
Getting phishing from sender in 60_welcomelist_auth.cf
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.
Re: Getting phishing from sender in 60_welcomelist_auth.cf
On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone <ricky.boone@gmail.com>
is rumored to have said:

> Just a heads up, it appears that usssa[.]com has had their SendGrid
> email sending account popped, and a bad actor has been sending
> phishing emails from it. The domain is defined in
> 60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
> entries with *@*.usssa.com.

If anyone has a shareable sample spam to substantiate this, that would
be helpful.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Getting phishing from sender in 60_welcomelist_auth.cf
My apologies.

The samples that I have contain email addresses that I am not at
liberty to share without redacting. If it's okay that there are
certain strings that are removed, I should be able to make them
available. Is there a preferred method for getting this to you?

Re: Getting phishing from sender in 60_welcomelist_auth.cf
On 2023-10-11 at 22:02:22 UTC-0400 (Wed, 11 Oct 2023 22:02:22 -0400)
Ricky Boone <ricky.boone@gmail.com>
is rumored to have said:

> My apologies.
>
> The samples that I have contain email addresses that I am not at
> liberty to share without redacting. If it's okay that there are
> certain strings that are removed, I should be able to make them
> available. Is there a preferred method for getting this to you?

Attached to a message here or to a bug report in the SA project
Bugzilla: https://bz.apache.org/SpamAssassin/

Ideally, just redact the local part of user addresses. Nothing else is
really sensitive in spam, and facts like domains and IP addresses help
validate spam analysis. For example, we wouldn't want to de-list a
domain which appears to be forged into spam.

The point of having a minimally-redacted message as an openly visible
example for removing a def_welcomelist entry is to make sure that we
aren't open to being used for mischief and can justify the removal later
if asked to. The bar for removal is very low (being listed is a
privilege, not a right) but it can't be simply 'someone said...'

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
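The redaction rule above (drop the local part of user addresses, keep domains and IP addresses) can be applied mechanically before a sample is attached. The following is an added example, not code from the thread or from the SpamAssassin project; the message text is constructed, and the one real-world wrinkle it handles is that relay bounce addresses often embed the recipient's address in their own local part, so a naive "redact the To: header" pass would still leak it.

```python
import re

# Constructed sample (not a real message from the thread): a relayed phish
# whose Return-Path carries the recipient address as a VERP-style tag.
SAMPLE = """Return-Path: <bounces+123-abc-jane.doe=example.org@sendgrid.net>
Received: from o1.ptr1234.usssa.com (o1.ptr1234.usssa.com [198.51.100.23])
 by mx.example.org with ESMTPS; Wed, 11 Oct 2023 14:02:11 -0400
From: "Tournament Office" <tournaments@usssa.com>
To: Jane Doe <jane.doe@example.org>
Subject: Action required: verify your account

Hi jane.doe@example.org, please sign in at http://198.51.100.99/login
"""

# local-part@domain; the local part may contain the + = - characters that
# bounce/VERP tagging uses, so the whole tag is treated as the local part.
ADDR_RE = re.compile(
    r"(?<![A-Za-z0-9._%+=-])([A-Za-z0-9._%+=-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# Whole To:/Cc:/Bcc: header lines (continuation lines of folded headers are
# not handled here; unfold the message first if you need that).
RCPT_HDR_RE = re.compile(r"^(?:To|Cc|Bcc):.*$", re.M | re.I)

def strip_recipient_names(text: str) -> str:
    """Drop display names in recipient headers: 'To: Jane Doe <a@b>' -> 'To: <a@b>'."""
    return RCPT_HDR_RE.sub(
        lambda m: re.sub(r"(?<=[:,])[^<,]*(?=<)", " ", m.group(0)), text)

def redact_local_parts(text: str, keep_domains=frozenset()) -> tuple[str, int]:
    """Rewrite every address to REDACTED@<domain>, except addresses at a domain
    listed in keep_domains (the suspected sending domain is itself evidence).
    Domains and IP addresses are left intact. Returns (new_text, count)."""
    count = 0
    def sub(m):
        nonlocal count
        if m.group(2).lower() in keep_domains:
            return m.group(0)
        count += 1
        return f"REDACTED@{m.group(2)}"
    return ADDR_RE.sub(sub, text), count

def redact_sample(text: str, keep_domains=frozenset()) -> tuple[str, int]:
    """Full pass: strip recipient display names, then redact local parts."""
    return redact_local_parts(strip_recipient_names(text), keep_domains)

if __name__ == "__main__":
    out, n = redact_sample(SAMPLE, frozenset({"usssa.com"}))
    print(f"{n} addresses redacted\n{out}")
```

Diff the output against the original before sending it, since anything outside an address pattern (a name in the body, a signature block) still needs a manual look.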
Re: Getting phishing from sender in 60_welcomelist_auth.cf
Thank you. It was my mistake initially, as I was under the impression
that submitting unsolicited samples wasn't preferred, and was just
intending to raise awareness for others in case they see anything
similar.

Attached is evidence with redactions. Again, my apologies if the
original email came across as it may have, and also for the delay in
reporting (I was alerted to this yesterday afternoon).

Re: Getting phishing from sender in 60_welcomelist_auth.cf
On 2023-10-12 at 10:24:11 UTC-0400 (Thu, 12 Oct 2023 10:24:11 -0400)
Ricky Boone <ricky.boone@gmail.com>
is rumored to have said:

> Thank you. It was my mistake initially, as I was under the impression
> that submitting unsolicited samples wasn't preferred, and was just
> intending to raise awareness for others in case they see anything
> similar.

Often one of us who has access to robust mail streams can find adequate
evidence on our own. In this case the volume seems to have been rather
low.

>
> Attached is evidence with redactions. Again, my apologies if the
> original email came across as it may have, and also for the delay in
> reporting (I was alerted to this yesterday afternoon).

No problem. Your analysis of the issue as a compromised SendGrid account
appears to be right, which breaks the basis for having them in the
default welcomelist.

Change committed:

# svn diff -r r1910021:r1912921 60_welcomelist_auth.cf
Index: 60_welcomelist_auth.cf
===================================================================
--- 60_welcomelist_auth.cf (revision 1910021)
+++ 60_welcomelist_auth.cf (revision 1912921)
@@ -546,7 +546,6 @@
def_welcomelist_auth *@*.directgeneral.com
def_welcomelist_auth *@*.subaru.com
def_welcomelist_auth *@*.aexp.com
-def_welcomelist_auth *@*.usssa.com
def_welcomelist_auth *@*.bestwesternrewards.com
def_welcomelist_auth *@*.email-weightwatchers.com
def_welcomelist_auth *@*.email-allstate.com
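Review bot: The removal of the usssa.com entry at line 549 is consistent with the rationale given above (a compromised sending account means mail that authenticates for the domain no longer deserves the welcomelist exemption), but the hunk itself carries no pointer to that evidence; recording the redacted sample's location (the list message or a Bugzilla entry) in the commit log would let the removal be justified later, which this thread says is the bar for de-listing.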
@@ -1523,7 +1522,6 @@
def_whitelist_auth *@*.directgeneral.com
def_whitelist_auth *@*.subaru.com
def_whitelist_auth *@*.aexp.com
-def_whitelist_auth *@*.usssa.com
def_whitelist_auth *@*.bestwesternrewards.com
def_whitelist_auth *@*.email-weightwatchers.com
def_whitelist_auth *@*.email-allstate.com
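Review bot: Good that the deprecated def_whitelist_auth section is updated in the same commit; the two lists are parallel (the same neighbouring entries appear in both hunks), and leaving the old spelling in place would keep granting the exemption on installations that still read it. A grep for usssa across the rules tree would confirm no further references remain.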

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire