as biggest botnet, no kidding [ In reply to ]
PLEASE TAKE ME OFF OF THIS EMAIL LIST! I DON'T KNOW WHY OR HOW I GOT ON THIS LIST! NO MATTER WHAT I DO I CANNOT STOP THESE EMAILS! PLEASE SOMEONE REMOVE ME FROM ALL OF THESE EMAIL LISTS!

> On May 12, 2020, at 10:11 PM, Pedro David Marco <pedrod_marco@yahoo.com> wrote:
>
>
>
>
> >On Tuesday, May 12, 2020, 02:16:52 PM GMT+2, micah anderson <micah@riseup.net> wrote:
>
> >We receive a *huge* amount of phishing attempts from firebasestorage. My
> >regular routine is to wake up, and report these to google safebrowsing,
> >but it doesn't seem to have much of an effect.
> >There *are* occasional, like 1%, false positives... but something needs
> >to happen here.
>
> It is very "suspicious" that one nanosecond exactly after the phishing site appears in Google, the URL appears
> in Safebrowsing. It is absolutely impossible for a human being to react that fast!
>
> Of course, only in the "paid" version of Safebrowsing... not in the free one... of course...
>
> -------------
> Pedro.
>
>
>
Re: google as biggest botnet, no kidding [ In reply to ]
On 2020-05-13 19:14, RALPH HAUSER wrote:
> PLEASE TAKE ME OFF OF THIS EMAIL LIST! I DON'T KNOW WHY OR HOW I GOT ON
> THIS LIST! NO MATTER WHAT I DO I CANNOT STOP THESE EMAILS! PLEASE
> SOMEONE REMOVE ME FROM ALL OF THESE EMAIL LISTS!

Sure, everyone on this list here can remove you.

Please do your own homework and write an email to
users-help@spamassassin.apache.org
Re: google as biggest botnet, no kidding [ In reply to ]
> >On Wednesday, May 13, 2020, 10:27:15 AM GMT+2, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
> >maybe there are some pieces of anti-malware SW that check websites
> >...and maybe they need to be paid for

On 13.05.20 08:36, Pedro David Marco wrote:
>So they know those websites are dangerous and even so they allow them???

Apparently the list of dangerous websites and the websites themselves are
completely different issues.

>>Maybe you should use the common format for signatures: the line "-- " at the beginning and the signature below.
>
>ACK! Thanks.

"-- " contains one space at the end and has to be on a separate line.

>--Pedro.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Re: google as biggest botnet, no kidding [ In reply to ]
On 2020-05-14 08:43, Matus UHLAR - fantomas wrote:

>> ACK! Thanks.
>
> "-- " contains one space at the end and has to be on a separate line.

No signature, no problem.