Mailing List Archive

The latest bitcoin spam 1/22/19
Sent to me personally. Incredible amount of obfuscation. They are all
coming in from hosts in 185.118.165 and 185.118.166.

Note on X-Spam-Score header-- the local rule CU_INVOICE accounts for 0.5,
HTML_MESSAGE is 0.01, and CU_SPF_softfail is just information with a zero
score.

https://pastebin.com/p6xaWcA7

Joseph Brennan
Columbia U
Re: The latest bitcoin spam 1/22/19
Are you using KAM.cf rules? The crim rules are designed for these.

On Tue, Jan 22, 2019, 12:27 Joseph Brennan <brennan@columbia.edu> wrote:

>
> Sent to me personally. Incredible amount of obfuscation. They are all
> coming in from hosts in 185.118.165 and 185.118.166.
>
> Note on X-Spam-Score header-- the local rule CU_INVOICE accounts for 0.5,
> HTML_MESSAGE is 0.01, and CU_SPF_softfail is just information with a zero
> score.
>
> https://pastebin.com/p6xaWcA7
>
> Joseph Brennan
> Columbia U
>
>
Re: The latest bitcoin spam 1/22/19
On 22 Jan 2019, at 12:26, Joseph Brennan wrote:

> Sent to me personally. Incredible amount of obfuscation. They are all
> coming in from hosts in 185.118.165 and 185.118.166.
>
> Note on X-Spam-Score header-- the local rule CU_INVOICE accounts for 0.5,
> HTML_MESSAGE is 0.01, and CU_SPF_softfail is just information with a zero
> score.

Rules in the current default ruleset score that above 7 by any of the
scoresets, excluding scores from Bayes & DNSBLs.
Have you run sa-update in the past month?

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
Re: The latest bitcoin spam 1/22/19
On 22 Jan 2019, at 12:30, Kevin A. McGrail wrote:

> Are you using KAM.cf rules? The crim rules are designed for these.

Unfortunately, only 3 of the subrules match.

However, as I said in my prior message, the stock rules do catch this one.
Re: The latest bitcoin spam 1/22/19
On Tue, 22 Jan 2019, Joseph Brennan wrote:

> Sent to me personally. Incredible amount of obfuscation.

Okay, it looks like the fuzzy versions are still needed...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Forces of tyranny expand inexorably to fill the space
made available for their existence. -- Jordan B. Peterson
-----------------------------------------------------------------------
Tomorrow: John Moses Browning's 164th Birthday
Re: The latest bitcoin spam 1/22/19
On Tue, 22 Jan 2019, John Hardin wrote:

> On Tue, 22 Jan 2019, Joseph Brennan wrote:
>
>> Sent to me personally. Incredible amount of obfuscation.
>
> Okay, it looks like the fuzzy versions are still needed...

Restored.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Tomorrow: John Moses Browning's 164th Birthday
Re: The latest bitcoin spam 1/22/19
On 1/22/2019 2:46 PM, John Hardin wrote:
> On Tue, 22 Jan 2019, Joseph Brennan wrote:
>
>> Sent to me personally. Incredible amount of obfuscation.
>
> Okay, it looks like the fuzzy versions are still needed...
>
I've added a few tweaks to my CRIM rules as well.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171