Mailing List Archive: SpamAssassin: users

well, isnt that special...

Index | Next | Previous | View Threaded

lists07 at abbacomm

Nov 25, 2009, 7:53 AM

Post #1 of 20 (1484 views)
Permalink

well, isnt that special...

just got spammed via constant contact via Aloha Communications Group on our
"email lists" email address from afritsch [at] aloha-com

obviously trolling for email addresses

would the Constant Contact employee(s) and advocate on this list please kick
some hiney after you are done rolling around in the money pile?

on a much more important note, can those on the list that have a good handle
on better filtering spam and/or UCE from Constant please share your SA info
on that please?

- rh

list-subs at secnap

Nov 25, 2009, 8:12 AM

Post #2 of 20 (1445 views)
Permalink

Re: well, isnt that special... [In reply to]

R-Elists wrote:
> just got spammed via constant contact via Aloha Communications Group on our
> "email lists" email address from afritsch [at] aloha-com
>
> obviously trolling for email addresses
>
> would the Constant Contact employee(s) and advocate on this list please kick
> some hiney after you are done rolling around in the money pile?
>
> on a much more important note, can those on the list that have a good handle
> on better filtering spam and/or UCE from Constant please share your SA info
> on that please?
>
> - rh
>
>
>
header CONSTANTCONTACT List-Unsubscribe =~ /\bconstantcontact\.com\b/
score CONSTANTCONTACT 0.6

we score it pretty low since most of the constantcontact users arn't
abusers. but we score it, keep track of it, and clients complain about
missed spam, we bump it up, then drop it down when FP, then bump it up..
(rinse, repeat)

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

owenc at hubris

Nov 25, 2009, 8:38 AM

Post #3 of 20 (1444 views)
Permalink

Re: well, isnt that special... [In reply to]

On Nov 25, 2009, at 10:12 AM, Michael Scheidell wrote:

> R-Elists wrote:
>> on a much more important note, can those on the list that have a good handle
>> on better filtering spam and/or UCE from Constant please share your SA info
>> on that please?
>>
> header CONSTANTCONTACT List-Unsubscribe =~ /\bconstantcontact\.com\b/
> score CONSTANTCONTACT 0.6
>
> we score it pretty low since most of the constantcontact users arn't abusers. but we score it, keep track of it, and clients complain about missed spam, we bump it up, then drop it down when FP, then bump it up..
> (rinse, repeat)

This is mostly conjecture on my part but I think CC does some of the work for you. For years we did SMTP level rejects from roving.com hosts and this seemed to have blocked a lot of the CC crap. I think CC may segregate unknown/untrusted senders in roving.com rather than constantcontact.com.

At any rate no one ever complained about the roving.com block until we had a customer who couldn't send themselves mail from their own lists. Knowing this customer only reinforces my theory because their lists are dirty as hell.

Chris

-------------------------------------------------------------------------
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
-------------------------------------------------------------------------

tara at natanson

Nov 25, 2009, 8:46 AM

Post #4 of 20 (1448 views)
Permalink

Re: well, isnt that special... [In reply to]

On Wed, Nov 25, 2009 at 10:53 AM, R-Elists <lists07 [at] abbacomm> wrote:

>
>
> just got spammed via constant contact via Aloha Communications Group on our
> "email lists" email address from afritsch [at] aloha-com
>
> obviously trolling for email addresses
>
> would the Constant Contact employee(s) and advocate on this list please
> kick
> some hiney after you are done rolling around in the money pile?
>
>
I've got Compliance on it already thanks. And if I find the money pile I'll
let ya know. ;)
I'll report back to you what they find.

ned at unixmail

Nov 25, 2009, 9:04 AM

Post #5 of 20 (1444 views)
Permalink

Re: well, isnt that special... [In reply to]

R-Elists wrote:
>
> just got spammed via constant contact via Aloha Communications Group on our
> "email lists" email address from afritsch [at] aloha-com
>
> obviously trolling for email addresses
>
> would the Constant Contact employee(s) and advocate on this list please kick
> some hiney after you are done rolling around in the money pile?
>
> on a much more important note, can those on the list that have a good handle
> on better filtering spam and/or UCE from Constant please share your SA info
> on that please?
>

Here's mine:

uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
score LOCAL_URI_C_CONTACT 12
describe LOCAL_URI_C_CONTACT contains link to constant contact [dot] com

Got fed up with these clowns a long time ago so I hammer anything from
them on sight.

aawolfe at gmail

Nov 25, 2009, 9:18 AM

Post #6 of 20 (1446 views)
Permalink

Re: well, isnt that special... [In reply to]

On Wed, Nov 25, 2009 at 12:04 PM, Ned Slider <ned [at] unixmail> wrote:
> R-Elists wrote:
>>
>> just got spammed via constant contact via Aloha Communications Group on
>> our
>> "email lists" email address from afritsch [at] aloha-com
>>
>> obviously trolling for email addresses
>>
>> would the Constant Contact employee(s) and advocate on this list please
>> kick
>> some hiney after you are done rolling around in the money pile?
>>
>> on a much more important note, can those on the list that have a good
>> handle
>> on better filtering spam and/or UCE from Constant please share your SA
>> info
>> on that please?
>>
>
> Here's mine:
>
> uri � � � � � � LOCAL_URI_C_CONTACT � � m{constantcontact\.com\b}
> score � � � � � LOCAL_URI_C_CONTACT � � 12
> describe � � � �LOCAL_URI_C_CONTACT � � contains link to constant contact
> [dot] com
>
> Got fed up with these clowns a long time ago so I hammer anything from them
> on sight.

That score is a bit extreme, but I've also found that a small positive
score is appropriate for constantcrap mail.

-Aaron

ned at unixmail

Nov 25, 2009, 9:34 AM

Post #7 of 20 (1446 views)
Permalink

Re: well, isnt that special... [In reply to]

Aaron Wolfe wrote:
> On Wed, Nov 25, 2009 at 12:04 PM, Ned Slider <ned [at] unixmail> wrote:
>> R-Elists wrote:
>>>
>>> on a much more important note, can those on the list that have a good
>>> handle
>>> on better filtering spam and/or UCE from Constant please share your SA
>>> info
>>> on that please?
>>>
>> Here's mine:
>>
>> uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
>> score LOCAL_URI_C_CONTACT 12
>> describe LOCAL_URI_C_CONTACT contains link to constant contact
>> [dot] com
>>
>> Got fed up with these clowns a long time ago so I hammer anything from them
>> on sight.
>
> That score is a bit extreme, but I've also found that a small positive
> score is appropriate for constantcrap mail.
>
> -Aaron
>

Indeed, and I wouldn't advocate anyone following *my* scoring, just
posted the rule as an example of one way to whack this particular mole :)

I chose the high score to counteract any dns whitelists or AWL negative
scoring etc that may otherwise rescue their crap from being marked as
spam on my system. If there's anything I particularly want I can
whitelist it, but the default action here is to tag and quarantine all
mail from Constant Contact. The high score probably also reflects my
level of frustration with them at the time I wrote the rule!

richard at buzzhost

Nov 25, 2009, 9:55 AM

Post #8 of 20 (1448 views)
Permalink

Re: well, isnt that special... [In reply to]

On Wed, 2009-11-25 at 17:34 +0000, Ned Slider wrote:
> Aaron Wolfe wrote:
> > On Wed, Nov 25, 2009 at 12:04 PM, Ned Slider <ned [at] unixmail> wrote:
> >> R-Elists wrote:
> >>>
> >>> on a much more important note, can those on the list that have a good
> >>> handle
> >>> on better filtering spam and/or UCE from Constant please share your SA
> >>> info
> >>> on that please?
> >>>
> >> Here's mine:
> >>
> >> uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
> >> score LOCAL_URI_C_CONTACT 12
> >> describe LOCAL_URI_C_CONTACT contains link to constant contact
> >> [dot] com
> >>
> >> Got fed up with these clowns a long time ago so I hammer anything from them
> >> on sight.
> >
> > That score is a bit extreme, but I've also found that a small positive
> > score is appropriate for constantcrap mail.
> >
> > -Aaron
> >
>
> Indeed, and I wouldn't advocate anyone following *my* scoring, just
> posted the rule as an example of one way to whack this particular mole :)
>
> I chose the high score to counteract any dns whitelists or AWL negative
> scoring etc that may otherwise rescue their crap from being marked as
> spam on my system. If there's anything I particularly want I can
> whitelist it, but the default action here is to tag and quarantine all
> mail from Constant Contact. The high score probably also reflects my
> level of frustration with them at the time I wrote the rule!

I don't think that's harsh at all Ned. I have a different solution:

#CHEETAH (EXPERIAN)
iptables -A FIREWALL -s 66.165.100.0/24 -j DROP
#CONSTANT CONTACT
iptables -A FIREWALL -s 63.251.0.0/16 -j DROP
iptables -A FIREWALL -s 66.151.234.144/28 -j DROP
iptables -A FIREWALL -s 208.75.120.0/22 -j DROP
#dotmailer offenders
iptables -A FIREWALL -s 80.87.10.0/30 -j DROP
iptables -A FIREWALL -s 80.87.10.4/31 -j DROP
iptables -A FIREWALL -s 80.87.10.6/32 -j DROP

Any more ranges most welcome :-)

me at junc

Nov 25, 2009, 10:20 AM

Post #9 of 20 (1447 views)
Permalink

Re: well, isnt that special... [In reply to]

On ons 25 nov 2009 18:55:11 CET, "richard [at] buzzhost" wrote
> Any more ranges most welcome :-)

iptables -A FIREWALL -s 127.0.0.0/8 -j DROP

--
xpoint

lists07 at abbacomm

Nov 25, 2009, 10:43 AM

Post #10 of 20 (1442 views)
Permalink

RE: well, isnt that special... [In reply to]

thanks Tara, not the hugest biggie...

yet since we are only on a few select lists and use this email address, i
figured several others on this list were getting it too

i did forward both to abuse at your site with headers

happy gobble gobble everyone!

- rh

I've got Compliance on it already thanks. And if I find the money pile I'll
let ya know. ;)
I'll report back to you what they find.

lists07 at abbacomm

Nov 25, 2009, 10:49 AM

Post #11 of 20 (1435 views)
Permalink

RE: well, isnt that special... [In reply to]

>
> uri LOCAL_URI_C_CONTACT m{constantcontact\.com\b}
> score LOCAL_URI_C_CONTACT 12
> describe LOCAL_URI_C_CONTACT contains link to
> constant contact [dot] com
>

thanks Ned,

i do have a coupla companies that use CC for email so i wont totally whack.
they are getting a bit to generous on those marking emails to me though.

umm side note, i spose to Tara...

is Constant Contact like the default email marketing system (or one of them)
for salesforce.com or whatever other large "online" customer management
software??? or do you own them or they own you or what is the scoop?

- rh

mysqlstudent at gmail

Nov 25, 2009, 11:04 AM

Post #12 of 20 (1443 views)
Permalink

Re: well, isnt that special... [In reply to]

> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP

Nah, use REJECT so you get that immediate satisfaction :-)

Alex

tara at natanson

Nov 25, 2009, 11:37 AM

Post #13 of 20 (1437 views)
Permalink

Re: well, isnt that special... [In reply to]

On Wed, Nov 25, 2009 at 1:49 PM, R-Elists <lists07 [at] abbacomm> wrote:

>
>
> umm side note, i spose to Tara...
>
> is Constant Contact like the default email marketing system (or one of
> them)
> for salesforce.com or whatever other large "online" customer management
> software??? or do you own them or they own you or what is the scoop?
>
>
Someone recently developed an API to port your salesforce contacts to CC
(same permission standards apply). There are a few others out there like
Quickbooks I think who have built similar APIs.

Any reason in particular?

Tara

richard at buzzhost

Nov 25, 2009, 11:40 AM

Post #14 of 20 (1445 views)
Permalink

Re: well, isnt that special... [In reply to]

On Wed, 2009-11-25 at 19:20 +0100, Benny Pedersen wrote:
> On ons 25 nov 2009 18:55:11 CET, "richard [at] buzzhost" wrote
> > Any more ranges most welcome :-)
>
> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>
Very good. That was nearly funny :-) Why don't you add:
iptables -A FIREWALL -s 0.0.0.0/0 -j DROP and enjoy the silence :-)

richard at buzzhost

Nov 25, 2009, 11:42 AM

Post #15 of 20 (1438 views)
Permalink

Re: well, isnt that special... [In reply to]

On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>
> Nah, use REJECT so you get that immediate satisfaction :-)
>
> Alex

NO NO NO NO NO!
Drop has the effect of tarpitting them :-) As the Supremes sang;
"Set me free why don't you baby? .... You just keep me hangin' on...."

mysqlstudent at gmail

Nov 25, 2009, 2:29 PM

Post #16 of 20 (1438 views)
Permalink

Re: well, isnt that special... [In reply to]

>> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>>
> Very good. That was nearly funny :-) Why don't you add:
> iptables -A FIREWALL -s 0.0.0.0/0 -j DROP and enjoy the silence :-)

Trouble is that you have to be the one that drives to the colo to
eventually undo the rules :-)

Speaking of fw rules, has anyone considered something to automate the
SANS top 10?

http://isc.sans.org/top10.html

Would that be effective?

Alex

sa-list at alexb

Nov 25, 2009, 3:08 PM

Post #17 of 20 (1431 views)
Permalink

Re: well, isnt that special... [In reply to]

On 11/25/2009 11:29 PM, Alex wrote:
>>> iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>>>
>> Very good. That was nearly funny :-) Why don't you add:
>> iptables -A FIREWALL -s 0.0.0.0/0 -j DROP and enjoy the silence :-)
>
> Trouble is that you have to be the one that drives to the colo to
> eventually undo the rules :-)
>
> Speaking of fw rules, has anyone considered something to automate the
> SANS top 10?
>
> http://isc.sans.org/top10.html
>
> Would that be effective?

not relevant to Spamassassin, is it?

if you have to go way off topic at pleas be considerat and add an OT:
tag to the subject.. > /dev/null

or try: http://spam-l.com/mailman/listinfo

per at computer

Nov 26, 2009, 12:20 AM

Post #18 of 20 (1413 views)
Permalink

Re: well, isnt that special... [In reply to]

richard [at] buzzhost wrote:

> On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
>> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>>
>> Nah, use REJECT so you get that immediate satisfaction :-)
>>
>> Alex
>
> NO NO NO NO NO!
> Drop has the effect of tarpitting them :-)

Not quite, tarpitting is the next step.

/Per Jessen, Zürich

richard at buzzhost

Nov 26, 2009, 1:24 AM

Post #19 of 20 (1404 views)
Permalink

Re: well, isnt that special... [In reply to]

On Thu, 2009-11-26 at 08:57 +0100, Per Jessen wrote:
> richard [at] buzzhost wrote:
>
> > On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
> >> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
> >>
> >> Nah, use REJECT so you get that immediate satisfaction :-)
> >>
> >> Alex
> >
> > NO NO NO NO NO!
> > Drop has the effect of tarpitting them :-)
>
> Not quite, tarpitting is the next step.
>
>
> /Per Jessen, Zürich
>
Hence 'The effect', that is - to delay progress. They send SYN, no
answer (but they wait for the answer) hence, has the effect. Sure, it's
not as good as redirecting them to, say port 2525 where a dedicated
FUAMTA is waiting, but I'm considering that :-)

per at computer

Nov 26, 2009, 4:20 AM

Post #20 of 20 (1414 views)
Permalink

Re: well, isnt that special... [In reply to]

richard [at] buzzhost wrote:

> On Thu, 2009-11-26 at 08:57 +0100, Per Jessen wrote:
>> richard [at] buzzhost wrote:
>>
>> > On Wed, 2009-11-25 at 14:04 -0500, Alex wrote:
>> >> > iptables -A FIREWALL -s 127.0.0.0/8 -j DROP
>> >>
>> >> Nah, use REJECT so you get that immediate satisfaction :-)
>> >>
>> >> Alex
>> >
>> > NO NO NO NO NO!
>> > Drop has the effect of tarpitting them :-)
>>
>> Not quite, tarpitting is the next step.
>>
>>
>> /Per Jessen, Zürich
>>
> Hence 'The effect', that is - to delay progress. They send SYN, no
> answer (but they wait for the answer) hence, has the effect.

Very true - I was thinking more in terms of the iptables tarpit module.
I think there is a postgrey tarpit extension too.

/Per Jessen, Zürich

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads