Mailing List Archive: SpamAssassin: users

Re: [SPAM:6.0] Spam coming from hotmail.

Index | Next | Previous | View Threaded

richard at buzzhost

Nov 9, 2009, 5:47 AM

Post #1 of 8 (781 views)
Permalink

Re: [SPAM:6.0] Spam coming from hotmail.

On Mon, 2009-11-09 at 07:56 -0500, Casartello, Thomas wrote:
> I’ve been getting a lot of non-scoring spam coming from hotmail over
> the last couple weeks. It’s one user that’s been complaining about it.
>
> Here’s a few samples:
{serious ascii murder commited}

I could not stop laughing at this given the context...

>
> ______________________________________________________________________
> Hotmail: Trusted email with Microsoft's powerful SPAM protection. Sign
> up now.

tcasartello at wsc

Nov 9, 2009, 6:20 AM

Post #2 of 8 (735 views)
Permalink

RE: [SPAM:6.0] Spam coming from hotmail. [In reply to]

Yeah I should have attached those instead of copying and pasting the Outlook crap. Was pretty stupid, my apologies.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: richard [at] buzzhost [mailto:richard [at] buzzhost]
Sent: Monday, November 09, 2009 8:47 AM
Cc: Spamassassin Mailing List
Subject: Re: [SPAM:6.0] Spam coming from hotmail.

On Mon, 2009-11-09 at 07:56 -0500, Casartello, Thomas wrote:
> I’ve been getting a lot of non-scoring spam coming from hotmail over
> the last couple weeks. It’s one user that’s been complaining about it.
>
> Here’s a few samples:
{serious ascii murder commited}

I could not stop laughing at this given the context...

>
> ______________________________________________________________________
> Hotmail: Trusted email with Microsoft's powerful SPAM protection. Sign
> up now.

Attachments:

smime.p7s (4.09 KB)

tcasartello at wsc

Nov 9, 2009, 6:24 AM

Post #3 of 8 (732 views)
Permalink

RE: [SPAM:6.0] Spam coming from hotmail. [In reply to]

Here are two of the messages in a more proper form. Again I apologize for the earlier message.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: Casartello, Thomas
Sent: Monday, November 09, 2009 9:20 AM
To: 'richard [at] buzzhost'
Cc: Spamassassin Mailing List
Subject: RE: [SPAM:6.0] Spam coming from hotmail.

Yeah I should have attached those instead of copying and pasting the Outlook crap. Was pretty stupid, my apologies.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: richard [at] buzzhost [mailto:richard [at] buzzhost]
Sent: Monday, November 09, 2009 8:47 AM
Cc: Spamassassin Mailing List
Subject: Re: [SPAM:6.0] Spam coming from hotmail.

On Mon, 2009-11-09 at 07:56 -0500, Casartello, Thomas wrote:
> I’ve been getting a lot of non-scoring spam coming from hotmail over
> the last couple weeks. It’s one user that’s been complaining about it.
>
> Here’s a few samples:
{serious ascii murder commited}

I could not stop laughing at this given the context...

>
> ______________________________________________________________________
> Hotmail: Trusted email with Microsoft's powerful SPAM protection. Sign
> up now.

Attachments:

msg1.txt (2.82 KB)

msg2.txt (3.03 KB)

smime.p7s (4.09 KB)

uhlar at fantomas

Nov 9, 2009, 6:36 AM

Post #4 of 8 (731 views)
Permalink

Re: [SPAM:6.0] Spam coming from hotmail. [In reply to]

On 09.11.09 09:20, Casartello, Thomas wrote:
> Yeah I should have attached those instead of copying and pasting the
> Outlook crap. Was pretty stupid, my apologies.

no, you should have publiched them somewhere and paste a link. Sending spam
to any mailing list is a bad idea, unless the mailing list recommends that.

btw, it was this advertising signature what made him laugh:

> > ______________________________________________________________________
> > Hotmail: Trusted email with Microsoft's powerful SPAM protection. Sign
> > up now.

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

richard at buzzhost

Nov 9, 2009, 7:09 AM

Post #5 of 8 (744 views)
Permalink

RE: [SPAM:6.0] Spam coming from hotmail. [In reply to]

<snip>
Running those through my SA gets the biggest hit for the second example
with the Indian link in the body. But that's a custom rule kindly given
to me by of one of the good people on this list.

I'm more concerned with this:

X-Originating-IP: [189.69.146.53]

In Brazil yet my relay module does not seem to be biting on it.

tcasartello at wsc

Nov 9, 2009, 7:18 AM

Post #6 of 8 (734 views)
Permalink

RE: [SPAM:6.0] Spam coming from hotmail. [In reply to]

Someone kindly showed me pastebin. Here are my samples FINALLY in proper
form (my apologies for any inconvenience.):
http://pastebin.com/m44e99f80
http://pastebin.com/m4a64ab62

Oh that's a good point. That is pretty funny, obviously their outgoing
protection isn't too good.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar [at] fantomas]
Sent: Monday, November 09, 2009 9:36 AM
To: users [at] spamassassin
Subject: Re: [SPAM:6.0] Spam coming from hotmail.

On 09.11.09 09:20, Casartello, Thomas wrote:
> Yeah I should have attached those instead of copying and pasting the
> Outlook crap. Was pretty stupid, my apologies.

no, you should have publiched them somewhere and paste a link. Sending spam
to any mailing list is a bad idea, unless the mailing list recommends that.

btw, it was this advertising signature what made him laugh:

> > ______________________________________________________________________
> > Hotmail: Trusted email with Microsoft's powerful SPAM protection. Sign
> > up now.

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

Attachments:

smime.p7s (4.09 KB)

rwmaillists at googlemail

Nov 9, 2009, 9:12 AM

Post #7 of 8 (736 views)
Permalink

Re: [SPAM:6.0] Spam coming from hotmail. [In reply to]

On Mon, 09 Nov 2009 15:09:18 +0000
"richard [at] buzzhost" <richard [at] buzzhost> wrote:

> <snip>
> Running those through my SA gets the biggest hit for the second
> example with the Indian link in the body. But that's a custom rule
> kindly given to me by of one of the good people on this list.
>
> I'm more concerned with this:
>
> X-Originating-IP: [189.69.146.53]
>
> In Brazil yet my relay module does not seem to be biting on it.

The list of country codes in the X-Spam-Relay-Countries header
corresponds to the list of untrusted relays - which is taken from the
received headers.

richard at buzzhost

Nov 9, 2009, 9:25 AM

Post #8 of 8 (732 views)
Permalink

Re: Spam coming from hotmail. [In reply to]

On Mon, 2009-11-09 at 17:12 +0000, RW wrote:
> On Mon, 09 Nov 2009 15:09:18 +0000
> "richard [at] buzzhost" <richard [at] buzzhost> wrote:
>
> > <snip>
> > Running those through my SA gets the biggest hit for the second
> > example with the Indian link in the body. But that's a custom rule
> > kindly given to me by of one of the good people on this list.
> >
> > I'm more concerned with this:
> >
> > X-Originating-IP: [189.69.146.53]
> >
> > In Brazil yet my relay module does not seem to be biting on it.
>
> The list of country codes in the X-Spam-Relay-Countries header
> corresponds to the list of untrusted relays - which is taken from the
> received headers.

Thanks RW - You've probably forgotten more about SA than I'll ever know,
so I appreciate your time in responding.

It would be infinitely useful for me to match strings like:

X-Originating-IP: [189.69.146.53]

to country and block upon the result of that test. Basically I would
happy with X-Originating-IP: [....] being in the UK, USA and parts of
Europe, but I would like to kill any that come from Brazil, Columbia,
China etc.

I'm getting confused as to if I can do this with SA - I think I'm clear
that the Relay Countries won't look at this kind of header(?), and that
checking them against blocklists is not appropriate as by nature they
will probably be in the PBL. But is there a way to grab these by
geographic location and block? I see this often with Hotmail spam and
whilst I would love to just block hotmail period, that would be a BOFH
move that would not go down well :-)

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads