Mailing List Archive

The most efficient SPAM implementation ever
Hello all:

I have been a very satisfied user of spamassassin for a long time. Now I
am facing a challenge, a problem that I cannot resolve.

Years ago I was an active participant in the SolidWorks forum:

https://forum.solidworks.com

Unfortunately, there is a group there who when don't approve of a thread
their response is to send you a barrage of e-mails, some sort of DOS
attack. I have received thousands of those, during several years.

I dutifully have those messages processed by sa-learn, but it is clear
that they are immune to spamassassin. Instead of going up, their score
goes down.

I tried another approach (suggested by some of you folks): block the
sender by sendmail, as seen below. Such defensive strategy was helpful
for a couple years but now the spam has come back with a vengeance.
Currently, my last line of defense is the only one that recognizes that
stealth spam: the Thunderbird mail client.

Please help.

TIA,

-Ramon F. Herrera

ps: I do not have samples right now but will collect some and post them.
Re: The most efficient SPAM implementation ever [ In reply to ]
On 10 Oct 2020, at 10:52, Ramon F Herrera wrote:

> Hello all:
>
> I have been a very satisfied user of spamassassin for a long time. Now
> I am facing a challenge, a problem that I cannot resolve.
>
> Years ago I was an active participant in the SolidWorks forum:
>
> https://forum.solidworks.com
>
> Unfortunately, there is a group there who when don't approve of a
> thread their response is to send you a barrage of e-mails, some sort
> of DOS attack. I have received thousands of those, during several
> years.
>
> I dutifully have those messages processed by sa-learn, but it is clear
> that they are immune to spamassassin. Instead of going up, their score
> goes down.
>
> I tried another approach (suggested by some of you folks): block the
> sender by sendmail, as seen below. Such defensive strategy was helpful
> for a couple years but now the spam has come back with a vengeance.
> Currently, my last line of defense is the only one that recognizes
> that stealth spam: the Thunderbird mail client.
>
> Please help.

Without actual samples of the spam, there's nothing anyone else can do
to help figure out why SA isn't catching it and how it might get caught.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
RE: The most efficient SPAM implementation ever [ In reply to ]
Very unclear problem description. First of al if you mark spam the
sender knows it is being received (and does not even know the message
has been marked). Thus the best way to treat spam, is rejecting it.

So without any other info. Start rejecting messages instead of accepting
them.

Start posting those (relevant) message headers ;)



-----Original Message-----
To: users@spamassassin.apache.org
Subject: The most efficient SPAM implementation ever

Hello all:

I have been a very satisfied user of spamassassin for a long time. Now I
am facing a challenge, a problem that I cannot resolve.

Years ago I was an active participant in the SolidWorks forum:

https://forum.solidworks.com

Unfortunately, there is a group there who when don't approve of a thread
their response is to send you a barrage of e-mails, some sort of DOS
attack. I have received thousands of those, during several years.

I dutifully have those messages processed by sa-learn, but it is clear
that they are immune to spamassassin. Instead of going up, their score
goes down.

I tried another approach (suggested by some of you folks): block the
sender by sendmail, as seen below. Such defensive strategy was helpful
for a couple years but now the spam has come back with a vengeance.
Currently, my last line of defense is the only one that recognizes that
stealth spam: the Thunderbird mail client.


Please help.


TIA,

-Ramon F. Herrera


ps: I do not have samples right now but will collect some and post them.
Re: The most efficient SPAM implementation ever [ In reply to ]
These forum messages probably have a common URL in them.

Use something like:
blacklist_uri_host solidworks.com
to score the common URL.

h2h

On 10/10/20 4:52 PM, Ramon F Herrera wrote:
> Hello all:
>
> I have been a very satisfied user of spamassassin for a long time. Now I
> am facing a challenge, a problem that I cannot resolve.
>
> Years ago I was an active participant in the SolidWorks forum:
>
> https://forum.solidworks.com
>
> Unfortunately, there is a group there who when don't approve of a thread
> their response is to send you a barrage of e-mails, some sort of DOS
> attack. I have received thousands of those, during several years.
>
> I dutifully have those messages processed by sa-learn, but it is clear
> that they are immune to spamassassin. Instead of going up, their score
> goes down.
>
> I tried another approach (suggested by some of you folks): block the
> sender by sendmail, as seen below. Such defensive strategy was helpful
> for a couple years but now the spam has come back with a vengeance.
> Currently, my last line of defense is the only one that recognizes that
> stealth spam: the Thunderbird mail client.
>
> Please help.
>
> TIA,
>
> -Ramon F. Herrera
>
> ps: I do not have samples right now but will collect some and post them.
>
>
>
Re: The most efficient SPAM implementation ever [ In reply to ]
Hello Marc:

I guess you are confused by my message and I am confused by yours. Allow
me to clarify.

I have 3 lines of defense and the 2 main ones have failed. The SPAM
messages are undetected. You tell me that the best way is to treat spam
is to reject it but all my attempts to detect this particular instance,
let alone reject it have been unsuccessful.

*Line of Defense No. 1:*
The sendmail 'access' file seen below. For over a year only one
statement was sufficient, as you can see now I have 11 and they all fail.

*Line of Defense No. 2:*
Spamassassin. It have submitted over a thousand messages as follows:

% sa-learn --spam --mbox Mail/Junk

Unfortunately, that command has never been able to increase the score of
the messages.


*Line of Defense No. 3:*
My Thunderbird e-mail client. Only one that works. After I marked one
message as SPAM, all are dutifully placed into my ~/Mail/Junk folder.

I placed some cases here:

http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM
http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM.mbox (both
files are the same)

Thanks!

-Ramon

On 10/10/2020 4:15 PM, Marc Roos wrote:
>
> Very unclear problem description. First of al if you mark spam the
> sender knows it is being received (and does not even know the message
> has been marked). Thus the best way to treat spam, is rejecting it.
>
> So without any other info. Start rejecting messages instead of accepting
> them.
>
> Start posting those (relevant) message headers ;)
>
>
>
> -----Original Message-----
> To:users@spamassassin.apache.org
> Subject: The most efficient SPAM implementation ever
>
> Hello all:
>
> I have been a very satisfied user of spamassassin for a long time. Now I
> am facing a challenge, a problem that I cannot resolve.
>
> Years ago I was an active participant in the SolidWorks forum:
>
> https://forum.solidworks.com
>
> Unfortunately, there is a group there who when don't approve of a thread
> their response is to send you a barrage of e-mails, some sort of DOS
> attack. I have received thousands of those, during several years.
>
> I dutifully have those messages processed by sa-learn, but it is clear
> that they are immune to spamassassin. Instead of going up, their score
> goes down.
>
> I tried another approach (suggested by some of you folks): block the
> sender by sendmail, as seen below. Such defensive strategy was helpful
> for a couple years but now the spam has come back with a vengeance.
> Currently, my last line of defense is the only one that recognizes that
> stealth spam: the Thunderbird mail client.
>
>
> Please help.
>
>
> TIA,
>
> -Ramon F. Herrera
>
>
> ps: I do not have samples right now but will collect some and post them.
>
>
>
>
>
Re: The most efficient SPAM implementation ever [ In reply to ]
There you go, Bill:

http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM
http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM.mbox (both
files are hardlinked)

Yesterday I was upset and removed all the offending messages. I will add
more as soon as they arrive.

Thanks!

-Ramon

On 10/10/2020 11:49 AM, Bill Cole wrote:
> On 10 Oct 2020, at 10:52, Ramon F Herrera wrote:
>
>> Hello all:
>>
>> I have been a very satisfied user of spamassassin for a long time.
>> Now I am facing a challenge, a problem that I cannot resolve.
>>
>> Years ago I was an active participant in the SolidWorks forum:
>>
>> https://forum.solidworks.com
>>
>> Unfortunately, there is a group there who when don't approve of a
>> thread their response is to send you a barrage of e-mails, some sort
>> of DOS attack. I have received thousands of those, during several years.
>>
>> I dutifully have those messages processed by sa-learn, but it is
>> clear that they are immune to spamassassin. Instead of going up,
>> their score goes down.
>>
>> I tried another approach (suggested by some of you folks): block the
>> sender by sendmail, as seen below. Such defensive strategy was
>> helpful for a couple years but now the spam has come back with a
>> vengeance. Currently, my last line of defense is the only one that
>> recognizes that stealth spam: the Thunderbird mail client.
>>
>> Please help.
>
> Without actual samples of the spam, there's nothing anyone else can do
> to help figure out why SA isn't catching it and how it might get caught.
>
Re: The most efficient SPAM implementation ever [ In reply to ]
As for the two ones shown on the first link, ... reject MFROM
"@u18101436.wl187.sendgrid.net", and/or any MFROM starting with
"bounces+18101436-"?

Blocking the shared SendGrid servers (e.g. with PTR's ending in
".sendgrid.net") could also help.

You could also have look at all of your mails, trying to catch how much
you actually see of "good" traffic from SendGrid, and depending on the
result, block them completely.

But it all depends on how far you are willing to go. :)

--
Med venlig hilsen / Kind regards,
Arne Jensen

Den 11-10-2020 kl. 16:03 skrev Ramon F Herrera:
>
> Hello Marc:
>
> I guess you are confused by my message and I am confused by yours.
> Allow me to clarify.
>
> I have 3 lines of defense and the 2 main ones have failed. The SPAM
> messages are undetected. You tell me that the best way is to treat
> spam is to reject it but all my attempts to detect this particular
> instance, let alone reject it have been unsuccessful.
>
> *Line of Defense No. 1:*
> The sendmail 'access' file seen below. For over a year only one
> statement was sufficient, as you can see now I have 11 and they all fail.
>
> *Line of Defense No. 2:*
> Spamassassin. It have submitted over a thousand messages as follows:
>
> % sa-learn --spam --mbox Mail/Junk
>
> Unfortunately, that command has never been able to increase the score
> of the messages.
>
>
> *Line of Defense No. 3:*
> My Thunderbird e-mail client. Only one that works. After I marked one
> message as SPAM, all are dutifully placed into my ~/Mail/Junk folder.
>
> I placed some cases here:
>
> http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM
> http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM.mbox   (both
> files are the same)
>
> Thanks!
>
> -Ramon
>
> On 10/10/2020 4:15 PM, Marc Roos wrote:
>>
>> Very unclear problem description. First of al if you mark spam the
>> sender knows it is being received (and does not even know the message
>> has been marked). Thus the best way to treat spam, is rejecting it.
>>
>> So without any other info. Start rejecting messages instead of accepting
>> them.
>>
>> Start posting those (relevant) message headers ;)
>>
>>
>>
>> -----Original Message-----
>> To: users@spamassassin.apache.org
>> Subject: The most efficient SPAM implementation ever
>>
>> Hello all:
>>
>> I have been a very satisfied user of spamassassin for a long time. Now I
>> am facing a challenge, a problem that I cannot resolve.
>>
>> Years ago I was an active participant in the SolidWorks forum:
>>
>> https://forum.solidworks.com
>>
>> Unfortunately, there is a group there who when don't approve of a thread
>> their response is to send you a barrage of e-mails, some sort of DOS
>> attack. I have received thousands of those, during several years.
>>
>> I dutifully have those messages processed by sa-learn, but it is clear
>> that they are immune to spamassassin. Instead of going up, their score
>> goes down.
>>
>> I tried another approach (suggested by some of you folks): block the
>> sender by sendmail, as seen below. Such defensive strategy was helpful
>> for a couple years but now the spam has come back with a vengeance.
>> Currently, my last line of defense is the only one that recognizes that
>> stealth spam: the Thunderbird mail client.
>>
>>
>> Please help.
>>
>>
>> TIA,
>>
>> -Ramon F. Herrera
>>
>>
>> ps: I do not have samples right now but will collect some and post them.
>>
>>
>>
>>
>>
Re: The most efficient SPAM implementation ever [ In reply to ]
Hi,

Are you running sa-learn as the same user that spamd runs as ?

Running sa-learn as root won't help the scores.


Regards,

Rick


On 2020-10-11 10:03 a.m., Ramon F Herrera wrote:
>
> *Line of Defense No. 2:*
> Spamassassin. It have submitted over a thousand messages as follows:
>
> % sa-learn --spam --mbox Mail/Junk
>
> Unfortunately, that command has never been able to increase the score
> of the messages.
>
>

--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Re: The most efficient SPAM implementation ever [ In reply to ]
Good point.

spamd runs as root and sa-learn runs as 'ramon'.

That scheme has worked perfectly well for years, except for that
particular spam.

Thanks!

-Ramon

On 10/11/2020 9:28 AM, Rick Macdougall wrote:
> Hi,
>
> Are you running sa-learn as the same user that spamd runs as ?
>
> Running sa-learn as root won't help the scores.
>
>
> Regards,
>
> Rick
>
>
> On 2020-10-11 10:03 a.m., Ramon F Herrera wrote:
>>
>> *Line of Defense No. 2:*
>> Spamassassin. It have submitted over a thousand messages as follows:
>>
>> % sa-learn --spam --mbox Mail/Junk
>>
>> Unfortunately, that command has never been able to increase the score
>> of the messages.
>>
>>
>
Re: The most efficient SPAM implementation ever [ In reply to ]
On Sunday 11 October 2020 at 16:28:12, Rick Macdougall wrote:

> Hi,
>
> Are you running sa-learn as the same user that spamd runs as ?
>
> Running sa-learn as root won't help the scores.

I've been aware of this advice / requirement almost since I started using SA.

However, I've never been quite sure of:

1. If you run it as the wrong user, does the data get stored in the wrong
place, or is it simply lost?

2. If it's stored in the wrong place, is there any way of transferring or
merging it back in to where it should be instead?


Thanks,


Antony.

--
https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for
talking to yourself.

Please reply to the list;
please *don't* CC me.
RE: The most efficient SPAM implementation ever [ In reply to ]
>
>
>I guess you are confused by my message and I am confused by yours.
Allow me to clarify.

Oops, did not notice jpg attachment. Better to post just text.

>I have 3 lines of defense and the 2 main ones have failed. The SPAM
messages are
> undetected. You tell me that the best way is to treat spam is to
reject it but
> all my attempts to detect this particular instance, let alone reject
it have
> been unsuccessful.

Yes these are not correct (anymore? I guess their infrastructure
changed?)

[@ files]$ dig +short jiveon.jivesoftware.com
sendgrid.net.
167.89.123.54
167.89.115.56
[@ files]$ dig +short -x 167.89.123.54
o16789123x54.outbound-mail.sendgrid.net.

The specific range of sendgrid looks like this[1]. So now you know they
use sendgrid and probably have access to a 'limited' dynamic ip range.

Now you can decide to reject email coming from (the whole of) sendgrid.
I have created an email address and ip white list. So if someone
legitimate complains. I can allow that specific email address or ip to
go through.

If sendgrid is getting smarter in the future you will have problems
blocking just on sendgrid.net. Mailgun already switched to something
like this[2]. Some spammers even change their reverse lookup just
before sending.

Then you have to fall back on eg. ip blacklisting. I am currently
thinking about doing an asn lookup. As you can see these return
the same id for different reverse configured ips of mailgun.

[@ ~]# dig +short -t txt 40.151.61.209.origin.asn.cymru.com
"33070 | 209.61.128.0/19 | US | arin | 2000-06-05"
[@ ~]# dig +short -t txt 41.151.61.209.origin.asn.cymru.com
"33070 | 209.61.128.0/19 | US | arin | 2000-06-05"
[@ ~]# dig +short -t txt 42.151.61.209.origin.asn.cymru.com
"33070 | 209.61.128.0/19 | US | arin | 2000-06-05"
[@ ~]# dig +short -t txt 43.151.61.209.origin.asn.cymru.com

Maybe also forget about the access map and switch to something like
mailfromd. I think you can even reject the message with it after
you analyzed the whole message body.


>Line of Defense No. 1:
>The sendmail 'access' file seen below. For over a year only one
statement was
> sufficient, as you can see now I have 11 and they all fail.

Things change (fast)

>
>Line of Defense No. 2:
>Spamassassin. It have submitted over a thousand messages as follows:
>
>% sa-learn --spam --mbox Mail/Junk
>
>Unfortunately, that command has never been able to increase the score
> of the messages.
>

[1]
67.89.123.6 o16789123x6.outbound-mail.sendgrid.net.
167.89.123.7 o16789123x7.outbound-mail.sendgrid.net.
167.89.123.8 o16789123x8.outbound-mail.sendgrid.net.
167.89.123.9 o16789123x9.outbound-mail.sendgrid.net.
167.89.123.10 o16789123x10.outbound-mail.sendgrid.net.
167.89.123.11 o16789123x11.outbound-mail.sendgrid.net.
167.89.123.12 o16789123x12.outbound-mail.sendgrid.net.
167.89.123.13 o16789123x13.outbound-mail.sendgrid.net.
167.89.123.14 o16789123x14.outbound-mail.sendgrid.net.
167.89.123.15 o16789123x15.outbound-mail.sendgrid.net.
167.89.123.16 o16789123x16.outbound-mail.sendgrid.net.
167.89.123.17 o16789123x17.outbound-mail.sendgrid.net.
167.89.123.18 o16789123x18.outbound-mail.sendgrid.net.
167.89.123.19 o16789123x19.outbound-mail.sendgrid.net.
167.89.123.20 o16789123x20.outbound-mail.sendgrid.net.
167.89.123.21 o16789123x21.outbound-mail.sendgrid.net.
167.89.123.22 o16789123x22.outbound-mail.sendgrid.net.
167.89.123.23 o16789123x23.outbound-mail.sendgrid.net.
167.89.123.24 o16789123x24.outbound-mail.sendgrid.net.
167.89.123.25 o16789123x25.outbound-mail.sendgrid.net.
167.89.123.26 o16789123x26.outbound-mail.sendgrid.net.
167.89.123.27 o16789123x27.outbound-mail.sendgrid.net.
167.89.123.28 o16789123x28.outbound-mail.sendgrid.net.
167.89.123.29 o16789123x29.outbound-mail.sendgrid.net.
167.89.123.30 o16789123x30.outbound-mail.sendgrid.net.
167.89.123.31 o16789123x31.outbound-mail.sendgrid.net.
167.89.123.32 o16789123x32.outbound-mail.sendgrid.net.
167.89.123.33 o16789123x33.outbound-mail.sendgrid.net.
167.89.123.34 o16789123x34.outbound-mail.sendgrid.net.
167.89.123.35 o16789123x35.outbound-mail.sendgrid.net.
167.89.123.36 o16789123x36.outbound-mail.sendgrid.net.
167.89.123.37 o16789123x37.outbound-mail.sendgrid.net.
...

167.89.123.245 o16789123x245.outbound-mail.sendgrid.net.
167.89.123.246 o16789123x246.outbound-mail.sendgrid.net.
167.89.123.247 o16789123x247.outbound-mail.sendgrid.net.
167.89.123.248 o16789123x248.outbound-mail.sendgrid.net.
167.89.123.249 o16789123x249.outbound-mail.sendgrid.net.
167.89.123.250 o16789123x250.outbound-mail.sendgrid.net.
167.89.123.251 o16789123x251.outbound-mail.sendgrid.net.
167.89.123.252 o16789123x252.outbound-mail.sendgrid.net.
167.89.123.253 o16789123x253.outbound-mail.sendgrid.net.
167.89.123.254 o16789123x254.outbound-mail.sendgrid.net.
167.89.123.255 o16789123x255.outbound-mail.sendgrid.net.

[2]
209.61.151.28 rs28.mailgun.us.
209.61.151.29 rs29.mailgun.us.
209.61.151.30 rs30.mailgun.us.
209.61.151.31 rs31.mailgun.us.
209.61.151.32 rs32.mailgun.us.
209.61.151.33 rs33.mailgun.us.
209.61.151.34 rs34.mailgun.us.
209.61.151.35 rs35.mailgun.us.
209.61.151.36 rs36.mailgun.us.
209.61.151.37 rs37.mailgun.us.
209.61.151.38 rs38.mailgun.us.
209.61.151.39 rs39.mailgun.us.
209.61.151.40 mail-151.40.greenhouse.io.
209.61.151.41 rs41.hire.lever.co.
209.61.151.42 rs42.mailgun.us.
209.61.151.43 rs43.mailgun.us.
209.61.151.44 rs44.mailgun.us.
209.61.151.45 mailgun10.discogs.com.
209.61.151.46 rs46.mailgun.us.
209.61.151.47 rs47.mailgun.us.
209.61.151.48 mailgun.skydreams.com.
209.61.151.49 rs49.mailgun.us.
209.61.151.50 rs50.mailgun.us.
209.61.151.51 rs51.mailgun.us.
209.61.151.52 rs52.mailgun.us.
209.61.151.53 rs53.mailgun.us.
209.61.151.54 rs54.mailgun.us.
209.61.151.55 rs55.mailgun.us.
209.61.151.56 rs56.mailgun.us.
209.61.151.57 rs57.mailgun.us.
209.61.151.58 rs58.mailgun.us.
209.61.151.59 rs59.mailgun.us.
Re: The most efficient SPAM implementation ever [ In reply to ]
On 10/11/2020 10:07 AM, Marc Roos wrote:

>
> o16789123x54.outbound-mail.sendgrid.net.
>
> The specific range of sendgrid looks like this[1]. So now you know they
> use sendgrid and probably have access to a 'limited' dynamic ip range.
>
> Now you can decide to reject email coming from (the whole of) sendgrid.


I am the one who is a client of sendgrid. Before subscribing to their
service (with low volume it is free) many of my messages were rejected.
They provide legitimacy. Highly recommended:

https://sendgrid.com/

Thanks!

-Ramon
RE: The most efficient SPAM implementation ever [ In reply to ]
> I am the one who is a client of sendgrid. Before subscribing to their
service (with low volume it is free)
> many of my messages were rejected. They provide legitimacy.

So the problem here is actually that a spammer whines about being
spammed? :D But this does confirm my idea that one should just blanket
blacklist these networks, because they mostly harbour clients that were
blocked and have no where else to go any more.

I do not recommend using sendgrid. Going there with your legitimate
services is like having your products manufactured by forced child
labour which is maybe legal in that part of the world, but it is still
something you do not want to be associated with.
Re: The most efficient SPAM implementation ever [ In reply to ]
Hello,

On Sun, Oct 11, 2020 at 10:20:32AM -0500, Ramon F Herrera wrote:
> On 10/11/2020 10:07 AM, Marc Roos wrote:
> >Now you can decide to reject email coming from (the whole of) sendgrid.
>
> I am the one who is a client of sendgrid.

Are you aware that you've posted this to a list where it is an
ongoing topic of discussion for the last year or so how to block the
torrent of spam and phishing from SendGrid without blocking the
legitimate email?

> They provide legitimacy. Highly recommended

From my point of view I'd prefer if people didn't use SendGrid as
then it would become more feasible to block them entirely. They
currently "provide legitimacy" only on the basis of them being "too
big to block"; I am not sure if that is something to be encouraged
by throwing them more business.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: The most efficient SPAM implementation ever [ In reply to ]
Antony Stone skrev den 2020-10-11 16:52:

>> Are you running sa-learn as the same user that spamd runs as ?
>> Running sa-learn as root won't help the scores.

unless root trains global Bayes username

> I've been aware of this advice / requirement almost since I started
> using SA.

most users do it incorrect still :=)

> However, I've never been quite sure of:
>
> 1. If you run it as the wrong user, does the data get stored in the
> wrong
> place, or is it simply lost?

its stored in a incorrect database/user, its not simply lost

> 2. If it's stored in the wrong place, is there any way of transferring
> or
> merging it back in to where it should be instead?

there is no Norton commander for spamassassin yet, but this can be
solved if some do the code in Perl
Re: The most efficient SPAM implementation ever [ In reply to ]
Ramon F Herrera skrev den 2020-10-11 17:20:

> I am the one who is a client of sendgrid. Before subscribing to their
> service (with low volume it is free) many of my messages were
> rejected. They provide legitimacy. Highly recommended:
>
> https://sendgrid.com/

and following this threads here your sendgrid IP would be blacklists,
since no one knows you don't share this IP with otters in sendgrid, that
say's i have never being in need of any forwards at all, why ?

they break dkim, does not do proper openarc sealing, does not respect
dmarc, and listen to users that believe forwards should support SPF, all
that mess is working without forwarding emails but not so well with
forward

spamassassin is a well done maillist where SPF, dkim, arc, dmarc is
working as it should, only thing is missing is that amavisd missing arc
verify / arc signing, it should not be dkim signing on forwarded emails
at all

many mailman installations is asking mailman to solve more, but all they
needed to do is to stop breaking dkim, and do arc sealing

you should not use sendgrid IMHO, read more on why on this maillist here
or SDLU
Re: The most efficient SPAM implementation ever [ In reply to ]
On Sun, 11 Oct 2020 16:52:09 +0200
Antony Stone wrote:


> 2. If it's stored in the wrong place, is there any way of
> transferring or merging it back in to where it should be instead?

If you dump both databases using 'sa-learn --backup' it's
straightforward to conflate the two ascii files into one using a bit of
script. You can then use --restore.

The only problem is that if the same message has been trained
differently in the two databases there will no good way to handle that.
Any retraining on such messages wont be correct - at least not all of
the time.
Re: The most efficient SPAM implementation ever [ In reply to ]
On 11 Oct 2020, at 10:32, Ramon F Herrera wrote:

> Good point.
>
> spamd runs as root and sa-learn runs as 'ramon'.
>
> That scheme has worked perfectly well for years, except for that
> particular spam.

That CAN work as long as you have spamd set up correctly for per-user
Bayes. If it has worked before, we can assume that it could/should be
working now and there's something special about this spam that's
overriding the Bayes score.

Can you provide the results of a SA scan of the messages on your machine
with the SA "report" that has the rule hits and their scores? It could
be something specific to your SA config that is hampering this.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: The most efficient SPAM implementation ever [ In reply to ]
On 11 Oct 2020, at 10:09, Ramon F Herrera wrote:

> There you go, Bill:
>
> http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM
> http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM.mbox (both
> files are hardlinked)

OK, so there's 3 things that occur to me:

1. It looks like those are not spam per se, but rather the result of the
forum software thinking that you want to get messages via email from a
thread or sub-forum which is used as a dumping ground for garbage. Since
your account there seems to still exist, I would expect that you should
be able to log in and turn off that subscription. Note that this is
based in ~5 minutes of looking around the site so maybe I misunderstand
it. Obviously this is the cleanest approach, as it would stop the mail
at the source.

2. The envelope sender on all of those messages is identical:

bounces+18101436-032c-ramon=jfknumbers.org@u18101436.wl187.sendgrid.net

This appears to be unique to that thread of messages, so you should be
able to block that in your Sendmail AccessDB and be done with it.

3. For a SpamAssassin solution, you may get better results from the
block/allowlist mechanism than from Bayes. To block the sending
addresses of all mail in a mailbox, you can run:

spamassassin --add-to-blacklist --mbox < mailbox.name


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: The most efficient SPAM implementation ever [ In reply to ]
On Sun, 11 Oct 2020, Ramon F Herrera wrote:

> There you go, Bill:
>
> http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM
> http://www.forcewise.com/~ramon/sysadmin/SolidWorks-SPAM.mbox (both files are
> hardlinked)

Those don't particularly look like revenge spamming; they look more like
notifications of posts to an off-topic humor thread or, less likely, the
Solidworks forum being spammed (which apparently has happened before, I
saw some mention of that when doing a little research when you first
posted your question).

Have you tried reporting this to the admins of the Solidworks forum?

Are you still an active participant in the forum? If not, perhaps just
delete your account there to stop receiving notifications of forum
postings.

Your account may have email notification options, like "don't email me
notifications", or "only mail me notifications for threads I have posted
on." The latter may actually be what is happening here, if you happened to
post a "can we knock off with this nonsense" type of comment to that
thread and you're assuming what you're now getting is revenge spamming for
doing that. The forum software may potentially offer the ability to
subscribe to / unsubscribe from notifications for posts to specific forum
threads; see if you can do that.

This doesn't look particularly abusive or spammy to me, just
legitimate notifications of posts to an OT thread (which, yes, is
annoying, but not abuse). If anything this looks to me more like an issue
for the Solidworks forum administrators to address, not SA.

Blocking *all* mail from Solidworks for this seems an overreaction to me.

But, that said, you could blcok them by telling Sendmail to reject mail
that is from
bounces+18101436-032c-ramon=jfknumbers.org@u18101436.wl187.sendgrid.net
that should be consistent for all messages sent to you from Solidworks via
Sendgrid.


> Thanks!
>
> -Ramon
>
> On 10/10/2020 11:49 AM, Bill Cole wrote:
>> On 10 Oct 2020, at 10:52, Ramon F Herrera wrote:
>>
>>> Hello all:
>>>
>>> I have been a very satisfied user of spamassassin for a long time. Now I
>>> am facing a challenge, a problem that I cannot resolve.
>>>
>>> Years ago I was an active participant in the SolidWorks forum:
>>>
>>> https://forum.solidworks.com
>>>
>>> Unfortunately, there is a group there who when don't approve of a thread
>>> their response is to send you a barrage of e-mails, some sort of DOS
>>> attack. I have received thousands of those, during several years.
>>>
>>> I dutifully have those messages processed by sa-learn, but it is clear
>>> that they are immune to spamassassin. Instead of going up, their score
>>> goes down.
>>>
>>> I tried another approach (suggested by some of you folks): block the
>>> sender by sendmail, as seen below. Such defensive strategy was helpful for
>>> a couple years but now the spam has come back with a vengeance. Currently,
>>> my last line of defense is the only one that recognizes that stealth spam:
>>> the Thunderbird mail client.
>>>
>>> Please help.
>>
>> Without actual samples of the spam, there's nothing anyone else can do to
>> help figure out why SA isn't catching it and how it might get caught.
>>
>

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men, it has been well said, think in herds; it will be seen that
they go mad in herds, while they only recover their senses slowly,
and one by one. -- Charles MacKay, 1852
-----------------------------------------------------------------------
23 days until the Presidential Election
Re: The most efficient SPAM implementation ever [ In reply to ]
Hi Marc,

I'll bite.

You seem to have forgotten something fundamental in the spamming world
and statistics in general:

*False negatives and false positives.*

Plus the important role played by certifying organizations: ISO, local
Chambers of Commerce, Better Business Bureau, Medical and Law State
Boards, etc., etc., etc., etc.

https://tinyurl.com/y37u3pnd
https://tinyurl.com/y5ku4kh8
https://tinyurl.com/yx9jzoyy

As many of you, I have several e-mail addresses. Some, like the one
above, is accepted everywhere. However, the one that is being spammed,
for some reason (that I do not care to investigate) was inconsistently
being rejected.

So, I had two options:

  (a) Start a crusade to I convince the whole world that the addresses
in question are legitimate.

  (b) I use a service that does that for me.

At this point the topic belongs in a forum of SendGrid users.

Thanks!

-Ramon

https://sendgrid.com/

On 10/11/2020 10:55 AM, Marc Roos wrote:
>> I am the one who is a client of sendgrid. Before subscribing to their
> service (with low volume it is free)
>> many of my messages were rejected. They provide legitimacy.
> So the problem here is actually that a spammer whines about being
> spammed? :D But this does confirm my idea that one should just blanket
> blacklist these networks, because they mostly harbour clients that were
> blocked and have no where else to go any more.
>
> I do not recommend using sendgrid. Going there with your legitimate
> services is like having your products manufactured by forced child
> labour which is maybe legal in that part of the world, but it is still
> something you do not want to be associated with.
Re: The most efficient SPAM implementation ever [ In reply to ]
On 10/11/2020 1:21 PM, Bill Cole wrote:

> On 11 Oct 2020, at 10:32, Ramon F Herrera wrote:
>
>> Good point.
>>
>> spamd runs as root and sa-learn runs as 'ramon'.
>>
>> That scheme has worked perfectly well for years, except for that
>> particular spam.
>
> That CAN work as long as you have spamd set up correctly for per-user
> Bayes. If it has worked before, we can assume that it could/should be
> working now and there's something special about this spam that's
> overriding the Bayes score.
>
> Can you provide the results of a SA scan of the messages on your
> machine with the SA "report" that has the rule hits and their scores?
> It could be something specific to your SA config that is hampering this.
>

I apologize for being such a newbie, but this is the only command that I
know and use.

% sa-learn --spam --mbox somemailbox

My configuration is "out of the box".

Can you please tell me how to generate that report?

Thanks!

-Ramon
Re: The most efficient SPAM implementation ever [ In reply to ]
> Can you please tell me how to generate that report?

I believe he is asking for the results of something like

spamassassin -t <bad_msg

This would require extracting one of the annoying messages from your mbox to a separate file you can feed into SA. You can also feed SA an mbox file, but we only want the report (which will be the last output from the command) for a single message.

The part of interest is at the bottom of the output and will look something like

Content analysis details: (28.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4932]
1.1 INVALID_DATE Invalid Date: header (not RFC 2822)
1.0 RELAY_IS_203 No description available.

This can go on for many lines.

Loren
Re: The most efficient SPAM implementation ever [ In reply to ]
On 12 Oct 2020, at 10:30, Ramon F Herrera wrote:

> On 10/11/2020 1:21 PM, Bill Cole wrote:
>
>> On 11 Oct 2020, at 10:32, Ramon F Herrera wrote:
>>
>>> Good point.
>>>
>>> spamd runs as root and sa-learn runs as 'ramon'.
>>>
>>> That scheme has worked perfectly well for years, except for that
>>> particular spam.
>>
>> That CAN work as long as you have spamd set up correctly for per-user
>> Bayes. If it has worked before, we can assume that it could/should be
>> working now and there's something special about this spam that's
>> overriding the Bayes score.
>>
>> Can you provide the results of a SA scan of the messages on your
>> machine with the SA "report" that has the rule hits and their scores?
>> It could be something specific to your SA config that is hampering
>> this.
>>
>
> I apologize for being such a newbie, but this is the only command that
> I know and use.
>
> % sa-learn --spam --mbox somemailbox
>
> My configuration is "out of the box".
>
> Can you please tell me how to generate that report?

spamassassin -t --mbox somemailbox


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: The most efficient SPAM implementation ever [ In reply to ]
I would like to thank all for helping and educating me.

After following your advice and investigating deeper, I have found two
important items. One relates to sendmail, and the other to spamassassin.

(1) My first line of defense is the access.db sendmail file. It turns
out that the only header that is actually inspected is the top line,
which begins with "From " (envelop sender). Therefore, of all the rules
that I have attempted, only No. 13 works (thanks, Bill Cole!).

Part (2) in my next message.

-Ramon F. Herrera

1 2  View All